3ee4bcb2d54e2257a10087b234af30ae7fd1c3bcd8f9e80ef79405da57da20f8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
Size

648KB
MD5

287abddd35d9913ed17a4438fecdafb0
SHA1

afac445d9536812c78175ce927cb6a1efb983dbb
SHA256

3ee4bcb2d54e2257a10087b234af30ae7fd1c3bcd8f9e80ef79405da57da20f8
SHA512

d65b700317162e02f9344fd598589aa01e7a163b5c7e7797e3847c9422d30c6491f7ae38dcf4effb2685fb47d946235632be747248f7309246ae089dc73c1435
SSDEEP

12288:2qz2DWUaMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:3z2DWISkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2344	alg.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
3944	fxssvc.exe
4196	elevation_service.exe
1560	elevation_service.exe
3780	maintenanceservice.exe
2088	msdtc.exe
4924	OSE.EXE
3208	PerceptionSimulationService.exe
1720	perfhost.exe
3464	locator.exe
2952	SensorDataService.exe
2708	snmptrap.exe
4580	spectrum.exe
3488	ssh-agent.exe
4572	TieringEngineService.exe
2084	AgentService.exe
2300	vds.exe
5096	vssvc.exe
3960	wbengine.exe
3328	WmiApSrv.exe
732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e49126d1293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012ebef926baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000800f35936baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049b7ff936baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a0b92936baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bde56b936baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064373c936baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000936005936baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033e74c936baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe
2560	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	808	287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3944	fxssvc.exe
Token: SeRestorePrivilege	4572	TieringEngineService.exe
Token: SeManageVolumePrivilege	4572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2084	AgentService.exe
Token: SeBackupPrivilege	5096	vssvc.exe
Token: SeRestorePrivilege	5096	vssvc.exe
Token: SeAuditPrivilege	5096	vssvc.exe
Token: SeBackupPrivilege	3960	wbengine.exe
Token: SeRestorePrivilege	3960	wbengine.exe
Token: SeSecurityPrivilege	3960	wbengine.exe
Token: 33	732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	732	SearchIndexer.exe
Token: SeDebugPrivilege	2344	alg.exe
Token: SeDebugPrivilege	2344	alg.exe
Token: SeDebugPrivilege	2344	alg.exe
Token: SeDebugPrivilege	2560	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 5024	732	SearchIndexer.exe	110
PID 732 wrote to memory of 5024	732	SearchIndexer.exe	110
PID 732 wrote to memory of 3780	732	SearchIndexer.exe	111
PID 732 wrote to memory of 3780	732	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\287abddd35d9913ed17a4438fecdafb0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2088

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5024
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
21bcf781bf8201729169b350f2dd59b2

SHA1
8991b819cddc9759463c1c206d2462e5946810f3

SHA256
05c6cbf44359b2ea6d730abcfb301ff913d754135d0d7b65f471c763dd252ed9

SHA512
561f30e1ed62caf0f29ad75f6bc27d8f6a4df0605c2589ce7ae2c85c3474b5e03244e7146d02367e24a7b873658966c4793d956f3b803d2b7a1324c0495b55e1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0e5f70c041812b9439b5fb3973b334ee

SHA1
0a2a3884145fcf32279692791d098ba5e5e6155b

SHA256
ce0e4b0db7e1887471b070c24a37eb9f7a58ac245325070b3c663aa605ffb352

SHA512
61ca53f9c04d217c996717bb09fb950fcd6e1ace49123abe81d17992a045d09e24127a1d3f31cf34fa834169e2de86f616cc64f67c5dac3697192b6299249965

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e9522567bfb45242d269d0faf58eea9a

SHA1
20f097aa841e39d1b9429f942a588c22c86625dc

SHA256
b1dba393864ab13497df245d88e7c923541039b8da231b99ce179a2b4f5e053f

SHA512
2f973065bce6f4cbfb6e9de990b51c29f69074e1dc4846e79e2ba0b35ff5a2a4abfdf9a693edf6690c49729d03026778e76f5a7de061e0a4f48eeecbb414d673

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bcfbebd4d276e21b6b5eb16aa29c63b1

SHA1
1517902c389236f13a7b6e55ee8af8b4f02cdb6d

SHA256
e6688a82e3c154d885062d41b875b219c8f50a0b10eff42d9e2fd21e2a4f6b9b

SHA512
28bf85af9d431ec966bc36f5e795ecbe4e021ea68c470900bda50dd9c4d1ddaf9b9e598a4db77030cc37707a9525b114a5d9bb6807f0c1cf437a270b46171e5d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5a5c6abdc1fca6d57bd71ed32efdb95a

SHA1
ccb3a2915e73e1198c00f0c1e6e951f37b865027

SHA256
079aab4c30d06de87f2826537b5da559daf367676fbf02a102d885cc0b9ca1db

SHA512
a0892bcd96999e54721664ccae3bb15c385c74bffb2e8399b944efe6a5b248ecac8328f0091209de68b65a61b871d85d32cf37c1ec402bdd83504b3cc2d2cfbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1dc859c111076228bdf454f22acd955d

SHA1
aec396012c99d94c0e1360c48ba6bd98502d239f

SHA256
f61060fe3b9e47f18c696c1e22eaa33050e893e3a37b429d5644b94beed4ba73

SHA512
b0dad9447ecb654c1529a06997c60c4f49c58ca197a77f23a86cbc9fe5a4e47e031a724829991688be221025d741df5ed260cc0b1c4291334c49ae4293531311

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5d6e82f710cf791deb14330c13999b30

SHA1
90c27ea59589fc3ef50aeee5f0fc39f7f9d1349b

SHA256
bae1e520219191835fcfc897149233fcfe9322f2ed89be775af083c4fce2818c

SHA512
b91eaaa40d0f96297e719761818348d5e37cd56c6380adad6cef827475d1cae5372e1c994e9a266877d0ba42827e479e1ef47fc5bfb9c97df9a14ce5a86deb2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1cd6b4834180d31c6a982d885cf73621

SHA1
4c3a9e00ed4abe43e084fd0ac22023820e162e82

SHA256
89f9950806c9da3173be91e3ed169b818bbc25836883b7bd8195b7c2757e9a31

SHA512
1f5036acd12d775507da6d91d07024d013dc16d4f759d1aaa21d71c5825350b5f4844640cb6aa6580f8037e0578dd5fc60032c7f205d2bbed3460be06103a942

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a35d935cee8ecb26b6bfcb5cb0d2276e

SHA1
9631f323de028b445065b8ba058b4e59ecba912c

SHA256
4388ffce430738b0bab334f0fc4be0c1e836b6d1fcf3761dcede9d3094a45607

SHA512
8b8c04a9053383366910e0997b9c3b94be85e70f8c20b8b936254f032a2b5078e748bad98a5a6c4ca7769210760d8d0ee142e3ed7de50ae7a53cfca96e3a2e04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7b6cbedce5ecc452d5a2c6b6d915ea0b

SHA1
8fe1e3df80a440f812c996ac73ee49ca458e287c

SHA256
705aedf59ae610c1f7e9cb57f8a404c1fabe75a02e22f6f6cc1a54428151756a

SHA512
6c900532eb6ab42fcaa2a40291aa0dbbf25cb0dd1c0c5f75d46556d9c0e1ff4cacb3cf075b93aae42661df01201ef9e62ddb787fa09e641918ecc501abd2439d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
eb86974c13ce6e8d9f2279d7b41ed1c7

SHA1
74c3435500b0f9b5fb2b467c89ab4a95aa91e9a5

SHA256
811ce78d394cc04ecc7e98237cbcd999e113a2200f4c2b6878f040c7828c96bb

SHA512
faafa8716094b421edd119048555c31fdb73ba1d945531f07adc079b6f99beb92d45a55c2d6733cd634408d725d28a23ef1180986ff831b3828a24232591a025

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c13acd81503d9e782c8c2cbbcbca51d2

SHA1
5d1a80ebecb0f9f2a2b7b449f4051c6c70301008

SHA256
7ef55829c005debf77b04850a79bd08a8b01cba716f02236f5bcd8b291a80365

SHA512
1cb68a2e635b6d7d011b1f72c7f7851952f597e239b866d10827da8f624cd5360a675ef5e258d87481ab266cbabf3decafcb0d8d4ad8c3cedd19a6ceb28a88b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1d962fd3f19287493933052adf95d4c9

SHA1
112c2b97bfd6b2b57489917c9ad026418eb9a001

SHA256
fb4a523e49f9ba76d79c43b655901096c3df2ef94a879968451a16b4cc84a702

SHA512
ef2e5f85fffc2ebe72bcd7ce87651b9824a93afbfba0e7f8ccbf12135c6403fc47f63dff92fd2ad037cc2dd9afbc9ce7d3dd23a79e969db0a30e74419e27585f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c4a1de978dba6f5afb7225fa48501359

SHA1
608ebd9caa9aec920df0fa92be383bd0d4505ea6

SHA256
0226fc9ed5f5460f230e6fc5af3e02ca055f13a0854ed8e9e78512bb0de49ea5

SHA512
79912b451d3c0a8e1067463d8aa55dd352e14a55dbe19e9fd02033c97da0005e13b53a3bf0eea90917da44f8870c4472899f97e36a0e4c8e10ab0b138f707b67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
93c1262ed8ded22850b3b8f3240e098b

SHA1
b68fc96d49fe81cb4e9c80b505157c80bef7cfca

SHA256
838fa5ca48aede9508dbb145f29367b233084d2fafd1cf8ad6dfd11111991ba2

SHA512
d050a612df2d90388c89310ca94ebff55dd2cd49fc021b1e1d16cf9b437f4e51612115a3d34b3ed183f0681f9ceb44ea9f207d09a4b8b607b66402489f35c7f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
648a5362b8f3affa6191a14b37664aa2

SHA1
676baf16eea793af41b262e12a1c6d1e484e00cb

SHA256
73d9abbd5fed3dc2d60bb13d1ee4fb94cb3ff5b633be63bcafa636f1bd63370c

SHA512
fd2a639a8fddfa0b7079227851915df27c8c6bc1e965de4b66f5fcc9cfeadc0b78fea7f9eb664ce99cfeb0590b4c1ca553000158bf525ba2d3ced8465a5b2f81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4530ecd6942fe58bb7aaa43fa5fa4b54

SHA1
7d5e481bea2bb82870232fd25369b9d377cf3b3f

SHA256
d19ccfd282b0f9a6185d177841bc8e03900b20bec129c2c2ad83788a10fb534b

SHA512
49cd9f8d32d9b7c1f5e5adeadb932d10f636e2a685f77bc17bd815537d4ff9c1a8de636804674db34bb81990b2456d68b9b2cf6e37262987c2aae6e93b00b54a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
725ae72e392b549d343d6d923dabe54c

SHA1
fceae6a40d0834d1cce0d08f83ab4bd7d26d1f5c

SHA256
1da20b873155f53da05741d491c2d862eca1652ff967b8222d7f72f12d472f67

SHA512
3ba438938c0f1b18a64a99531beb841d09f63ac24d253cb3d530625ab246b291a968d24ea46dc3f8713e40d83ecc4bebcbafbedfae33123051d0db6f0d5807fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fa8a94fef3a5960beb92a45d79e97adc

SHA1
3dc067ddaa56fc8966b55a0793d89589bb790a1d

SHA256
1efef9e2f25de6b2380ac9492768e1ee1278ed0f197e89325157bfbce84d6a04

SHA512
5cf7fd78c03d6b4cc39a5d1ce1cc8ea1e9e0a2f494042547bb8ad8d4a2a67e98f95bdfa4514a6810873f71914fea877339a7e990123cac8882ef7831e34a6d79

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ef3d06856f68ecb5432361d61fd5447e

SHA1
e601f2f6ff9342b21af3f19743fae0199db2dde7

SHA256
3b775c686865c919d0d328d3143d32573b60ed0424831f39595c89d265b392e0

SHA512
e7e254aead6dec2cf6c1cca1990ed28c4b9cd4d200b84c697b0eeb847eece33f57537aa57bb00292e80414d61fb4e8767471e1edf5631e0116991064dde71805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
825c9c8f7df8eaf0854d5cd7b4f8f80a

SHA1
8763fcad7bb0c45ad60050e7fb73a52a3626df6d

SHA256
5abfa2c618761e7b73e477684949adb23aa703ae0ce193e183cc2f089e90e3c9

SHA512
ac381c29d0f979d0bcff98e736d99b52b20e0f30d33a8003d85ca5f19fb19d9277d740e0169c80f94336be7c5e4a45d8df3a06dd9e3ebf5f3f01081a808a4c21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
96f5eae73bdd18629b89c1d6f2312aa4

SHA1
c341aceb4ef3c7e3761f9a09190bf094cd8df0d5

SHA256
ffae54157eaf9fb2fc4746eb3dd50becbf92ed38b4194e8b1f295f45634fdfe3

SHA512
25dafcf8b680dab6f2e7b34f39d88425cb59e540588b5ef24fbb311852b43f2ae465bb1a13487016e8c5621aebf1469197a1253b59acf5371f94379336df7ff6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
15c5eba83fcff8bc4697794198de9573

SHA1
5693be35a682682c51c7bd2de46968d82f345064

SHA256
474e469bd0c1ca0edc27b7f4558c9711d91b36e35d2d6b1a201b2763c7405659

SHA512
1ae42757420f1afa375456338c1142aba458e88748e6eccc439288388a7b5b1beb9fe863260f019cac36d1697ec819dc9d18c54fce3292f0781220410a798e07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ed3f0a90c98b632011a3e9513633f14d

SHA1
42c18ebebcdcb572a7f892704e372084ba87d038

SHA256
112a311b838206bd6bed6dea31c762d1758d955bda8003e603462dfc9b87bc75

SHA512
5e058489be927104f61ffe7e2da0c67e547b20a37023c9040f09a015533d479bcb18d47acec67bccce5a805c7375042c3a63aa9ca836a1aba34b206c14df6997

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
58c0630e6895920b913b5e39d905872c

SHA1
e12501c15bbe4d43dfaacf121320818ffc053ff9

SHA256
52e4519da69a6d3e9df0ae81acc7e2e09f692db1e318737eb0ef1f5c94582516

SHA512
df6805ca1ab5c5113516bc265c91f625b03617b93781f0f6fecc4dcc6db32fb3a471b9ae7c7120861a6b4a9b2c779cb9caa0c995006351bb3d1fc40cea989b64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f01c470e72e405b858e91a3ad4e5144d

SHA1
d6bec8fca9f6660afa72ad11f59ff242585efc3d

SHA256
2a0d6c343508234ad0866b87a0e98e52180b193dbf58a41a1d898a6972edeafa

SHA512
9bc326406655f03c8e1c1454f65e8855efe9a02ea489d30f4d137ea5d158c30e5562cfa2cfe6ce66473ec8cb1de387385d6b0f78eb36d98a0bc268701b0f8aae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
00a21c79aa1afab0632af912fabfad48

SHA1
3cabdc0ad5cec137ce36c7aee0559cd8dbf227c5

SHA256
db57b2f0464c9adbcb50333559b2295ec98ed900d309adc220b9e31cf9e595a2

SHA512
153d3388b4133e50337dcb3b6a741e6d460e9171f9e087ad787559d23288824ed09e0692f40f2f4ca068c26a62cddae8b5ce23fed46c0af6876210df9a31b619

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a5aaefb1814572698cd11b3b3068c317

SHA1
9b25c3b9afbba6d6d006e949c17ed9a2aaeec168

SHA256
eff5244e3d1ce85e67ec723a47bc174984afc37fbe7c68a4cb6dd37e7dc2258b

SHA512
a4103e8834368b2aeac7bfae5edab8b07272c14fee5b13aa92cf41eaa6f0783774156c9e56b251d82569d7b673318bf3ad2346d921ff720ce9e7ea371f521765

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4eca0e2ddad1da951d242623ff6c3b87

SHA1
dd89f50ab5264928a3c7a921be9550e551786a9f

SHA256
a3cb5344b5af883aff28f41378a648e1cb8ee81eaba1ffb0d5de0cb650d624e3

SHA512
f902c8fb5572abfa7aa2e15454bfb5f25306d24d05843f2a40b6265f51376295bd6a8db38a7632f5524475a40c66934c59401ae9dbc84d530817d08c5157b714

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7783f600b7f518338c9fc2d82b399de0

SHA1
5f1fe1f689df9ae1a2ed84fcc4394620c780fa92

SHA256
68d6c7e2ca6d8d5f43dea0229202867262c7a89ac4ad0037605acd4ee9a67f60

SHA512
c406d374198c2759e2f3f8a44a458dad8097aafb622b520bd2f0112f7a1d0e6f25248cdbeb8ba98c45bc056d6585a698eff841bef4f12c0a214ac68a8a583849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1741d0041bfa9b1d8ada16306c8a3d45

SHA1
cb3bd1542918a6f7e439c06396e4395708d1ad96

SHA256
b52019ed5a7b963f97923ca6d65db9400b19a27fc4bdd50018137a6454a62819

SHA512
846e12cf50ab0b495e7455443ea3a43141eccbd33694144ddb34c2323bc814b432034f428bf179fdd2d56ca53e06b989c31d66a2102b1d25dc77d167983b1fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ae94916858ebc1461bd3d6c869325587

SHA1
7f81b70e51e7ab35f3b11a27faaf0e83e7a9e273

SHA256
e153d2b1902b67ba23ac11ec542c0aad4602f231d14684a8a18a2ca262a7a0f4

SHA512
04f09769d4f7af496d687486442662f2906f21ece98cf866e28ff9975369020a63f3ecbf5b7fe6a9f77ebce3fe0a7b6774903ec2faa08bef177678e82dca4f72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
166665aeae944329fb4173e40312666b

SHA1
1bf8cd34b2e9f930aa0d8d49d08a3733e2b86411

SHA256
ef6ecfdbc56280ec698d235b577a5945ec287b3bfcda5426d745a7e693cee59c

SHA512
ae8a5ea32d34abaa4ec0d948b15db6097c0978409423a96a396f282228335344bd403f2cba99bb59345c41c96c807ef7466df1cd953642d5ae83c258b6a66178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ecc7b7b213aa7e9698af4a7be3d3eae2

SHA1
bab6228dc2293d12c50a85b33adb4389bca430ae

SHA256
1fb6da943121566b1adb30b10f371146d1a5ab8351bce4fba257f29a5be0ad15

SHA512
58508974f26c3401b37b603b508c25f93b5573260f1d28634df702d86add9d8ba301c370b25921d44536113204f6a057659afe222a53acc5da82ffa7920a67cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
71fd10149baa42ba2bffcb9ac291df97

SHA1
8a75bd8e6ffc6bbad032ae5b2a4d52847cc931a0

SHA256
ca5f45651e714f586212d8c2c3d72e45c0c853173430993a659b211d30e4d2c8

SHA512
7906cc8c64060f2f61ff69eeb7ac8afc0e7cf22ca513cde590ce890b2eb02e859961893dac55d76beeb4640128d41c88c6d26752b623f7a39d780c808fe9deb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bfb7b9c88762df2fd52af7b6d87620cd

SHA1
e00c685628e9ef9b6c571b99d5163af042f04d0f

SHA256
456d04510f29801dcf558c6e6223eb9ad457f6493f587bd8f4cabe02523a80c8

SHA512
2dd4e063ae3566b0d2e02b640dfe63d9a4d74e1a797cfad67bbcddf1de34834d1bb0744ac468cedc2277e29b17e415b5fc0b4a005ddc6dbd148466d612819d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
013a347274984c91bb747cd94f4ae235

SHA1
3308631a77e69035f46966f603e24691e3b500ad

SHA256
b3a291f4379a9c3237638ae45a9b9266d6b23f80e1cdf07821a0315cbd927de6

SHA512
e073f705b9722be183334f3c1793804573d76fb806f1f4c5cdb31ab17131fa01500863ea9c8bb8adf21a57b91e893171d75e6a56f1009161c0adc47a165fdf97

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a32015b9945834586c20f57bece6ca90

SHA1
2dac01e3f7414f095ef32d090c2da38a5b0d8eb2

SHA256
8ef062afa412e65a98c7bad95c01353e1f5180205cd5d36a4adcd39ac1c4a66f

SHA512
edf41e7acf54fec6b4a8039e2636d42e52b905e99058fdc2bd5560c6295973ab2913b97ab908e7daeb666940f6892cf4f5818f921348c6c01353dda00f78d400

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2aafed5216250e5d398ee4e8ba39c5a2

SHA1
409877f3881a3ed534b292069c8569ff95930a58

SHA256
dbc7bc0727d36bd5bfee4f6a1d8dc2a6caa740ce123633eec60123ef6a4203e3

SHA512
39ec21a7058914a9eb386cae1152c4734b88ba9b0341979359bad57c436e000933d3247ebc45b93633b03cb8cb07e5564b55161a63c316b83dacd74bbdf79ada

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
857fe0ac1e4ca6fde96c3de73d948397

SHA1
20ff44de629e75ef9affddb3e2bf64e540d594d0

SHA256
ba9d69966e826128edfcad2ce4210ae461f532eb6df84fa6d04f363ea65f1944

SHA512
ee26cb7801c4d5bee22622804b84e627530b834a6d4e9da434252ff6da3b331d6663c55593620c523a0eba91b81f0af6d56a1987ee9c4ced9b923f322fc75a22

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
92349b58e6557ef88f448bf3279a3dc8

SHA1
628e02fdadba53497b9b5269c4b52de88949bfa9

SHA256
80c8bfe3281353cab08a13d8b9f29e3e6402b39b3c92afd82914eb8b6197837e

SHA512
52c914455bacb0629fe2007c3906dcfe4bf5ba1ea4e92285834b8a9c556543814945f5e7a5dd25244517fefaf0ab54f763882fe1dbeb049af3f5594a2727a8f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0aeacdb561fcbdcce2d110e04b0bb14c

SHA1
5121a674ddcd07ee565cf5a56a56a363bcb107c4

SHA256
4198b7ebcb509638031cb2231eb49c1677cde6fd6229b36af9a01132012a4362

SHA512
921bee25a4f5813256fa7e6e5ab800e4f7d94f3a2b3ee31f670f7e25946ec7ccde9b419183e427dc1fef56c4b62b9e0e5f73d9f7ac3fe6c93e8b342a3157b964

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
72e01fbac383c5b95a0186ecebfb6836

SHA1
f98ec07cebdb67701a104e4add29123f8f370211

SHA256
7021b8442dc8e463cfaa9aa3a535ba7674773327d8772f49045ad7587b288763

SHA512
8815aafb6f438c0d6b8d65af73e81f615dfb19f854cbe96f3ed7f18dd46d50c404e4a6fedefb86bf6027b408d49cd463afb3b9e040c3c0f6dc17071e5069f0ee

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
062dba28a835e0856ace49b6b5c44cda

SHA1
553247a5340bd984e6fe5ceb71173ec9ae9ec394

SHA256
d80e052d0d5bdcf96025d515932b75e4cf80c433ad1c283dfa157c92021e3d48

SHA512
25ced2277c2ab3469001c7acb6d06c62427e2f947d83184d89e09ed1078aa043d041fe20966a051b0bd6af16560372665cc0d8026e209c265e278540fbb4b388

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
319b4747c3cae1dffa4169db6dca2d6b

SHA1
58d40c2d71b03da2f5f1c2e625334cee2cfcd8c9

SHA256
2c58bec51f26434b4c18a780a200c43e07c92d4dcd6ba103df811105a5677404

SHA512
f7cf2292030466f24a21fb36d40c034ac3b3870b108b0c41b379e6388494ac51b4116c60d06f25c25e8815a3933ed88218b07650da4c918062a8cc928d8b96db

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
298cdac487381bbc61a5df8b7752c2fb

SHA1
11212ddabf3d2b6c2a5508e8868ff35a15befb0d

SHA256
031c8453b31d81682a188c2f8830ed3fe72e705e625ae41d020aa0aad0d7eebf

SHA512
7a093de1234b12efd63b7ea0f3fbc0d3591dcfcb8d24c1b79c6f7ffc04bf2a652bc3e2c67e4c08412d41d8c054fee0b0f98b19f31a8ef89649357d0fac9da146

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c9cbea4944b8eeef4c6c82df2e3daede

SHA1
f68d9c305380a2a5155c41932049da5df0d5d72f

SHA256
36b8249a9d1122eff1539aeb1de0a2e239c83eca0cd2153ff1149102e47deb29

SHA512
dd53fb3f2a109da800dc1368015bcbae5cd1398d02cae5a9cde91f4742f523cbb4417e1e5e1a4d74abdda875f4feba409644bf46ea9a5e6425ce563c180e3bf9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f3ed2a55f581b91830ba971ff0e19a9

SHA1
1fa28b7be14176490b470dbaaa84aa6056d483ac

SHA256
37d00e1cbb2a79d23bacb2003540cef725bc54a30796a4f430ddb37c0c82918f

SHA512
b96dd5cd0383c283c8ef97d4d1b860b5e85122488f3d63689ff34be8701a2eb56cf3e16196712445ae040f3ad64537136b74002e7d76b4a60288b3140d257be8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
16d2058e5c50ff6d0868b76a648def90

SHA1
df083f95a140fea37a7173c68af3975a70aef3c4

SHA256
a7268483b0b2130db7b984e6e3c0298c3fe8950cb964566befb64b5f54fec345

SHA512
d011252a97a5289e314ff08612f315d67102e04dd494abbee74ca216ae33350cb56a237eff3f4b3c3d5337d89599b6c2e7e37831f840da534acc9e79807fcf3c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
743766c3c1abb594f0459e831a6d7889

SHA1
7caad52e9fc230a3cb1d1c831ca567c5d70aba3a

SHA256
8a386b93605b167de4c7ce64950ae72738f3dafaf14b39bf50bf384d3da7e15d

SHA512
2a1a048bcb81f5fc85f7e069fc6cf50d93c957807fe350e8209f87dda90cc189cf4691d61a6a60ea2653e9bfe28bb9eb96417f43e1bd493a000fc92554281e22

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5597db3a0f764f685986e04650e52f29

SHA1
8dcca0c5037ddb4b6405cc1e3cb573048e161a69

SHA256
0e8b419a0caac58fcb17fe7dac775572205e501fd8fac7dc675576a5554418ed

SHA512
96a41e85bed40bc7e089a004c6954699073fc9324d73d435aea4c5463034ddf7f3d0f931101e57c4e518847280c00653f7ec7dbe843292a695e4277a348723d2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2fcfe3453730967341cc6a5ea31df574

SHA1
3d99e198bca075468552c0898d3260f4d699e410

SHA256
7ee40504f994ebd723d3b8a297bc0018bf3f35e2c7753100e41166b0f15316b6

SHA512
356b5e2b0082347f4b1864dd7c6a329821d6dd0f7887599282cc1cd366e255cc5e815b941c09938baec858ae0e14caaca5ecda4a6de88a61220dc57c2aff140b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ee747b62385593dfda7da257e9c845a2

SHA1
05e6e97668a49276d710b9b67fff0fbc7c23b2c4

SHA256
9ddc55aa0af2ff1dfab4985cab34e49e50eae2dedad57ba2a818e6314acb4d4c

SHA512
68f6889e2a7e47123424cce774c8b4954235f24abed30c3492345a98bc2eb2658012547f609942f5c72214ef6d5d5ce92b2a9c956da4584777f0843635cbf880

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5f26b6ef0fa788b433706621d81e7bcc

SHA1
148e0e2045b2d7cd13b3384365a8fa2c65ff9147

SHA256
53002d6d9ee0dd2ece3e904b747cfbc02c9ce6808729a48055587218435440eb

SHA512
d82a49af5f6f3b8a7e8e8ecc5cd24a961cc10f60f500209b719db9f6c552c278ad0f7ed285d4bfd6a6948f3f6dd47db295025a1f6db2c3417d8505c220dcccde

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dfb8766a3c60869c6f3f504fe9abc69c

SHA1
d1123607a636adbd168ff150cecb25962360cb43

SHA256
72bb9388ab6fef9a14de6e09068095b8413185d433af5262d282bff4d0c95712

SHA512
2efe1a394488716273cc5c7a6231b487447064682e90614ad19f359ec5b15de33f87d7fe51866eecd5e464ea79080566bcde820865701c47cd76316386cb05e1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7d76d7019514c3478af527b6115a4d7e

SHA1
d27acdf6590b3195c32fe507a9fcce1076b2018c

SHA256
dbf93459bec7cf214f673d061d743467b711297022b044f954d996ef7a7812d5

SHA512
59441c3985a2f9b11390a005ea0835e4e0b4d4c0119768fe2c2f42a881bc4ddd5c170d5a9a2d1683a8d98dd047bb20d67e05f6f7d822d370ee7521e92aaf7ee9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4fa54dd1905eb270c7614689f11ba265

SHA1
b2e980df13e4204c95bc49e101e5e621c34cc816

SHA256
d72eb3e02cd5d92114430da779fb3e11831e7f16a88334dfa3587bdd09b67e6e

SHA512
c740eafcb461614346a1b66c57152ee7a470e083f72c0999d00ead12b50bb17db18d7ac9eab30b74c801387eb08d60667f80003dcccca021a99fa504e8ddf6db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
13ae8d392d84595768861818cbc064d2

SHA1
6eb02409e1c885b45ae3ace8a30758ca3c43ffdd

SHA256
b121b11c4a5f3127a99dcadc0fff7f76259b9eb05aa6ee1111e71f52f854103a

SHA512
6304418c661938a31e9b9a737d3e5ece18367f49c012e40efb0a9845c3f997a242b02e421b80b44156ddee6a825ba83533605d7b924835040349a0b36f9af668

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6c317ce456be5a61d30c60c3b57642e1

SHA1
f38aa9cec884185d3f266ff8cf75c97909fc5301

SHA256
8ac9709c04e96c37e1a75abdb6b8a0c0037d9fabd179458deb6f9a46f926a5f5

SHA512
69f2929261527a63595687994fc42a89c6a391c9879c3d692e9db7a42cd596108c348cbdcf9c83c69504cf3c70f10d89afdebd2ad803efce026aee479b874f55

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b805ec1cf567dcf08327d7f95fa2deff

SHA1
86dadd48ac6fe43cfec2e218591a9a847a801238

SHA256
d14e13298c28371686f79c8fbc98bc8923e5941f76a98b98b8d9c6bf99a71028

SHA512
dc7aac63db97a42411005f812dae167dd54d875514e7220419efd4e1408144d98261f67dc7d8ee74c7982ac656206802e412d85b36cff789f70615fc11a179c7

Download Submit
memory/732-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/732-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/808-522-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/808-275-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/808-1-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/808-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/808-521-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/808-7-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/1560-634-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1560-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1560-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1560-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1720-207-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2084-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2088-90-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2088-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2300-276-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2344-516-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2344-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2344-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2560-517-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2560-35-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2560-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2560-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2708-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2952-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-205-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3328-636-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3328-279-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3464-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3488-212-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3780-76-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3780-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3780-86-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3780-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3944-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3944-63-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3944-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3944-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3944-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3960-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4196-631-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4196-56-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4196-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4196-50-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4572-215-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4580-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-635-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4924-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5096-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download