70a196162a97c02b64e0c4f2e988f1c461340e2957fb8366665695e8ebce966f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
Size

656KB
MD5

12f9636ce18ef59f903f587836660310
SHA1

6b37fe57ac1d8d658601398b7e1a6e792dfab561
SHA256

70a196162a97c02b64e0c4f2e988f1c461340e2957fb8366665695e8ebce966f
SHA512

5476a4176dc244bbbbe1556fc2c59e3de72cd484697dfc08455f0746c5b930d7079d8cbf0433941fb21c83a52e5fdfeb49a3d8a0a760cfb7f2c32d42958fe373
SSDEEP

12288:3EZjg47NLD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:0ZrxX7bHsMQ4/O6yMLprOInyT/Swl8Mg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeSearchIndexer.exe

pid	process
964	alg.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
2160	fxssvc.exe
1216	elevation_service.exe
3392	elevation_service.exe
2292	maintenanceservice.exe
2232	msdtc.exe
3424	OSE.EXE
808	PerceptionSimulationService.exe
2012	perfhost.exe
3256	locator.exe
4852	SensorDataService.exe
3788	snmptrap.exe
4860	spectrum.exe
1040	ssh-agent.exe
1140	TieringEngineService.exe
400	AgentService.exe
4632	vds.exe
1164	vssvc.exe
3508	wbengine.exe
2364	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 39 IoCs

Processes:

12f9636ce18ef59f903f587836660310_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\593c72fb4a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000198473880daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faa36f870daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c48f5c870daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034e837880daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c30572870daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f95461870daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae13e2870daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000695f2e880daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7d524880daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe
1216	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

12f9636ce18ef59f903f587836660310_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3732	12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
Token: SeAuditPrivilege	2160	fxssvc.exe
Token: SeRestorePrivilege	1140	TieringEngineService.exe
Token: SeManageVolumePrivilege	1140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	400	AgentService.exe
Token: SeBackupPrivilege	1164	vssvc.exe
Token: SeRestorePrivilege	1164	vssvc.exe
Token: SeAuditPrivilege	1164	vssvc.exe
Token: SeBackupPrivilege	3508	wbengine.exe
Token: SeRestorePrivilege	3508	wbengine.exe
Token: SeSecurityPrivilege	3508	wbengine.exe
Token: SeDebugPrivilege	3208	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1216	elevation_service.exe
Token: 33	2364	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeDebugPrivilege	1216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2364 wrote to memory of 1864	2364	SearchIndexer.exe	SearchProtocolHost.exe
PID 2364 wrote to memory of 1864	2364	SearchIndexer.exe	SearchProtocolHost.exe
PID 2364 wrote to memory of 1540	2364	SearchIndexer.exe	SearchFilterHost.exe
PID 2364 wrote to memory of 1540	2364	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12f9636ce18ef59f903f587836660310_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3392

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2232

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
4229f9cbadb9b4eab9eda6dae340d21e

SHA1
1c59e976fb66296a13cff1e78812fdf44c0c2683

SHA256
465330c9694c5db3e83da9f50b64c3c9481a877214fd6bddbc382617613fa917

SHA512
a70f283d9b2b86479099c043481d5ddbd64ec7b79620cbbf626460b1d0c16cf8438dfcf11037895623f1770237c10e994b44caddbc154fa6a933ba76dc0424a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
ff7dfbe15d94d00f32ab909dae8ed15e

SHA1
fa3698c6623d567f3004006166f1f88cd3ad3255

SHA256
7e21226978b632ac32f80de565a751c2f7f97f485ab4a6069a7c41eaa3cb5e42

SHA512
c7f707e11e7224acd595e1ef4e6c6e6a9c45128cbc834ea20c20b134b6651781fe766316467277c9f1f5bf0bc8dd52da3673f705734dd2fa6d4e9c22d980b3ed

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
356f5ad39805e6c224f64f86c4025349

SHA1
5b4177d4fda4d864d723b8f1cd3668641dbea371

SHA256
a7df317f5a8f736d7a285e5783895e3c8840311448138f64746ef0f72b60db08

SHA512
cbfde5aaa5bdbd173f34b9132c10dfcdd968d4ea4beae0bc74621e7d667e489ba781ce567e59dbd59ef32048a15e0e27f711b841c7a870937d5785b329fc9263

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3ed6e1cec0959ef13bde1f8b336b66b5

SHA1
95bcaf702995f0c07010d913f61ee2ce94203cca

SHA256
53aeefe3ddb7e032598fd74198ea6a044f41dbdbf8bfa68f7fd6331d6d2085cc

SHA512
293b969f84fb9b17323883580b2a22ece4aee9f891827c31162e0bd92575fabab0283b31d6527875e4553a1343b7fd8191eec7857a4aac03499456b7cffaeca1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9cb764f944cad7f5851d4f37718d9c48

SHA1
b106527730a5d58fd033b05dd4ea039c75612dfd

SHA256
32d982377fd62296b71cb4b3da773cb91cfb4e6ff48ceed83ee77b8b07ad9a0e

SHA512
19f0d837eb29ab5b7a7e0cbe5140269ffd2185c52f93d170d882a7abd2a800684d3df65ee01a0faf838bbe134a095af24ae84c085df773a734fa8deb62a486d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8f4ec428676e2dde3cbc0b142e4e4719

SHA1
161a086e88a7e19da490fc362a5a18f615107374

SHA256
a71d7a5ae86aff491eaec8e64a11eba2993a3dc6106fe01c3567eb0c6699c3cc

SHA512
2a54602b38ce38b9c383fea91a502d07db066c863c1dfe29e50dcfb113227e898b1002e110c4704c14d81a47f7ea877fd036350b89ae00f40b7fcf888aedd9fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
fbc41c2a1fde4e7eda17511505211bb2

SHA1
1fa4066251d5c55054eacd73e4f0933339ebee54

SHA256
5eba9a11b55dea6ff84c02e7f72c332f7c52bcdb11c8e0b6edfd05c5597b9430

SHA512
8eb41315c04b91d56a67217b368a13ea3edb672f85ce6e5ec2043e2e9acec4e3a9eb4a10e8471ac467bdeaf08efbb462c5f6584c5fa165a254d7b73110949ca8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b7597b135d70ed7c889a8bf14ff06349

SHA1
44129045bc350973b919ae087850d3f7503a10c0

SHA256
92b42e749bd927555db40b9bb694f59a460dad803dfd6d3d3080d9c6c66c7c2a

SHA512
5b4f7bc05658ddc49fb8087d2db4f3abbfcba30bf5170144f0340f7ca39d87af3d16db5647f33b0b380d414d5d853b0adf4b7046fab498b993d629d057b906ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6fa7654ac07b580a168c49461e27da01

SHA1
e079dfd237a9ac2fd3b7580491a6f73c380e008b

SHA256
7c4f386758b10f5f04ef42d7cb9e1ee3c7b22710828ce24fbb2937b45349e120

SHA512
0d49f48c69d14913f0625f9f681b05a994ff372f36be9ef27401cdb0ea2da2e0bfe2ee93f4195fe643a746a13acb44cd0fdd862f6a4d3a02df0df588da605124

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
50fedf6c041b936908019eab51d97685

SHA1
7d0938d138d62ba7a17fcca8b732dce86e3d6fb9

SHA256
4194b3cbcb43d5ab5b216f4b88b3c537bb10efa84014d51ba15e28c102bd0c64

SHA512
6d95e9a616418e513c8651be362ea8455d765940bc5471c697a31442f0777471bc0643a4fb8dc790d2e00e69cd49b6d91d09f14836893b067be0dacad9929821

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9bb3eb2b8d420731d8adf5a1472a8f66

SHA1
a50bb197e6a1f9960d9632362f397b3461169572

SHA256
e145da3d24115f5be3b5d48ba13820b2b2098b8aff0e19a2efdd20b8eacd3c92

SHA512
dc98b085c1696ee13ec5efa08351c8231951761193f809b290f12dfbdefde96077a7311f4dca50e13b74afb02824c8cfd99fe8e6795c0a3ccc1a3555efdeb537

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c827cc8daa90e0c9a2f37c5a0eb03e70

SHA1
043295eb7a45204a4f14c0a02e3adac8ae46d55d

SHA256
139900fa235d0aa52f0d1a0becd36fabce7bf1e4aab863529912fb5d7824a2e9

SHA512
a2a8c4a8f9b2b1945c2e74ed7e7cc1e3c0b17ea0404c9c7a79c2c81ec6b03dab3c96f2062e0e295bc184949a63bbf6c1aa40dae8e201e41a6627d988100973f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
6804cefe7fa32c6e2ffde09fc2e62f65

SHA1
86ce4f042a54a9f5c6275bc3c5353437026c9f68

SHA256
c17f8a79b8f2beaff364d068ddcec5acb79d55643b86210cd1f55ec272d14fda

SHA512
77c7134541a82fbbe6f08d3f11f342e6df7e454f815fd5733d93398bd0332590daf95328a25cca5f287c41555fe1f6d49ac893326cf6e8d29a6bd26bad5380b2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
621153561dd0336aa46d26d3f607898d

SHA1
7a2c76053639db56e6646b67fd54b49c80317547

SHA256
1a1b8c8e92c7c53e069c2f8074576e547d300f80366894a022e7311665c71661

SHA512
2c96480ccaffa30a21204bcc0b8785c0a706d76318fe2cef5cf1039d99a1696240f32b8fcd06deafa088c979ad4fc5f5f0fda59264caf23850446c0cf808f69a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
cccef194061bc5e9e148fd2c532cbd2d

SHA1
09dec7018d2c753b98945eb49af01ca1a559408d

SHA256
6f60937d8c757f6a39780ab1ad2e510e95d2cd4cb4885be53aaeb5668e40309a

SHA512
6c5749ede4f2daa295700ab405fab458653376c58b478ee5d05affba08ac8e59abdd94a9e2f7a16279bd805276940b6c2578d014d62ee13330900782c1955ca5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ed163140aefd789a4a2e29b65428f701

SHA1
eb3f2acde63309b7ec2ff5df06f88a04ea76bd8c

SHA256
bfef3fcd0119ed722bfaac7566b9b05f0444ab78df7dfa9392ffd8ccb2d22291

SHA512
add0d26e36b82aac6530ada7eeece1c332ef8b6fedb3982f0a20a1f6933d7eb6fb2e6a9a66a08019be9c35d801561d0de4b3684baceb263b77addbe9402c285a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
9e136ca64be3b40b870e2620adc4fb0a

SHA1
a2d308d0fe4a98f94bfbf02e64a48de09f291834

SHA256
b08d7470d7baf8de2865406d171ec2256b70613070c1d4ccdb75bf1c22fe39c4

SHA512
a4c10fa465c53e81746e1f3d32f9b92d10ae21adc73516460114319b335d19d47c67299f85f3830219b4f305abc676ff45070af19b5499dff9588f715a87b25e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5fcacbe97d063b0770561092e9da6729

SHA1
06fa06f9201c2f42eea02a46ccd54abda53d89c2

SHA256
4974e8c2d5311e277dd50a8b204f13aefc2f38fca7889b663aef44e2fc36a176

SHA512
da8c4315697995c11b0706453e4e33232573c73082e47c47134b25a78453d9454d8971f0b5c8b282c94478063a0876b936814688d4827d9fd68fcf0ee684fd97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
cf4f119fdda94d3a8bf893572ded4d3d

SHA1
a1d1b4020e658da53d975a396ab02fcf6c44344c

SHA256
e2cabcef6a310960e7f1839bc21d445e1d625274c756ca2fd9dd8ed728ecf6ae

SHA512
b93a46dbc821eb40f3e81733a3219b62b83ae9fed120f84d811d699d1c1260283488b409addce6257afa23a39ad482d69170e2393c3f098c230117b44d6c2b33

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
9f343d1e99e251bcfdc152e9fb10778b

SHA1
c2e693337dc9139d3d9192699cfc519f6ce4f696

SHA256
84d94ca75e1a56276fd11bcf7cf88e20546035858939dc1aa1516b8c6a007975

SHA512
2e93e74cb8d7d0828f0059cc7b5d33883aaad4557a8782be7c740da8a0be232827ed7c384ed585852de937bc3c2fafb4fd6372060207d2a744cadb7d5043f30f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
707f489e2d0626a9861ece4709a33aae

SHA1
ed14ac5efa93733cb0053dd2991dcac26be46c19

SHA256
86ce85a018b8821a11bcd88064a312ff1e24a0891c7b095483dfa59ea250e653

SHA512
a52a36a20767fd5529897b860081c8fe3d25715c16dbd65224e635c537ca974d3a3c07888036ff9be0eaa9513758306c12b346b78c9871ff0ecea30d35d0297c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
269b18fe45f6af85efa647b1a8ba42e7

SHA1
71fddd02ab23d9521c7fbd99fbf42145c85a65a3

SHA256
203b2f47eb35e82ba668f6a7ae6e0991d6d6e71abfed8f4df632ffaa8c946f74

SHA512
84bc1fc3d0a4ff3576c4ef0449029efe6f75e4e77fb0d15837b6091c6192177d8ed6601dc20435e2b93c9ddf1da743254b3f59e0a45d9a433cef012569f9b7bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
8b19de8fd367fd2541ceb05cbeb5d15a

SHA1
ce7534ef50989719f67e0f58f085437d15e1520b

SHA256
feb74814ff7250927d64337f41799a35be685b5526febea9a1903ca3b652fc68

SHA512
9060b5162710ad27a74955da0062e7f46c1d6b45b67378ab66238f00dd1a47af039a2f20b9836ac9282f17a5cdc5ae419b0dc6a2276df8ed16433b4fdc1d63a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
cea62efd66295a5352e99b2a172fe37b

SHA1
73cde8b9111a5c14e1bb347c1193a548c314a68a

SHA256
47fce79ff9e512d514d6a375dc6cc904bd18f14ca60aa8d741de55669c488ac4

SHA512
76585eed1656381bf07ad3f7cf46cac93a5f8c4e7abfb23581273d3f392fa96d8c2a6e012f37cf0d79aa5d60fa870584d6a117e0ebff341167caa0d26346c807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
218d2ce89fe46c0c924dcfcc51510bbb

SHA1
1d8ee0a9bdb6c886f608e585bbe2d5ce3e37e87c

SHA256
6610577359d4ed6df28c677c41b3dc04d3086696a911f874231e49c634585a3e

SHA512
b68f69608fd2188712242939927ea0d8afcbc14492d2754c0295917a7eed122b956ccbc3c2fb901511436c2a67774159053cf6fd6415c37525f2c4247f57df54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
90bda4ebee9bc1d3212a1079d629d936

SHA1
ed2801cc03b550d45387c7a67aa6023759ae91f4

SHA256
437ffd9306263ec72880d42f23097eb936a8309ed9fd955e7ecef531252ded59

SHA512
30507a189607c5f3ce9bae16e6441c94b3d1aba656c92b23f3e8bf020407671bc16451b56128983f66c673062d2c4f8c718c2b0f546359c0be4c97fe09df58cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
006f2edc7ab2b334c978f02f984661ba

SHA1
ca7bce19be2e5ca039fbff08f45d025f3bac1b95

SHA256
6c6e1705286ff8e1b413a5b259518ce7e57512d7089f8412d66407c89a0ca155

SHA512
6f8e9411f323eb8d1dd6db57c594e15d3171444ebc57affc00e59fab950ab0ae1b2e8789b0b7715b7d4a1ff264dc78616b4c157e0b63eb98190e6dc576b6af25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
8c23421de7d348f4e1f46c2151f87136

SHA1
0420e0f53f15f4678a7c7db501712b1f7702d0c0

SHA256
1b3c8ee778a4dad86fbb378e3acdc730c5b60be4995ca15cc84c73f9ed2ebdad

SHA512
f95cbd1c16132c5839bffc430df8371213036a93503cfcae1ca10eb2b3f3402b8719b2717970719e4293b7b5a9305971542b413048c96a61628dfe08a7c17785

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
f7dab6455ab523d3a2450f081af9ccba

SHA1
6440fc6d57e5fc609f06bf805cee56e0546936f3

SHA256
dc96fe7838c1239b289bd43f5a8602fc0c079c5630f3303b59f257394468474d

SHA512
95485dcd17cf066f04aa12927ae46aeb9cadfb2b6d1e235b787ef98b998796480a92174c961d2cac8fe692b2e5273580df68e8ee4f4721fce6dbd83325996d74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
b99b2408564cc892544745d516c46a27

SHA1
d4e9f13efb3a0ffa758e76dd19c541e85e77df99

SHA256
5db65af58d8893b444403f54837cfaa39624edffa0c0779d5e172f982eea2165

SHA512
a47a4cf1f8dc90478c744028fa4a0f6d7e03083e3b35c35303c2c3fc51ca4cd6f8a557545611e21b76602d8257b2b896d5f1e05b280eaf5ea17e0c2de1166f86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
fa82026aa7fbe070114ac9e18f4340fe

SHA1
b110934164391c52dfced6f7b0c2adfe2724d7bb

SHA256
f059b99f82085678e0463121fcffa388b648af611a783e44e2f115844a0504ad

SHA512
9d99f1df646e7e7796ef7ccee01147552964deca0037fd73b3815ea9d834272abb3581172869eedadba8a0df921aad4f59efae9262372f0355568ea386e035a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9a28ac36a70a18ab977bf6780522d0a8

SHA1
0cf92a698c735fc513201a61e92753be34bc4a14

SHA256
07ceecd0103be9b41a8504f7b2b6c3c546dda31ca3ad2503561616f438770a3e

SHA512
cbfab1f0708a86a8bc2b8d22dd3f67734fa96f952814e8ce2d7c51bbc1b0b949e0a5994f8940f202bb3135f3f4c607e4b145f62b825d3bbcc3dd3f33b98dc136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
7f08adecaa2d73b5e9720b677daad7b1

SHA1
84e0bea762f79a61cda090819c7433810264d674

SHA256
94511521ffc2aeec9d3299dc89302ba1a8903f3fc2818a0f9b2242cd8f572bd5

SHA512
01598a6342b0487028101bc2a88d9e6dfb9fb53276f4dd05418f0994d26947f731a0dff3c0db49e09594188e9744c969b8530ec0ad582fda9318ca0e85b6423a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
400146aad9b404e5ea5cd4829d7c4f3c

SHA1
b0aa5b1d46d5d792927521e9458a2d155af9e10f

SHA256
7248d30579c428b9eda8faa701a3b5d65cfb7c7624bcd7938924bb2ffd5a6e3b

SHA512
adf47db4809d9fe480ecf83c6ae47fcf75aeaf845b2197fe076ddbc2d6c5bb6e6b5df7740dc304c90be52a4de7778e279ed5279a32fb62cde507815ff6a9094a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
2c7765fcf1d861671ac636505e26f2ed

SHA1
9a1b9cf1c48a8831bfaf1ee1b89f58053c8f389b

SHA256
30fa1258e3d604321d51963f561f2a3d6915a42297b532ff8f6a79885283462c

SHA512
25765eea42aeb592109046308db13270c7f986d0724df43764d9ffe044e6980c23165c5aa13933bd2d49b71e7a6c9e87a449c5cac2177b1f91a047a445e9f9e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
99e17179d4c5b3211b184db86e55ae88

SHA1
8fce410f26b44f6d28bdb98d61b777acb4815e68

SHA256
ac30e02c5cf723d3afb9fd8992b177f7aa973146d893f1f0c8cedafefe647d09

SHA512
cda72b2dc05a56603665ca8a62696f1edc84f54b431c84c76744cba4495e0ceae9e2bc44a394380133d21f886c0dcaa76c1fcbde69b3192b59bf547b458a8a1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
eb4a547960889bbdec79a7aae365209e

SHA1
136f242de829de05064178a05c9474dca2ed4e2d

SHA256
09025863a4efa5ffb8351496fe6f77ca2d3810af01d967083a8fea3c8c1443f2

SHA512
9240d80b3ef760830fbe0f7cfda9da203b9e9be2ed62406483e41e0fb68d553bef5107aea4955378f3eccbcdaa5d941d8840ffe56a5676817c0f0cea6004c104

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
87d1100c03300a325a734ff78763a8c3

SHA1
6947a607405a6f235086ffd0a3aafb0942f51eba

SHA256
ea0483e4427fc59e37bb1497d7803b3880aede8d709725d1b14f8582847e9709

SHA512
2ac1bb3ed52804204071ce8f3e10f31c1156de594f5aae577cff18d7d17176cedb04aaddbf12a65c2a459b1cae0e5d0618c9e5d8c6f9a1bd2212924676c570ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
b4d3139e8c5695fe41ec965d69783f66

SHA1
350f35023c4792c8c8b47ce00f61cbcc3b131736

SHA256
8e8dd922b885acb7b4a404e7e396e00a0f5c682df85ff7ad7c36c80d8528389e

SHA512
7b0e0c4e2d87dc577c1b20770983378a0414d60f310d4f6a5f79664ff838f1222956cf31c4a3df43194049d6c05463be837183741067381178feb8db2ed97372

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3dc7e5c4a63b02f742795a102dda0c51

SHA1
6c9ecbd28e2ef58ef4e0dd128ef2b5d2dd1f6250

SHA256
6cc6cdeccf7c17e6ea420ce243859b317e5c391e3113a15b15e5bed6fd389786

SHA512
fed35e05967db3a4ca9fc68edc6d3494f3d563e436bb8a465581f8ed30dae6dc295bec66a3447ea00fb528ff3a0741ffd73f3d2e5e2c7e241ab82a209dfe39c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
604f2f793cef5545234abcc1ec9f839b

SHA1
36e4e58ea44f3e0569cd3b995c348957068760ce

SHA256
d2353906e46490d2ec6e42521fe513cc38223cd6f33767ba4798e597ae29cc67

SHA512
6f0912d3121d7743ebff2da89a904d9dbf7fd298c6876a156e09a2c1ea156bc36913e6d9d07c5e9aa3deb460b12fde7a7b6cce92ae288eb051756f708f03f228

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2884bf5fb995619ebf6cbfd7f5bcb08f

SHA1
d5a7bde301bc28cf4f774af8eba91a729bcdfd85

SHA256
a7d021282b3ceaae57cb8270f0713839909933d95fadc99fb10b7e2d437287bd

SHA512
274ac531023c62a0578392b39f737a5460668a08b0c684b181cbbe1b00254470e7e8617db5439d9e09fc2856faa744c0d69c6aec2586cf25473e11b4eab5b6d8

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
9389d1f33b859d232e76f0944eb9556d

SHA1
88f1fb2571fd302722e56768074811f92217c0ff

SHA256
7177619fba690b5f1322c32cdd1713dfab57443cac93c8fb18b7778f7b70da64

SHA512
a8fedabda9caca13f0c9f8676e5696be6278b10a87439fceb61b5c4d995de2a207634ba4d603176123113f02b6e4aa9cf677b101657a7f83c4a1b9a3f9d07006

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
7cb1b05dbf9da513b103913b62fc1bc6

SHA1
82b789fbd7eda4275cfc3be24f61916671f7bc9d

SHA256
36f913293bf4afe1068a9f8e74f747ef4e062e6acc8c32221fa7408cf1847ad6

SHA512
9ab6bedbcc2110b939d7d2c25a03a42c061d2a67a144312298457e736effb0e642ab11c3f51974b34152f4904174385bc634f2a9499517428554fe9f1d65ea46

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
8af0eef58995a09933d2d86a2281fc8a

SHA1
80156b88d16293c459cb3d880b96b5694f2283df

SHA256
33c107dfb88c06178826622778abce562e2678b82111a5acd1527fd2230e1d03

SHA512
5e6017ccaa67eaf8dc78080ec6a41940f6dc14ddc9b4d9a1446773dcf553568ebf65216fe21762feeb82c940dd689a6d8397893d9470e3c53fc939b78c75a9d2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bef29f1b5b2d7465108cf58959392387

SHA1
eecb980eb72e6dcd437fb7f89f87b74174adb8a8

SHA256
1f64a48ad49152e8ae1e35cf4ed4078f1bcbb81aa4f5b37647d818f1ec71da41

SHA512
01a2d1edb641b1b02665e4dafb5872b3b56a95aa825ae3dbcbd50bcd6dd16cb6af7002f697949f63be45c33c16d6312e622b59bddee6def1ad54953faab9f886

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4ec915c1579117aedcf0ee97a177ad38

SHA1
15ea8239c9dd5709a1b5d1d17d91e13ba10156fc

SHA256
f1205c6f4f03f6e757996995889ce07a2ecc56c8a6860c0cfcd1f3521aa92085

SHA512
0737709b9796a392234569802cfd1c8d4dde50a70e93ee27cc0be20663572a4521b8454308c11c72b49a5826ea71b1a88a2124189c82761d393c7bb025da2fd9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
853470542bc763fce34529a0eea55171

SHA1
e25c924e49df6e0f62b37ddf580d19e7a6c4de39

SHA256
712215486b12c33ffccd41e1741e7dd698b0a08ec50be139c16bd1700a3a776d

SHA512
f6a88b4895a77de32e92b86d055920ccc3a8410c59e3e6f90dbdf78e4c06aa945b670ea8669af5d756179a3953d9bab7a2ca87a0b4ba80b5319d1a3687b0c4c4

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5f0ba0017cd95995f8cf024bcc7c8943

SHA1
3b2850ab7368c9b218cf20b06af44e17b157ac55

SHA256
389f9b5e2b5017b3da3feb7ff76cc0d56ea377a2eed52effeee9e352763b68d5

SHA512
519c97ccda799fd9d26055264fcc39ca565b9bfa83b043283d378731fef4f03d83954682dbe36dd5a7fccf849e73abc7556241ad9f218dcdcef81770eb7fb226

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ccb1d4a5735bf35d331283c7c663d079

SHA1
ae171d5b916b283388c33f13308c76169e4cd4b9

SHA256
cd37dc898e4844bd258ae446263381cc98cac03f7e40a9239cbefb03e8ec1294

SHA512
8e265287ff96262e662d8dd3ac9b52d79d88215b2524b05dd616f437bb235ea484babe94f4ef671e8c12705e0472c6676a4d91cc88587918c0e8880618c43a68

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
4fdf10f1ad9915514e8cee7f95471600

SHA1
410bc0eae154e38ada87c717642728d2dd492ef5

SHA256
535f65ec316831cae59f7baa96970b536d89c0bc127700856c77e31fe63c4b13

SHA512
bd9d6b0d96b6924a35638d645d629c24179a3836619be67cf566cdbe550876c276ce5906f1250bef3a4664bbaf12fda4cdb59a8eb67b009fb185b3a1ca5c1a4e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
4b115714eb63b182aa39be0c4309eb65

SHA1
6db51f28e6891c56c52aa9058fe7de4e16dad81e

SHA256
6245e0d575eafe2eeeb5dcb948fb2aaebeaf5fadc19d5c23c55f3861243c6289

SHA512
9b40330d75952e57351534f6a1e0da80e96b879406de7654b837d97d94ae25ed6752a81b443aa9b69474ef47a894528f47a5072fb645c5c57b469a8587b95403

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2bc9591d84ad982b3c2bd8e0df0554de

SHA1
d824d87be9c71336e831de689acfe0984868eebc

SHA256
739126bd1d9d5fc068211e1d2ab60cb865c8bdcb5bb0c5a76dad38c37a859b3a

SHA512
516fdd71f39fed3d3b9729d252e55fd656d17b53e61187e387b4ea84f04ca895ac0e21b1b3aca8e9ab69f25f0b8d310890311b1f5c2e917c5fe2db9183130c9d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
98095f275c65ace7b8e0ee812c7bef2d

SHA1
7162f6a8b0f43fdcd0265545966402cb69b34736

SHA256
32f426c738c299bac3d685eea56a8dbb93735dba2775b4c38358565128eb6e13

SHA512
22797d3c155d3bc7317110a8eefe56bbe3ec831f9384b060230b1116e23004a466fed35a229267ef19bae3e0e6edd7f818fface7ac57e64791653393640afb24

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
96995f69592fd60e3d349ab520db29ae

SHA1
ee7fee8ebd9350f080a5abb77fd03a6e655506f1

SHA256
51a20e4f895923bf040ee5d41ea579a87e438a61b6b7c15b4c52f80402624d05

SHA512
f375c8161542094c25b3c428a81dea607203a4e973a8963aef59e08e1509e15edbe1cbe4ea786dc43ff86972e926310f68abccf2861cb3f1f01bfe0ec5287621

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f94becd208373c2ac86637ed44d4e86f

SHA1
7942edb7e5933452ca5b671539c7838fa4009d55

SHA256
bd278385c4546405f874a97c9152a931dd9e2eaa44fe50ddb3405c944ee181f8

SHA512
480c82385d8950c7a1ae38943cfa794e2e4767e9974516bd80f24d4d253c0f6119cf3cb99e53a4c80fd9e09814d1af7119d164a40f6b7155f3f85dd3df3164fb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
deccdebeadaf2d66ae727fc66ff5fc49

SHA1
d44d918a1e3bb07b159c889586d49ed531076af9

SHA256
bd4214e98ed449d1179cca14ba4127f8afe26d975fb0c819bc368c5892821c40

SHA512
f41b805e64498971362a59accd1a0f15cdaeda4a1d92d40ba54a96020dae91c5f1083f2d69fba30d38d069fa8f9f0ca73092edbd3ac7afd4ac552ff1db76f200

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
6cafb7999215e97046acdaaf4942816e

SHA1
50e4ec184f1ba714bb6dfeec7dca55d27aec71d6

SHA256
2ee32915ea71c7100c263ea53f65968d5edadc18aad1bdbd69f362b37489e775

SHA512
fcbc13fdfa4398f24b7e6ee7f0c405b6096eded7e77c6a029d07dc3cd8c62856b374a7185a6418ad114a5fcb001310a434b22ebcc7b6d9cedf165ea56ccbcca4

Download Submit
C:\Windows\system32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
f91da66f8789329516fb6453654bd1f4

SHA1
c684e1723ba77b704bf8a4e443a83b5f32ffa547

SHA256
45147bb79ca1027fab75ec402f8c8cb9229254b0c155bff2c741ce8b9b637e81

SHA512
c01ef0e4a9ffabc2288560547485b61087d174af76ee4c853d3c1bbae0b9b767bfd50fcac4872a0dc1f5ab033811d807a090b1f65abdb38b7e0d0c8a220beb33

Download Submit
memory/400-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/400-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/808-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/808-95-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/808-89-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/808-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/964-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/964-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1040-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1040-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1140-336-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1140-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1164-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1164-340-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1216-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1216-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1216-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1216-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2012-106-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2012-107-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2012-101-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2160-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2160-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2232-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2232-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2292-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2292-54-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2292-65-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2292-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2292-60-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2364-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2364-538-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3208-100-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3208-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3208-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3208-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3256-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3392-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3392-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3392-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3392-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3424-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3424-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3424-83-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3424-76-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3508-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3508-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3732-6-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/3732-75-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3732-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3732-167-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3732-2-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/3788-332-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3788-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4632-339-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4632-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4852-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download