4ab656ff059e357e1ab3a93fbdebbb091f015e30792953a417bddb0e790290bc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
Size

648KB
MD5

eb79f17f08325cd71328c9156a215310
SHA1

1c5b1f5278dc988ba9543837c7b039a668f66fa4
SHA256

4ab656ff059e357e1ab3a93fbdebbb091f015e30792953a417bddb0e790290bc
SHA512

f79554c5f34f214552de78e4e283e9b773ab0743ccb1fc8a52579703e00a462a05302aa4fe4ab7d84456bf1b13ed45c27a5ed41bdb4dc130fb8d52c43a755264
SSDEEP

12288:Vqz2DWUmqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:4z2DWgZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
212	alg.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4304	fxssvc.exe
1472	elevation_service.exe
4404	elevation_service.exe
3760	maintenanceservice.exe
1080	msdtc.exe
1492	OSE.EXE
968	PerceptionSimulationService.exe
5004	perfhost.exe
4964	locator.exe
1720	SensorDataService.exe
1868	snmptrap.exe
1156	spectrum.exe
1356	ssh-agent.exe
2132	TieringEngineService.exe
1712	AgentService.exe
1908	vds.exe
4324	vssvc.exe
1916	wbengine.exe
804	WmiApSrv.exe
636	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3ad7575c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b980a7d74eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dfb9ad54eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020a8aed74eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bfa5fd74eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000728947d54eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d358bfd74eaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000535f24d74eaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3812	eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
Token: SeAuditPrivilege	4304	fxssvc.exe
Token: SeRestorePrivilege	2132	TieringEngineService.exe
Token: SeManageVolumePrivilege	2132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1712	AgentService.exe
Token: SeBackupPrivilege	4324	vssvc.exe
Token: SeRestorePrivilege	4324	vssvc.exe
Token: SeAuditPrivilege	4324	vssvc.exe
Token: SeBackupPrivilege	1916	wbengine.exe
Token: SeRestorePrivilege	1916	wbengine.exe
Token: SeSecurityPrivilege	1916	wbengine.exe
Token: 33	636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	212	alg.exe
Token: SeDebugPrivilege	4540	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3412	636	SearchIndexer.exe	118
PID 636 wrote to memory of 3412	636	SearchIndexer.exe	118
PID 636 wrote to memory of 2712	636	SearchIndexer.exe	119
PID 636 wrote to memory of 2712	636	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eb79f17f08325cd71328c9156a215310_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1720

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1156

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
108d47f316b617fe37ae68cbe294cb58

SHA1
1f5f68a6caf0b811fa0d02a4a5e1d61958652f6f

SHA256
6f2d7dc88632f20b27878222307b8098df8c4239733e68edfa38215b0a66d8aa

SHA512
6ee53d80bff8989e95dc46e6523fc32e6ea957d0371af12f0903947734045d53a05ba0992f52fe4c8b89424ec35c40b0881921ea28dab0def79860d6d8bde31e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
24882f7ecab57e61e893b8c25c42c388

SHA1
2862c6edd395c547159e865e139e0b06f75d7168

SHA256
68f85852c8d35e598c47f7affea34ee191e3b3a9242e23c13485d5d3cb87e4b1

SHA512
471e8c6ed274f9a489a3c1459c636f153330364b9ed824782afe51046157dd4804b4066c4b450d7971998a8dea29483083197b4da307ce4533b9613df75e7629

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1eb1ff549522b02dd23798b298c545d3

SHA1
f47e24e41d852bdef1ef714f8810fcd7c69bb2bd

SHA256
f48fbc8c35957412bc7edbb30d482b9e09413933ba326fa76a6e25cbf0db5ea6

SHA512
22ef233c3c31f6e49f10a1f2d9fc05254658ea5831652e295429ac11f9a57556da56b07f73244e1915306fffce614f973fbaafcd5fefeee2555b0da194eb287c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cc6d3409806a122c44d9b69dd797f9d0

SHA1
7af56d17b86ebe524f448a3574d03d0dd13e0d79

SHA256
affb880bff74d279f5b4a31854858d39f6c991e22fdccf185a14768f429e0b97

SHA512
2dfaf5d5a27c87b33a85a914669dfa33951bb20a5e7145a2010262691f9e9c69c2e267d5da85f864c29d0ff0fec134bbe5ac18b811481722dac56318dd0e5316

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
69dfb2cae0f990d4bbc640aada14b58b

SHA1
a5705ed8bba01f1a12ed45162630b2dc13dcd391

SHA256
0dc96a328dcb714f87207de69d6764afac17fcf6314dff862950982bc4e197a9

SHA512
ec0eb783ce26d0f9ab292cef4390652c8e99c860777c6e95b01dedfac0b37538cb7854f6fb04f7083ad92137742a8cec49d90d5ef8fda5580ae1c9de43ad1a73

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
322f493e5c2fd379b9537cd1c16d7606

SHA1
085c3018a5d69e9db089b6cfedafe812c8ead706

SHA256
9b2b0d225440144b1bc840a8f50d80e440625579f7f72237b196bf1055eec16c

SHA512
67bddd3349a2f660f413e56eec5caff96d35c2e0518b83a5d19b74bb97f580c1788dfb8be3a9945ce007fc4c9e55f47307f21ddad808a453bc6ebb47e6539cb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9f54d60bcf51386f6bb15a94a5e6fdfd

SHA1
b0f56c6de83fd2964e6668596a86233970dfaf04

SHA256
9c1a51f7ca297daa2d60fa573e73de4b6336d176ac68e14a9ad6835048d024f6

SHA512
7373473c15ef26d2f79a1bf65d73d7c17d9f3c0b028865a92468bde35e99ed14380d9b023f7431d487816e8c2b335d786c2b654f6c29732a78c30fc8dd305a45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7063a3809776a1f74fe2d2003237b4d1

SHA1
a32e0c4ae6a33ed0ab94e372e844c2342d1d6ba6

SHA256
65e556888d95bb531868e93e85fb6ec46d12b383ff4336e8ee2a103ac5cf5c32

SHA512
6db656cdeb78c47268029469197bb087fa64639e745c96f003a6897629f7d93af1bd336e48bbeb64bfec3158b1a3425105ead530d52ddfcd386c92ea39421b45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9d862c0fb119b33f312c753b0a1b6a19

SHA1
60adb3ebdbe28feb79f05fccb21dff97dec059e3

SHA256
6f1168feecf2501f0f54953ae357bbac69c6803f7a0d29581c7819dcfd938295

SHA512
7890105eaa800efc2012d501f1f1d703e74ffa731c05dd6271ea175148aebfcb2886b1205c9ecd5ec2bdc1dfb9f02677c793b9c9dc55bf1098a9fa54127262f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
59963e69166261adfd0cc000f9ce48a5

SHA1
60c1b0fe9e95f1b2b41277e4fcbbecc3a4aef5d2

SHA256
fd64d5dee7147eff26ca17bb19d836b243fbbbb5276a9e59e8ec6170ed683bb3

SHA512
3e982d292f62efd02f2aec9e8baf25b04d0d2f55d7ae7c56ea1823085eddf5059e71b7747d15bb145f32b67f6321e07232248bf1857c5d671380e4295f9e98e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
46e3c76348d09d6e3e8890b9889dcebc

SHA1
a9eff55ec0ef45dd8e6d546357c817832144cd25

SHA256
cdc20ac92447ede5c4f090bf838535e5cfc63e701e7771961661710fe2f95208

SHA512
54fffbdb982679f9d3ff58d29f8bf51b57d5be3a99bf249d5a674aff737950850e4791885529f1d5477b601b4e43ef35dcf1b3a3331d4a841beeca5bd9226c3f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dbbea780959a83f4839ca9caca513b7e

SHA1
a4d6c682df6f11678ae6df07ce29ff7b52b6389d

SHA256
d9e4abf79afe506e5349793b5193f1184d48be4a234d219dd3a27bbbce4c4159

SHA512
e2c4ecc9c87ac817c5efd2db393625fc83464e618c7ea83c3eddb6f990ae02542af7af836c3c3a5a463e19748150d1f934e4c10469993874fb5406a7ab458f53

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5e4883b9d4bfdcace49f933447241d5b

SHA1
5593b88861c8ca667b852942349be70cf10f6868

SHA256
7e7c1f3ecbf0dae0077e3fe7061d85ffbaaaaebb28c18599fb2947f4ff9ea357

SHA512
880d19850e62bb6d62ac59eeb71f67a0e5930b546c7227e467518995c0eb8a2ebe10f27cd83cab6dc74e54387c148926b2c5fc96dbddb62137c8e2574590b462

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
74c6f7b47840eafc1d527909acc8b998

SHA1
7ad0f13176d7d6aa423f23fe93c68bc4d9df139f

SHA256
380bbe6a721034449fa9e32c5815667541b038b4a33d5ce46c3cc85e12df62a5

SHA512
849021b9b65caf61e33f9501187c9aca5953a816719afd26a19a0c911344366e6d36c58c5695b6af94392b2c35a1beb0588deb5eea525ee8c86370fd42d1c23b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c7a6323216a0e68d3b31649678eca645

SHA1
f48c932ed74e01c165896a237ccbdf8d64d3f0e7

SHA256
e2515e7e7707e618c2eef1758098b993668bfaf5dd0a7556a863355f0b31e90c

SHA512
8289d2bf8927c34882091fba00ef0265591715a0a1ac0b8788d60eef3beeb8f98559c42d6f2509578e7558d264598ef23f8416b1eb894a5d2a2e071d0e652905

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
088204febaf59b75dd0ea4bdcdbdcf46

SHA1
a8a2969a3ca144a969118283f73ffc0937eaa29a

SHA256
07f27ed21c58294afac7f41cafcb866aeb41f2ecdadbb0ede86281ebba5e9b60

SHA512
119836cb2b4e3ea1a3d0f2613b7ba96f6cb349c84c65e18b06b1ef2322db9beec1d50043e271eb3172fa3d289a6d2c23b910495e8c19a4c0ca74fa3e045604a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7e661a99ee70140abe8df84b4fc7ba3c

SHA1
3d883bbb6dde602622122e8cfca4db2160363e92

SHA256
462b97216bd1d4636ae3d98ad35648e6e23bd0a04c1d55f8ee9f46bbeaf6804e

SHA512
c4ef6846eafa6b2fcecf36bb09e7880310e42782cde4f97528db3226dc31dc8c7ddf680865d1df8a121027cf19dcd358a51a856d347a862e626c37c80deb5b53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
38a4b30a9859701f96b0b4e7ff3a426a

SHA1
b210b2068ae7b951278d9a9fa0a9d8efee47c6ee

SHA256
7f9d268deb08f879827d5c937315174c422ed84b535912ffab8d5407423e50e9

SHA512
48cf57550b8510312b56482cd79165b8ee898d1b172e382320979d9b1f93404af03ea6380eee9a3353a3aa4b6ae473c67d15eba7813e11bee9e4898e157bb999

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
da2004e1784bd2a722cd065cfc186b2a

SHA1
3a65320170fa9fe69c1b343c4e5d3cc565faf1a4

SHA256
ae82f1ddfa5a4798ae00d1d479ad4db93cf75edaf3692c9156c91b7b44af2bb7

SHA512
e9c155d197c33f7044e1d71db83f3d674119b869436bd0705b11b10e15afe20bdbf7dcf3b79d7628c8b29bd658a5a5cf3159316431f4113f92b71f158f6a20c6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d8004c7b2e6be53de7b91a14bc44a67c

SHA1
277cc8e3313756909a4a199585a1d75e6a0911ab

SHA256
d75ec4950808138ab1d01b97f65e2d365ec50177be01744861cf4a2ea1d8f12c

SHA512
c24ee0471bb5feef752df117c3bdf0ac6fa7a7fb7902e8cdd2da098f32f6f627aa1eaf616a65ad8abd11ce7f9f586856e3a584175cc69c23d2f8c56e36db340b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
397cf5635c92124db824e96ef79bafe5

SHA1
6adb0aa1a6c4772180b7bacfde3bf52babe7dff2

SHA256
3cc244f3302798ba134e2b8af2456f7059a10e95c073135866ddc71d385c95cb

SHA512
d9a6a24eed7c9aaf17a2a65043d8642b6781adc885121aaedc396142d4e5103df4dc190031e7a054ad4b1d0c06ed2315c1fe0077903390acb646a6126968fbfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a1b0712448da73fbeae88c39942f1a82

SHA1
c12b0aaf37080cf32c846d281c26cd18cb8b32e2

SHA256
b35c3f640a0a6dea5a0b874de98864123ed3ecd937c65d29a926cdca5e5a98c7

SHA512
1a3e836af1bb2231dbcad26a70ca508be5865b9331be91e0e4c6d66716c7e8977d0785325bc3a5d45b79a6369f15cf6c97d2811f1cc8f096c6ed92b19b146709

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b743f8c2b08127b13440a5822df63f8b

SHA1
665b7641d5bce96706fcfa4274f4c9f70742ce1e

SHA256
deaeaa3297acc206bd824216ce77bf1043f043d7ae79bb5177fb2625fccabebd

SHA512
86ba96981efd8b1aa370c9e0bf63a4ff9a6753c69793846bef8ccb5ecfa053c2913e439c7e9e26c200c440d71e4a42b2a50016b0a1e505d88857777216bda452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fe13c8ca0c6e8bcfc6551d670995f6ac

SHA1
a5dae03723571a9d803702475b71c9a274d0edf3

SHA256
c55cc2920bf69f34a7556ade786fbe9b32e141a67ace5ab2dd7ce5acf34d7a9c

SHA512
55640420f9b768957fee9dc6b42f040078dce9ad001180851131d56ab554bda24006656a1fa6100dd548cad7f07695b6dcf77fac264d4964c680cbbd612cea9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1415c0cf144d0b1c0cd36553543b3065

SHA1
11cf586f2ffe20a5e78188ce616f605458c6f795

SHA256
5fe32ca4889c1c5af163def8e4bbc87f4628899241da2736490507f9afdcc6a8

SHA512
a56fa4fc344ff7863994f9bfab76b3bfe7444d21eb5cbc80b9c2f60287c7794d8e9171f16af6e4a3ec6cc12aefca3799c4ce481dddc5d8b97dd0cab53a725202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8dfb5938ece6cc4d37030cc86123c148

SHA1
90f3adcee382d086e7155e42ace8d57d12a5884f

SHA256
df4c3dcbab6f100fd6a4a85df9d89195c569068435f081d9ba5954f7dc87b2b4

SHA512
a826c43897b2238e3865f7b0d6fa116790b92b8374d525ce2bca353c40cf72f14228def11569ea3dc150f958018e16ffded711d3846d6f0d8ada8ccf80acfc1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fb273e941219d5d7958cddf70d8bde23

SHA1
88c8fc69275fe98a60ed223f11db281f93d0c9e2

SHA256
23f8fc12ecbfe8a519929adee30521aba8e5c7449889b6f98d9bb104eec3ff3f

SHA512
9f63f2c7a9045abe67d00e5498ce02b964a0282d2573201c4a9463e060dd9594139f6e04bec61d91e9cd3966e48c79613b2532f864da53b01aa675d4ece48761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4e8e628592cbc73f828a5b6053eb9ef4

SHA1
6aa94fdc49dc93b5e43bd312eb4ceaa161f5284a

SHA256
e235444c57b98dc901375928ab7e2730397964c7876658a6dbe2e2860fd45474

SHA512
7da22693dac5d6711b3677e5150dde4632f865985e18ba0ed4018b9b11ae762f47a3d7cd9556d0c22b20d378044dc61bab382e52d45da98906148965de7f11d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
35d524ceb3360cb648291d0b26dd5bd9

SHA1
9401b322d27582d70074909d686cabff7f53846b

SHA256
2e96b18003ad97f6918d64505549d805340a73538914840dee056512ee6c9ee7

SHA512
8495f96488dde996491ca4b475bf4c32fa3252a974758d0bc6161fa048c3a79592799e3dabf3abeaddcaa4fbc0dc9819132669111aabbfca66141e3f8617a589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
782e741724720d80a3ffdbd4ba39beae

SHA1
c037d0f0493337382b7f49b0e3fd3efd4cced55d

SHA256
098686ef5faa327d2ea3eb2d62177e3d125fbee5b24b6222999db7cc6409791b

SHA512
dedf2146591e24a7ca3425c22006e0a632ee5b748f2fce6b4ed144ec813fc0dff43ac75b7d38b879487c8c1a225407c3a7e9818ee87b254aafcf258b5a9a3cc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
874576d9a12a307ce60995ed8088564a

SHA1
c8a11e4c9056c6114c3704b07b8eb986e58f0ea0

SHA256
69f0238d343ef86ba7915bbf7b18c5bcd90cf877e9824be5b4d3389d2d01f8e0

SHA512
e26c6c2a26500a9b8f53b052d0c13ecbd6faa7d632558e99a7e5abfa2da0594ea47fc76fbc01676c78ae9bf3a9aaa079b91911e750c715cde954c37dab782fc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1a140af6278cd8ff3b62efced7f218f8

SHA1
7a3810cea97f4f82f619e1cccc659cb0da2b6f2c

SHA256
7be54e6474f907dfe89b4130048c13e7898306ec0822183e8a48b0a4a21c5b5a

SHA512
1fc358c5d0b8f2851664433cefa773354aa3aa05ad1736008a95ed5ccbd8282374734b5734020f2ddd05013b65941b65d78dd1b49d7011171d59d70b34bace48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e66a9317601227db3e4813b0031844b9

SHA1
ca0c95d6438f8fc5a876f1b72088d8bcc7c0a560

SHA256
ec0f9676e63182647107299326cba67bcdfe7cc71bc3fd62a8fef2bb34a540f9

SHA512
0534b9a298d6a369ed6f987a44648ee932166fe93377b02c8ce84f962f9fc9ab236e4d2b12a50ed6ca989bd4a31980897c64c6eb529b246383349caae5372661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3e167a5175603d2fbbe5ddfb76bcab3a

SHA1
e63ab4870eb3a774a786181f1d935c7e92b96003

SHA256
67aba8ced556e9b1c422adade97033a5765fc83a5983581978332a03d04e8742

SHA512
69f17e707f8e7e297d9f0fc6ae280336594874bb643c894ba8350b7baa327a8967e0269f2f101ce7e12a8f5d9293fc84378d76d39ebc0d8cf6e269d83c6c5254

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
65306d6a2feecdd046c575764d41cd82

SHA1
a2b961cf7d819a1cf57403bc408e627e4df72063

SHA256
d6752782d9f4b6f533ed6c8b22fc8a3ba5feaa4cdaa940541ba49bb1345801c3

SHA512
4c6b023c6d5ee1eb9b32fb8489fe0af578cdaf8a3f1fa19e144b51a94d097810f70f8d82be3decfdb8b92befdc328c79e198d28c408f5f563b83cb8b5ea877d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
66ee5afece416f412407b7f050b18bb0

SHA1
e423290cb6f46165ed75acddd7bfd8d488592a54

SHA256
e51a1805511eaea2daf4dbea13918af9a4583755f443254cfa89036c98c2401a

SHA512
639e62cc22ab4f69d9baa21a43e5e44801e4a3b87cd9a5d0fe889247362ce30402590011a10bd00c47a72b412d1d254f4f6830a21a870c9982069a4250ba123d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8387e00092d7e3df3f0b24987e79ad19

SHA1
a29e517022b92e00f47508d41a08ba7262f19848

SHA256
3b97f313aa62c6052bfa686ff95f093b8514f4cc571e546cb71e9eddf1bb327b

SHA512
cb297dc4a5c5ed0e7a3d2d969a0913246e1e29b55a782402a367399cdd21ce454a024e509102f2f07bcd572ead1ebe0f9b0a2831384253cb92314e6d899d5f8e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
69937c898f3db2ba573cf5c26a38f2dc

SHA1
98b8a0569653244c8b8cf135bf9ea2ebdbf0fafc

SHA256
c833147c45779a15d455429dc539bd5a0ed00ef88a502833ff6f2bc678f9f04d

SHA512
050c04347645df77a2ddb0a3c52a1c75a861c4bf451c107c6234486e089af5c9b00257936138385b73a495783701fe3d5080a75ee813173808f2fa61d4978b94

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bc114f2743cdc2813109b7f31a693a6b

SHA1
26b6c4b7792bb13368d3d132e3d4441217bcd448

SHA256
ae7679e3cb56e6f259f3e5ae11f7a408faa3e33682f1810139c6b8f347183330

SHA512
0b88d14e78c048ee963c0006e06f878cb22c817e53f087fc3d10a93960a118a01e6f3f07ebb6772479ab3f9b76546914da966dcd95aed4be3bec6a9966a188d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a05dbf654ee2f4e5ea4fecdd496a5aa5

SHA1
d95968bfe01f0e6c49316a1603f0f8c6451dc166

SHA256
c93f57727a1af0139f4b6a8af544443578bf9cc66bb69700d0636c2495b1ba85

SHA512
ab005b2f10e9c560bd512f100ea0c5a841c8b0c9a668a79861661351ce8f1d3732412856cdbdc84706840de1639f1b382d0beea92e2c5b5849a0f2c369801982

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e4b55ba7fe8560e07b49caa2a8aed63c

SHA1
4501d18e70eb3bec4720da88e3b594671a7ec24b

SHA256
11eac8afb8a1b524a1f48ea89e3d78b11e372cad52b07ad3fa2d53364579fade

SHA512
1f222baf7b822bcc361ad97cb26db46de4ac6822e3394db79c15b605f87b25949f7d0a91b66eab1a6c4f28450ea2350571f3aacaec1195bedbd3623755a2c633

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
647c1c7944853c219386f52f8a73e588

SHA1
4d48b4cbe4fedd44b31845d01fa69b4d241cf27a

SHA256
fc4a9fd472862d4bc486413b364c7e722912a3ec2876be9e4ef0df558d6b7e70

SHA512
792e921352b40ca3ee475bbcb8c5ec7990093537bce5db6beab3507698921fd1396deced379e62aa2b0bee92496923e29110bdc93b07bb4d6e60b59075d069e9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
abbb869804a00dc93655c7b35f61783c

SHA1
22ea22940dad61af957351d56ce0c2376227014a

SHA256
c4483053c040c86a4842dc1385ab723a8dc734d8ad46b5e9fe90591e55b28dbb

SHA512
0658b1d3f9e4386032d0e395ab01ee9de3a4a37797511be0c4433f765b856fca0c405e4a760b2b4b05bbf9ab8d6cdf4a7d52df2addf5bb0bbc94157d949d8420

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2cedf46af4b05d8cf2130bf246cb15bf

SHA1
47e545a2820a7bf08b9a46a360417335feaabe60

SHA256
038d0fd8425a72622c2dbdd96055926caec237c87b319b163080d88054029e43

SHA512
1a308f6c84c84dbd676c3c43531a7ce87c323fad8676e54e13217918c097adb6c7b40f522e6483c991294ccb9b1850f8a58f0f4e29f662f834d9d8f42f03b341

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9e358371b49ceaaebf9798b7a106679a

SHA1
b0fa4f25f544b3ae02cac20d6d3849ff696419f7

SHA256
460cc98f12bac2d2737c99668679295ab3285eb5e653dda2a46964091772493a

SHA512
e9a0a7d262369454ead4592ca4a89046e50fb79788cb9596e5355cd6f4256d5f631edb891c8c6071f221732a91b3e2b8de0081c1873059f3d451e1f9def5e19d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f6f8444ddc3af9c2a8d19f2dbb00c436

SHA1
0eb8cbe525b3ab585c454684d2f6a08fe00935ba

SHA256
5c47082499ac83111265a86e5308f2bff8e86062f2d9f029f646ceea2701e776

SHA512
3efdc714c06ab9e226e934ecd1f790845f747e969d6e5b639ab22a2a2420ae6d95be0f5c5280235cdadbb4d3083f18e0f48ecdfc7a612bdb94619e0eb10338b0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
47dfa992b5761e5b9ccbdd5c31c10dce

SHA1
778bee51d8b6b2fe5e99c2e6531e0fa2b5e4fac5

SHA256
21f222de615045ffae18b6b4a7c5949d26a608e77a68c1ec2b398eed5e523f12

SHA512
e3dd5bcb36557f63e99acaad01aff10c501e3203d4fc7dda995a13257998ff96f84978a9349b75a705aae9c7f61eaa92d57831dd0a990aa2f016527a67c75df0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
254f8e0b2266471ba28b0c67fcf39741

SHA1
a1f7e02eb73a9a755a900cb1acd965d74ad64640

SHA256
b30b057f9124fc3ce1d7d6dcbd51ffbf502b4ad7a9a9062e664273c703302fec

SHA512
578473500d7255c911c80a307e6baee297b05cf069055a248fbc43913d6d5b9d5343862d820ffc393abdca51333ee5dadbb96814095caf0efc321f437f3f1bf7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1d146a81261994195b29cd2b66acad08

SHA1
d8cb7ce61b4328dc76991c5219f97e9e25650317

SHA256
bfd7cf25230be34a3f0efe2ed99a2cd816d37324bb3d3f5da46de475e70d19b2

SHA512
4f483db3b1e87f116497a0c09adaf10367b5294031e8aefd597cdc933c76802190e74a78a261ce43281461a17815873bd58af0fdcc564a1b0b6029f1fa620a4e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7a6201d4c7e18cc12d6866d4dcaa754e

SHA1
92378c7f6703769893fed9efb297eb90aef4a915

SHA256
bf9bbd73e3b4ca3184e22ed266086e887ec2a525f88fdfb93c4c42d32944e2bb

SHA512
c668614e6a4a8a2f26a4ec5b658d3a0df17b0f9c2eb5781e9f0e7d28abb3991eb4c924244196ed76f37d42d5ac7d534a3347b9904985433c543c9f5abe0fe0e1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1a2bbc4915c220158f06661ba49842f3

SHA1
e6063aeebbdbd8a954051a4f77297018c608a50e

SHA256
55dcf61d6cf2d1c184468406e08f89be26d660b4fd9578760235715a3fd67bcc

SHA512
8f6d0f7d7cc0fa043f7596f9daa30cc84506ec69c5ce65a82717eebc363d9c36a87ba6600a3e36ec2fea7f671a0cfd2450222a4734a5b8835b4ccaf55fa0569d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bc63ec323fa92fe3efb7c5237bf7bc0d

SHA1
3ccbe06198f9cf09e90ff49018bcfa88e4f62d3e

SHA256
543080f85f5d77ecca9b32d3f2841f9e4b197b0925e692901ab4b5ceee75bbb0

SHA512
6dfbc4854db5b44f6b66cc30a34b7095abd619c5be42608076114f3f71dc40da672a3333de2b917ec6c2cddb1436cc7ba77d7a87e1b7b2b43db6d9895f55e52f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a589a5a6315a64e4efb4c6f879952616

SHA1
0bf13d7355f80e1b284e77a361fa49d35e7935a1

SHA256
05805af6995748808d92812d436f2c3b65dfbe37e49aebe0cb369a7ecf478aa6

SHA512
fb73e36d48a604130f46272c64e522208c9acf9dc27b1df229380fef6ca3b880c47ad6ed23d5d0c551cca26d5e28b59435b4d2fbc502566586a897863c554b27

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a76cb3e2ae6d6de9c288279c601d4a89

SHA1
dc9a22cef93edcb2cb970cd54af41a5ab98bd36f

SHA256
8572609b79f02348384d04fc08933cc6e6b4c4fc7e4218dc7840f11b18109b43

SHA512
42ef63ad73e39bcde30797398cb2f04bb7bd3475f230f2871d4c0e9d15f750e754304c28e0fe49af1a99f076026f2b5fff3d7a12244e1f80c05e6d73b9d4708d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e52e324b4c3f2bf4c12af9f167704916

SHA1
81d11fbfedbafada7e67b085199fd3b1db7d7cff

SHA256
f7a1a8a78c87b30d8628da80419d4eacb9c99417d50e8ca7ab7652b02c95b347

SHA512
de79dd6531adc9fa0c3015f0d6347dfc72ebbd62e38dc75366973dd1828ce57a279bbfb53bc22768b168ca4e29c63d63557644f31e80ccaef941165cb6a383f6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ca44023b6731a77bdfc741bf8ef236c8

SHA1
5c30d1706c43714f8fc28098cc23f2e36c438ad9

SHA256
b34166fb198786264fb83713cecbed40c6ee10723b8cf4c13346b721a181cab5

SHA512
9d0a5e9dc67c76f799d7e4df34bf2337d51d6ae1f59014b5a389bfa6043067b7b2cdc7cfe96c9cc37064da1577fd86c63bf50a563683ddbd7608d5df9360e10a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5dfd8b5c99b880f18dba7d0ced3fee55

SHA1
77993b814d89c5f3f648df3989a1a2d42c01a17c

SHA256
4c25ba064ac04fee67518b4b4c833e5c799603bbe92aad6d85cba227b7ac6b8c

SHA512
3387123c42ad3c4531b2f473e68dd08c321e4c95166ef3628a2ce11b0d57f7c19d4f892f0e31ce3025edbc453bff6fd33a87690c1a834dbacaf351cb5c2976f1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d2ff7ca743134cab8bf09b9f1b36b943

SHA1
dbbb4dedbb21f16d8cbac1f0a917868ea363743a

SHA256
2884851346af5af772d10443ccc62ec0b687c64c6c897520dd84100139524129

SHA512
9b7d9905d089a45fed19f8431b9660a35c276b0ca8a6552fba2ed1f4cc5d4ad6956f667c245095aeba611e709de8575047e460564ff1a38129d737eab38dcf7d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
209868c284a2ba572c42f59245f451fd

SHA1
712baf042ca32db47913b57dc77bfda2d9596141

SHA256
e0646e593ad5c317791e6856f1736e15a6b3394e2162e8c2b6ca8f7f9324aa43

SHA512
f4a7256945d6dbc3943c1c03a1d691f0c83a369f0c5d8b00ed3894eb45db2166a1e606a1d5cc3acc2edc045c22528ea12fb50098088e362e945c8fed7ec02f50

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7b1d302a08abbf0f41477263bed81179

SHA1
a57811a1a517d877ad78a0cb1a0e1fe7b9a3eeb1

SHA256
20a7db3881584054847a2daa8379b05d60533194bdb53240957e8a6e2f53d61a

SHA512
628fbb2ea5373c4292e1e109f95d02306112e4e984f24663a9b35a113d14d642ea8142f0cb8bc8d47715184f78707fe8b9c47021c183fd10f9710c9b3e174c2b

Download Submit
memory/212-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/212-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/212-128-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/212-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/636-567-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/636-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/804-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/804-566-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/968-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/968-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1080-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1080-91-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1080-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1156-528-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1156-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1356-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1356-557-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1472-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1472-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1472-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1472-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1492-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1492-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1712-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1712-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1720-518-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1720-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1720-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1868-487-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1908-561-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1908-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1916-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1916-565-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2132-560-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2132-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3760-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3760-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3760-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3760-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3760-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3812-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3812-7-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/3812-450-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3812-451-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/3812-110-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3812-1-0x00000000021A0000-0x0000000002200000-memory.dmp

Filesize
384KB

Download
memory/4304-75-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4304-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4304-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4304-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4304-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4324-562-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4404-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4404-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4404-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4540-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4540-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4964-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4964-147-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5004-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5004-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download