dbff8e2fd94454389291499681208cdfdbd3ec219ea94c7af0b5575729d48c54

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Size

5.4MB
MD5

188f40bfea25a5abc2fbc04726c48b50
SHA1

a149ca81a29903f08177dd3e6958956ac2d11ff0
SHA256

dbff8e2fd94454389291499681208cdfdbd3ec219ea94c7af0b5575729d48c54
SHA512

ffba3de37c73c9530fd7ace76bc6ee54f7b0801f719d6c3c1ba090d6b9220913cb24e1feb6687e84db8e7e0b19e5828ab5737e5631c05895e4566a3787fad806
SSDEEP

98304:huLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0h:47wq1W6HqULS8djZDTaNNeCKVP5ORsgK

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
4332	alg.exe
1192	DiagnosticsHub.StandardCollector.Service.exe
1976	fxssvc.exe
1892	elevation_service.exe
412	Setup.exe
5076	elevation_service.exe
4092	maintenanceservice.exe
2508	msdtc.exe
4656	OSE.EXE
4460	PerceptionSimulationService.exe
1492	perfhost.exe
756	locator.exe
652	SensorDataService.exe
3480	snmptrap.exe
2480	spectrum.exe
3284	ssh-agent.exe
1208	TieringEngineService.exe
4388	AgentService.exe
3276	vds.exe
380	vssvc.exe
2612	wbengine.exe
4660	WmiApSrv.exe
1872	SearchIndexer.exe

Loads dropped DLL 5 IoCs

pid	Process
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b9747397293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a591fd9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009dcc3d9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd65aed9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000084c90d8fbabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac583ed9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075e328d9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c8026d9fbabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fa64cd9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcacb1d8fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e147d9fbabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
412	Setup.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeAuditPrivilege	1976	fxssvc.exe
Token: SeRestorePrivilege	1208	TieringEngineService.exe
Token: SeManageVolumePrivilege	1208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4388	AgentService.exe
Token: SeBackupPrivilege	380	vssvc.exe
Token: SeRestorePrivilege	380	vssvc.exe
Token: SeAuditPrivilege	380	vssvc.exe
Token: SeBackupPrivilege	2612	wbengine.exe
Token: SeRestorePrivilege	2612	wbengine.exe
Token: SeSecurityPrivilege	2612	wbengine.exe
Token: 33	1872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1872	SearchIndexer.exe
Token: SeDebugPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 412	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe	87
PID 740 wrote to memory of 412	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe	87
PID 740 wrote to memory of 412	740	188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe	87
PID 1872 wrote to memory of 5000	1872	SearchIndexer.exe	112
PID 1872 wrote to memory of 5000	1872	SearchIndexer.exe	112
PID 1872 wrote to memory of 3092	1872	SearchIndexer.exe	113
PID 1872 wrote to memory of 3092	1872	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\188f40bfea25a5abc2fbc04726c48b50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- \??\c:\597d813b76908e5c4315\Setup.exe
  c:\597d813b76908e5c4315\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:32

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\597d813b76908e5c4315\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\597d813b76908e5c4315\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
C:\597d813b76908e5c4315\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\597d813b76908e5c4315\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\597d813b76908e5c4315\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
666KB

MD5
d030e38f3fdc5d2562e2c9ec379ac0a9

SHA1
f08d4b89937181080c400cfd79cfd9f5fa0d0bb6

SHA256
d039a7bd504c8fafaddc4c2bb16bd1182afa0fe9124611b73265f93789315daf

SHA512
6090627f1473525f32451f0f0e93fb85312e4e03975f907f438a20e1c8b700420b3a385b6b886137ec966044ee016df63111574a6839863d98d282b9d10819d3

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
973KB

MD5
fc1c9ae5de9990c2bfac3f21c6902981

SHA1
a7d9064f1521775b9acc46059ebe8f60a9550d74

SHA256
eabbf16b89b8fe3a9c3b0deb9310ebf1c9f8d11c9212df241e9c5c9f64429bca

SHA512
32a6609dda36e945cff6d0ed2fd66b6a853982ff94b70b98f951317725d6b08eeb7e6236d1321bd94fbd92c69c8382d017657d994887fa03dd3775ca40cdd77a

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Filesize
1.7MB

MD5
dd0f33e154d695563c3eb4d7b88d5cb9

SHA1
322798a3acfee7a00d177c0c3ab692201283d03e

SHA256
294520ec4037823e1f183e4468e789dbcd0cc998d060b360ee00246babf239d9

SHA512
4ca71a9d74b16b7cab7e5f156cf2c8b508d1f77745c4dddc10a9dda237e571c630ba760cce03925f7d9cb19bf801008817622837f41059a58881a6f090f27ffa

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
61e7422137f99ee30240d2c29fed5561

SHA1
514f814ce792440c4697e3051a8ec2141dfa01a0

SHA256
eff557bb365e96e5f579ab58ea8d8e3023333bcd87a4cc94ab5b2d181935a919

SHA512
578f563530dc42fa12e2c04ec8e25e443e081cacef9a3daa26b27144f9015053b2f876dba1075d42459eef1604c457ab226351382968e57cfae47ab56003f470

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
aad39e42e21f83fb1b73cb6bb40cd037

SHA1
f3eea490e1a3a13c9d16ad9377e2ab353e035978

SHA256
d147e5266f4cfe2969d9c48e707d04cb722d1ee9bf30f0035de71bdfa323f14d

SHA512
c94704673ee541793e3f139aa7e88cb810d27514100a88ea651bc42634f31928fe037c82d83ef8628eece56181b3d283af765299c8890211daf78377105bc89d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dcf5b8621920a9c35c94ba06c5b6b741

SHA1
267aef182b713ef66275b0374ede7d3d09dac713

SHA256
39e49e3097471b79e07de5becfa6fe6ec58298417fa5e8c30df28e9e6d4a6d2a

SHA512
02cbed20e31f197166a9c19fcc169ac3e708cd20a824f208be20f0339cb4d48ea32b02321f149afbdacc9d722aec45505424daaebb9e6704823f048838a74bdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a556bf182110d30686e8779a2035859c

SHA1
eb05af39838e6f9d2298c3f2f5f23bd310667f17

SHA256
b0009deba5c96daccf42742792baea4dd46a8e81f3c021e1ba873f1469a0c6b7

SHA512
6a93261f6527f86ef90ba06b4d5722c51676a83c0c10472397c51d3629721f95940cca6fd086a0e45bd38398e7b8acd8f06af5d968cbd84f655befd5e379806c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1ff873c48670dd01a6544c99f6eabc32

SHA1
0ac16e921413dd28b77b9918337d0c1664648f02

SHA256
d2fba542910e65453ce84553fe102d29957d24068f70a5107e10dab93eff7eb5

SHA512
3a833c331f62d6e7c9721e688508d18714aacecfc8aa87ed2ee17aa67efdb571b9ab7a22bc0716acf9b3d051727a9f0cf9c97a26814e9776cab5cdfe46104b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI4C5C.tmp.html

Filesize
39KB

MD5
2e9aee92d765bd3928ae92e929f6f075

SHA1
fd4962ad87dc5855d8c73f1f46c99b6e850080ae

SHA256
1fa8ae56864076dc4d75d404c4017828ff4f6f8dd73d35f31938d981a4379d4d

SHA512
ee6a438650d7c53d39fcf319c0ca824a52df436fac68be1e5456304f8057333786af911602f9a466dc1ec3aa09472308b5d7ed3a1ab17a53d775eb7582246882

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ed9b11187e9e949775b3746e0fc2f789

SHA1
7fbf6569f8913085a1d0466c398f9a3c417d600f

SHA256
ed3719dbfcdff298526c8ba4deadbe23c6031f935bc500811ed530ca219f7de9

SHA512
6d94405f19197aaf4f717266dcac9fdb27842d30a2f79aa2718251960928ff28aa1d14b661a050d555285ea2a805bd30bed59135b185801011abf7043ea2d346

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4d85ac13aabb8d01d095b216dc7316dc

SHA1
6a4c20a7694b369fda27c93fef80f2614defe1ae

SHA256
56d8d3fb1d6ec46af7b0e0e4bde7f53690fb3a3bc3a2d8d9b55e445f990c5e5f

SHA512
a26b2e1eb76f253e42be2e010de3dbfa0e534eab068832acd81c5e8b4bdb833640f48f0064a0450bb1fa3ed0b8fc97e7dffbaaf13a88bcf15e40b348d298191a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
41b4e0aefb5d908a9379b32599fed8e3

SHA1
b5268bac7a6dbc932386416d4a5d725e34374621

SHA256
1992c24e285a6d7f5a1beedd9335aa7fc08bb222632281fa429c90e6972b913e

SHA512
ed880116f591db18514bc032e2965c6aa0d401598e61619797e4a6c6780f5846a23efcd2674e1d95674becbced06038a61954e8836ef5576eee903e1cb34ef29

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
af668568a0471a9d5a44a2bddf02e4a1

SHA1
bdd5b690a727736c550e6f64bfb2e4f22c096b16

SHA256
cf630a415fa8027f9d8f1e9d6cb12d74069997a92b6a600f1d3e9f7f87b2cd58

SHA512
24c157bcdfb62aaa4c8a1c4d75042b672c706289e1c106b396f5c65f2476ee5a40ddc8271d0742ba2dfabf7c0223879f3763d5c0b955ba62020fe7487335b33c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
78a02a6e61700aee98d78f21e2851448

SHA1
53be71f39bcf462edf093d240d833cbbb15d2d94

SHA256
1063dbf3af7d053d26f6b20f19474c099586eba1920b32d46c5debe7f50c71b1

SHA512
3e8c5c93fe15f742de97480f19804d0db33fd1fca1543aec112b2e382537eda0acaef08c0f00ca847ae4cb29aa3f5a173857a7588ae95a3b511d5d9040a0ecf2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
080be2e26c217465571df93f046d2029

SHA1
56581ba665ca8507bce7809a05329c83fdb9acd4

SHA256
d2a710d45d911c93aad649981134eb177a5de8e582a0424e283586c4f1da131d

SHA512
67e85eaafed8818d62fe6b1ff9894c890aeda2f67b800a17ba809ab5137a629b0f31f700cf3d678a98bf50d8c04aa6abc5cd616bfd11381616f76ce3a2649987

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ec5d790700cc22fea04728c9c11bd6e0

SHA1
8b90837b97683937a6328e80f062813011ee310e

SHA256
cef4bc75d661338df21884c6f5b1adba23fea497c6caeb64785f3c46aff313c8

SHA512
a8c5e2c214489e49226a1f1b69a1ec42c4e64ca98c4a74751a71fd6e87a361e315af63ac9d3adbe070fa2e9b6fad6845502017bd3f9a881a7a32a84752e59da5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5b5edad0d705f538f1ff5309a7f59d5b

SHA1
33421d782d7021121b6a941d201eaf75bb66ebfb

SHA256
7a16d708c12de4d6afe64b167e21c41e81842999bf04007017aa91e38b320def

SHA512
862c23290b381ca6a9faf69462b286abd1450a89b1af6deca7587931f36669dace76779a0d53ca5e56060808f6b054129de893535b00bfeb45bafab0119078b3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3a7597f24f82624834da15494368f68

SHA1
21bf8ffa28d826615b86bf62240099c73ee6f611

SHA256
c03f15c1430f9473804f904ce53e5c86376e6542efabff97b9bc6e94b53d5105

SHA512
c37ea0c314fe1239077a6d991bb32eadba7407e1163f1e930bcb63724afb7d0acf806491f760f5d924ca6ba9aa4453217dedd04a17eeb37f9fb9c701be0b1455

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a57e2480533a265b5ba24fea7258a15e

SHA1
98696718052306516472442b1138321826645fc4

SHA256
2f0292cb88252d35a43069fb6a3230bbe9bed0733608065b4fd4c91e655f9f13

SHA512
969926ec39b017973d02fdb0822e38b369971553137b02540577084f92a35b0bec2d797e245fad5428e8e7075cb38f46a72f1ff6c420e7fa5dbd3922c6944ddb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8e7149e498b0c1e8ecda0a03a3939e7f

SHA1
2af5c1ca7b69bb0a57ed67c6499b459c8dae89c3

SHA256
361da55edcc4c190940c2a0f5c174826cfdf90536012b6f9fa2170f79d4a2794

SHA512
c468ff9b3642f059757720ea606cab3b22b33539ead245ac33fed0a73879f0aa1b79919d01b6f0134b08496eda5110da204ca2efefc4b15bebee3c3c09c916bf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4a7f27d7c588d774bd119fcf7bbdee89

SHA1
e22cb4475bc01faf9138f7bbbade9368e0d8daa5

SHA256
d1717927b544a7ebb9f8ef28759f6279337a74aa6c9a93d791f557e07b9e4272

SHA512
ac51c3c43d62e41738e05247f3bc3ee7282750813dd04cffad0963cbe1b6f1645dc64f5d9636cfd9639122f8b89df7b2750681e256adb155918f8cf19902bdc9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fdd7840014eef036403e0afba13bc8e8

SHA1
6076818fe38eb41f5746947a115c2177fe7df4dc

SHA256
ffeb9a24606cc593e8724df5c70c6b5245c5cf7bbad25203cd124df2b8bdf262

SHA512
b2e99483c48334210d64aa57f4980f144b1288dc9dd57bccd07f8ceb32387c18e2e1fbe6c1467f0e77c87311ba0263d2f462b6511eafdca2e5d9c0ebb6590274

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2281a827b55e2bc068378b6a289523d2

SHA1
9d7ffdf85a2c2623dbe386c9460f97383debf996

SHA256
e14b21f58d3413c44012f3554c3f7f60fc36e0815bf87c2d5935d3c679911c78

SHA512
7b29844585f2bd309b3d0fe183009b9db9603d748575047e067ab960001db44a63539052d58e9cb57fffb2ddb3e6a032bebbf8fd100e228a6ef165cd29898872

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f1894eb53de63609d677e798933283c0

SHA1
dd95b2f059662a933c1f1f65cbda1e9ac95c9723

SHA256
9aa1c40b0da5b559e2d71d492b83c65e3c98b75d99f960a3b051faa8f0b9e26d

SHA512
eddf85256db0b6f1b1402e8f092e05728e7a3746e862b13d37e41f909f4d0c65fef6c36d283183a1a075c8452595e1fc281d09440b4fc6fe405ca1cc26ccd21f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2640ee99c09579aba2185b2f828492df

SHA1
b2602ccb594ea2bb3fdcfada8688129a4d314a9a

SHA256
7e32622e7de8997e0e206ce04e72dfff2fc2ed8a89b285732d87a5c3123c7859

SHA512
b98b464c24ba8e2d82b5800470897ec18f488a020f21c532ee5a6ac1de2ffcc97b9711c7ad97bf05379007615d9ffa4ea79117384fe015a9f81e23531c728a91

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ab5e1f1b5593b9bcae6ebb094f1febc6

SHA1
2f01e17cac45c9787814b9b6fad0d322a9b4dad8

SHA256
16ef1301d9a91c5d35b98c4846b9f4458eef74f79c80f91e1f231b30de1278ca

SHA512
4f635303c1774b58e27102532602e06b8c73f8ae1df90a691d40f8b3243defada8d9df6b8bd6f94233edc942ffe50c4dc0dabe3970ea83e329aca2307c5b26c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5d078524ef072cda8d956d9efadc0963

SHA1
f4b4094551d05f43c77aafa9d94614e750e71acf

SHA256
758d5b4b448ac4f7ac7127293eee68f56693354e3ced4594517d253553984513

SHA512
3cddfb5062a523a72a1bedb55c9b69004daded2c0829cd8dd769166c6e7f384538058221e51b7e4efef9151878aca1999549c3809a082ac259b125ad05617b31

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b477a16d4f84c87b5456fac518642c78

SHA1
934d6299ef3100f7a55212455730b418e14fe898

SHA256
6197bbe7483fc990cee1ae09f24de5a863b9a4650faa6523e5a3d414191ee11b

SHA512
a732d11fcac03c336ad5f138504536aefdf94396d63ea75c9762b6234725478230b27396a0374f8dc0c542becfcb50b86861528b6efc6b6f2accfcdca4e9b090

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b7ddb88040cfa8df93f9b7370f546e7f

SHA1
e9c5b9353d4b24ba7d32d581039325923748ad2a

SHA256
6eea70795bb41ab5c7a5797f30412d4fe99f691dfaa08927ccb99a087795c439

SHA512
284a3e16ada49926e910fdff86ff5a9e0b712d91e48776207e6a98138b68d34878cf395528a556cf6b2a608e263177c253356cfa26215b168d079462543fbabd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6fa6a970e7d9627f34220ae95b01ac3c

SHA1
04940b67cfbab93ceb7ff936d6b634c68ee0440f

SHA256
23ca39e2687576cbcf0f938dead21613d8768b87cc3956a7c8550adc737bfe8a

SHA512
ecec3754ac11209da1b5be57b91fa5766af2edfb2dc1edbc9509d03290800e2f61d09f0b286ba6893bdcdf5963994d43fe9581a51aa85e42407b862939557f69

Download Submit
\??\c:\597d813b76908e5c4315\1028\LocalizedData.xml

Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\597d813b76908e5c4315\1031\LocalizedData.xml

Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\597d813b76908e5c4315\1033\LocalizedData.xml

Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\597d813b76908e5c4315\1036\LocalizedData.xml

Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\597d813b76908e5c4315\1040\LocalizedData.xml

Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\597d813b76908e5c4315\1041\LocalizedData.xml

Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\597d813b76908e5c4315\1042\LocalizedData.xml

Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\597d813b76908e5c4315\1049\LocalizedData.xml

Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\597d813b76908e5c4315\2052\LocalizedData.xml

Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\597d813b76908e5c4315\3082\LocalizedData.xml

Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\597d813b76908e5c4315\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\597d813b76908e5c4315\ParameterInfo.xml

Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\597d813b76908e5c4315\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\597d813b76908e5c4315\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\597d813b76908e5c4315\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\597d813b76908e5c4315\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\597d813b76908e5c4315\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\597d813b76908e5c4315\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\597d813b76908e5c4315\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/380-466-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/380-319-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/652-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/652-460-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/740-0-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/740-7-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/740-8-0x0000000000AC0000-0x0000000000B27000-memory.dmp

Filesize
412KB

Download
memory/740-271-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/756-276-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1192-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1192-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1192-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1208-286-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1208-462-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1492-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1872-361-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1872-469-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1892-408-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1892-120-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1892-112-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1892-113-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1976-89-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1976-73-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1976-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1976-125-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1976-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2480-461-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2480-279-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2508-186-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2508-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2612-467-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2612-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-308-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3276-465-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-280-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3480-278-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4092-151-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4092-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-157-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4092-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-173-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4332-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4332-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4332-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4332-307-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4388-301-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4388-305-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4460-274-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4656-273-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4660-468-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4660-349-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-168-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-409-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-145-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download