98ef3f24a08470b4483eb7f9df29a209bda381fc9358a74c2e87a3101e3677d3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
Size

625KB
MD5

af35fc33cdaeb37b70f4667e7f1150a0
SHA1

ee7834a99a9463463fcac1b4a527bb0199be6071
SHA256

98ef3f24a08470b4483eb7f9df29a209bda381fc9358a74c2e87a3101e3677d3
SHA512

2cb3abf785ea511a8015444729f0dedc5a49e242f2af2a624754f3d2fdb9c63a70560a32bef75929470355babd7b7898ef9e15b0ee748b9aa14e0b0d4bcd9d05
SSDEEP

12288:Y2GMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:lzSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3188	alg.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
964	fxssvc.exe
1724	elevation_service.exe
428	elevation_service.exe
4164	maintenanceservice.exe
3476	msdtc.exe
1440	OSE.EXE
1808	PerceptionSimulationService.exe
1336	perfhost.exe
4364	locator.exe
1800	SensorDataService.exe
1660	snmptrap.exe
3492	spectrum.exe
2568	ssh-agent.exe
4956	TieringEngineService.exe
2152	AgentService.exe
3856	vds.exe
3576	vssvc.exe
4744	wbengine.exe
768	WmiApSrv.exe
4100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f70c667ae703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012322d7f7baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030b4fe827baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c2209827baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041c403807baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089030d837baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a3c27837baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000179dfc7f7baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4000	af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
Token: SeAuditPrivilege	964	fxssvc.exe
Token: SeRestorePrivilege	4956	TieringEngineService.exe
Token: SeManageVolumePrivilege	4956	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2152	AgentService.exe
Token: SeBackupPrivilege	3576	vssvc.exe
Token: SeRestorePrivilege	3576	vssvc.exe
Token: SeAuditPrivilege	3576	vssvc.exe
Token: SeBackupPrivilege	4744	wbengine.exe
Token: SeRestorePrivilege	4744	wbengine.exe
Token: SeSecurityPrivilege	4744	wbengine.exe
Token: 33	4100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeDebugPrivilege	3188	alg.exe
Token: SeDebugPrivilege	3188	alg.exe
Token: SeDebugPrivilege	3188	alg.exe
Token: SeDebugPrivilege	2424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3004	4100	SearchIndexer.exe	110
PID 4100 wrote to memory of 3004	4100	SearchIndexer.exe	110
PID 4100 wrote to memory of 1664	4100	SearchIndexer.exe	111
PID 4100 wrote to memory of 1664	4100	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\af35fc33cdaeb37b70f4667e7f1150a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4508

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c0ef67865b045b5235e8f4ea0b085e7f

SHA1
a2ec1157b0571f8324f5fcbfc6dd9db093ea5f73

SHA256
2c96929370ef1d8425cb686f9a12452d476eb8861c67d0575d43b4012940249a

SHA512
334abf72a0f240fc992a0f832a4ddf30dab2e7751a0bdc585575aaed4ea53fb79eb7d2c8860f7066d4b41ed9383648f66b71c8b3067062d2cc756a3ff0e5f38e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
40c7e357648b37797f1ee9f000f0f496

SHA1
b8bfc0cda1731d56c2298c5baeef6fed0b39eb4d

SHA256
0e2c81705886ecb9217a459a9da4f80c59f8bb7f1daf4d8a60c33322b4b9db34

SHA512
5a04f1b291ddc25ac36b1ea7c297d7f5ea497b7f9defbf033bf9266d164bcef54350b5eb22c3a48804e6473097965b8e36d1b6ee98675ad5af220000ac2b6d90

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a547e853f096517be2828c03a64c3511

SHA1
8246d19f0318f120be19f6787114139f19a109c1

SHA256
02283fc1ead0f9e73e051bbbfc6db8751c832ceaab976dc037e6be8731675685

SHA512
16abc3ea70886f91caa6d8d1adb5760f3535bef876a8f3b8574d3b8695fac84d8229b59ee23f83a39785e0379e8d4f99a2a8f896c903b4e69683cb4397cf8569

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3f09f76b74263367c7b5fabf08ed6777

SHA1
e637cb0b793ad20b009e1a8be61562ba821a822d

SHA256
534f6bb320884b235b38e13cc67e33ae9eb14da449da1db115d8ba8b9fb90d1f

SHA512
f4ea245334ea7bb8655be383af7fd1ad5aa62d3eeb4ad5c963e7053fa3ca8159d6de0c6de2d108e2440cbcfc87d5115c6aa3c413b7c50aa4bcd49ed2545eae9f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ba73169ab27ea5db86a137939e209276

SHA1
92c3f241ffbadf198de8d6f97bf22cd70d50eaef

SHA256
9babcb4f31b1ab68a054571cab3fa4aba50f6cd0371a2752f6aecd889e12f589

SHA512
f29d30a77703a233026aa828aeb976beb91d01acd7a651bb36ab56cdf83ae99f04d94773f9bac84773b045ea2bbfdb2f8523cb9bc1f419915606ba441edbf65c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
141e94efad19f89c1ab7fb2aaaaa2c74

SHA1
b65dbb4afdba19197334ad06519740d494ea6955

SHA256
f8b774b233a157b06477d1a5d038e80c850c99ab14c9e4f02575a58b3c5aa3dc

SHA512
8602432713b323d526923d471cbdff3f9b2dfef8e2de501fbef44ee049d1e02b503140743caafd744ac56b01a8c959a24998c2ba56dc4da1b5df5d0135933865

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
efa907dbbc1399f48a765f015f42ab6b

SHA1
49e29b9171f9c9a119f38973b9624d7986af7d72

SHA256
e810de9edddadfbbc89c38cff0f10bff217fea50d86948ba3248cf6955850b71

SHA512
7d5b4b011bc825c902f09d6785b3a096d1df45603eaf696461a16b9adf8fe487edaf4a8a399bbe98e996b31db61bebe606121b717935f4301a7185f276664d02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
79d6a708ab9fa8925e1ce9fd42daffa0

SHA1
fa4179632bb8384ec71ed4d22bb9701c30b31c31

SHA256
cac5f653cb088d8dae0b0d19bbdf3be0d94aa7a47ef92ef32aa25c83ca126fb1

SHA512
3289da2178d89398fd6e2e133427307807d0f5fd7ebc5c342fabf44191552d777d3604fb6a94df663a21f8c51ccc94b41581c499474fa8cb77c821109475f58f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c56631ac5ec476421b36aff6d2c30398

SHA1
5e62e7a3ebb00788b0f491aeb02648294df12f5c

SHA256
1d7d895ccacfcc6e2bbe588db53ad34e829e37cf34297e1d39135a5e4b290a06

SHA512
6f661d2ebaadf455076cfadbe01557e516db7a6773780d4afe61ace8dbc09319cdb873d0242f4a96fcbb7d73ec80432b79445c4b3d370d3c2ae47705893343ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a7041024e03241ae1b73e5e91a5eac73

SHA1
585a4b4691d7f4a0ca280b87212f58ffe9a4277d

SHA256
012f4b813f3221bff230c69fed27475bc2d1e499944e1623d0adc68aadc215d1

SHA512
0de10ec03d493a8cbc098a2f22291bba804065910a777c60a2eb2920302838f117190affa34501386d2ad4130dba137b682fada7067e28252c6f28876dab875c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b77a536bce0d69001fb85e44029df1df

SHA1
79727a7a64e5b7f3235e84ae12764345d8aaae05

SHA256
43bf6c242b9b79c3cd52c28ca0c7affbc7a22761a132f859c2630e79e7960a32

SHA512
0daba17d1da1ee0a33bb657c97f7139e10812a9814dc96fd0e355388752051a57a1a4e47872352719f07f56590fc566731bdc98d4327461a010eb853e742efbb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
640aa450f15a4d5cb1161d273f41db20

SHA1
82c958e3db0c12735162a00776449488a7ac6ebf

SHA256
8319826ef3224f9ec0ca60a50faf307e03fe8ce088801d2bf17ce2ce7d3ba1b8

SHA512
72493b4598c539aa65462109695244c8fca384d0b7a0cd54f21beda244f94485dce68cd053b2f44548cf21e51ed2254a4fedad766be4178954f95f7a1236c049

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
95fc645a5b09b72c972cf3d971fb96c0

SHA1
c221835c47f0a22c91a76bdcea6cce380f7da4dd

SHA256
181a6aa0ae2bebad591eebbfcbbc2d5b3cce254f7615b76484f5156b53cbcc35

SHA512
5bacdcfd8f81e9462d9dfc44a6cd2f44e199f01f2f913feecd8c6e8894e3ef26da0e1386c71976b6a6ef1423906d1f21b6456387fea515f7cbd4991db701914a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
931eb2a7c44b14a0c3aac8f2c4a94993

SHA1
696ca20071b59e3d12764dcaf4379f2d428bc3f9

SHA256
3b908c16b71d7ba5665706db22dfc2d1d2cb6198144ed046c10411153b88dd91

SHA512
c9093d2a766073ae068be8191bec8640c75f244a19dc814bc45552dbf91ab14d0b450cfbbfea7e12917044ad61e8efcd9581321c6a96710058e45af942153239

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4e4e506ecb3a3bdffbaa71c7d00f0833

SHA1
65e2619eac8e97ef2d29a2cbd6ccbb3687d46a28

SHA256
784a392740d22d1d2b2a3990f73edfcfc1ba30b7f86105a7b49926f968d7ebb7

SHA512
b7ea87696ea6b5dab9f35f105e412a3449c0c081dd00d6b5d55c819537eb44fddd255056ff31d3568d77d9fddfc95cc36d3eab90aaa8575f9d0bc16526e07700

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
309cefb8a34be65fc27f4e31ef644034

SHA1
d05b9b7ce6da9f605ddcdc262b2ee905b410573d

SHA256
651ad24a0353807fed08d709238c870d2e88dadcc524528d5cd1d1aae1557aa1

SHA512
1ccc2c05a6114566062bb64758808d1264ebc4562a56afbf8288394909b0103aa68feacd0580703d2d1d8e86e8c775d07593bb705ef4f30c55f3fcc89effa5e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c78c88db7ae2cf0e101823b919b01f01

SHA1
7ad3b12b9d18320d014b423511fcf73d067b04fe

SHA256
8b5262309a02226e4dc4cca0dc94f1fc525b08256c92ea3c313b0cd4755d7755

SHA512
7eac10ae8082dd256de1618c099fe67f94eab4609652e6ce3ab0a1d8bf74f6ff34132db6bb02452abbba48915a5d41cecf657abb10a1f132b4d2e0a40c680518

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
26d87faeaab5a183ceeaf929422987e1

SHA1
d9d94d4fb34414cb1ff0917c92f7ef1aab3611f9

SHA256
81be4ebe762a4103d06d024c1112e94414366840424b5406902383268860dc23

SHA512
72afa89639b631214d6a4971ef63061113b9808147a1956ea1c48af2555173f9d633b4eda5b04eb2066809bc9220ba89acf1f69036db5b6abad447715fac8f4c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c105d0d97fcd9d3b377220bf4da3efff

SHA1
7135b597bc9dd73d31fd3c8e3959c64b48a8746b

SHA256
e0e8f77c3df2020355efd69d715e00959b8c7084acb79d0c6d4671efcdf14b66

SHA512
f573ba22b59ba777459b0fff7d51c4752d247089f1f13ac7f087283972dc94f03fed2f50f0c500f3de1c5c23b2cb48dbf93cfd56cd0ccae9ce850e25d9f2c449

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
396873e9b014e908f67e680283c70061

SHA1
420bc073541db90e3f9d6e0501a0aa5623745c4e

SHA256
f83bfbf6e8ffcd0566df5ceac09be0483c30abde06be7b42a9c4dd94df5b456a

SHA512
6257d69fd714ba701bec6f9f7c548979c526221b950c5318d6691603f329bf4a3d96edbbf0200ef55464b1ea738fdbee8faaa706bd143928aab26d0cfac9db30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c937d3752913fa20c3417d7fb2782961

SHA1
b9400526f0f7245627f9d9ef36df561e21d535e3

SHA256
69eb5923e4d15e721810d0fa039e09213b622cccb7d87069407ba6d9ea1570bb

SHA512
f299a8329fb4c0e121629ebec55554da3d006280f08a991cb4350a666984d4c3a76e6e0e76da340a1a6fbf4cb4aec0b50c93e516ca945c783c164f33cfcda8ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
143add8ea87e599b78d3d8d7e2030f4a

SHA1
1812f269645465a166e87c0d6c858544d6937591

SHA256
09a6847451cef0a85ed5c926e621b66e900b75c0f98b8849ff36a66f07e6e0b6

SHA512
9b332d5477eaef169169fad826abf3a88dc954de4d6cc20ed88a804e20574bac0234a37bbf56c002e14804928c6dc1b103b97d1f96088a8881b073d21fe1b6a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cc1e066c6fa6c5a796193d2358547b80

SHA1
70b136cfaa71dcbae72c7cfa2d21fc33000f76a4

SHA256
5ecce36da777cb8abfb147e0c46b21dd682513e9a327ddeb62069432d65adde1

SHA512
45d371af2cef938b69ea3384ef0082a55f810a9a3a0e41ce4afef3c6483c93f70f4c1da38e45273abe6d94717c7e41a23306c82008d84bf8afd204217ce2333b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e7881e576230253d41a6440ba00cb9d9

SHA1
896862a5ca5dafb3db9e311ed1061e3c0e06fbb3

SHA256
4ef3755413c73c6df9b4e5064f514f99e164b96224994b1dbb3bba4d1a8999e4

SHA512
2800ab498450e41ceab676be24a16eed2f4095157a2c1045b0680e7568f9d9e1aa152f96f2b47c153a2b59a394228706be8d59d50e45f7820ba4f016f6a78ede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
752e457be4d2f43b262bb540855a8fb7

SHA1
14a8fc21020bb1eb1c9debe8794076bd4450340c

SHA256
258b5e0090088ba93c2a26122efb811e80f24fc9e0c3805bc9d3985a328cc82e

SHA512
f06d91d63792644dadc41ff5535f32c60aeb11a9867245e8bdf8e9e9034ee63ffa7267abe57732085baeaa03ee67e5663c299f0513f12aa82d1306c55cd4a102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
780d9a3f36d41ec8bf197d71a1a7c688

SHA1
b692ed8141a56804fe86ef748620b6374e8a5a7d

SHA256
d7454d51a45e2455ef8483355b6cfbb50e01af5843dd94376c661a7c82c7f47a

SHA512
ba27085669a1961f1f99b3d2d4825086c2719b3945c37d1604acec16a798496a2928808bafedfe1a1c309da6714ffbc61b8b5d373726e42638fbd3eba56c451c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8237a18c0542df676b8ee23c5c51be57

SHA1
caecc0b81750571a30e02570535cc078343f3fc5

SHA256
02fda5a613b92037483ef8ceea25bdf710cb9d955ffbbea4aa496906c58169a3

SHA512
1811bf43c0d263e6b55ce202d1056e228713fcba6a1952415af1974956d538534276957d8267b260877ad7ecfcbec85f860334038b464273294938893e00d173

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8899fb1559ded7d9d213292de80de3de

SHA1
18bd602cb63824ac457895b0fb0817c4bf493dbc

SHA256
205e8d513200b72fff77972395b5515ca86c5376e0e63e0975ef6466776e76fd

SHA512
9b91eb6c26867244f0b457cc095ba2397967cbb97bf526f0eaadbe48276b4ca5d36e33d419ea343e1e8f45db7d0c49d89dc28bb7e26b19c6c8f52533d2982a0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
af428f425d274eba460c746aa4894947

SHA1
395a4d3ddfe544b48ab4fc954b6ffec1b686d8be

SHA256
e3584bb891e5161ad583c451002fe52409599f446f8cbc82bc9c5b0f60a781d2

SHA512
43e541fb0f09203d08db9bc6b9b24b58b2743b84e91721e762c8f57d89c25697b36ae77001edc7f95ffa3a1c1d58dee10ee8e15d462282fcc94f0ee4e88267de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ee0497427adb96d17259f3ae80e6b9ed

SHA1
bd84334e783d7272a7f728778ebbb54b1d62c26a

SHA256
f560b6b7483e35f9e436535cb865ff2f3ac590b45ee894a4e861710a477441ce

SHA512
5df57f45864c8abd19668cec2c04da7328f5e59c056973f141a443308717a63cb415064ff2079d57006f84b98619572ea0aa30dc9d5b4d66d2fb099e637ce16f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
24fee2099d5dda1a1802366a428867fb

SHA1
6621d3085c5ddb72b35c050080e7a0f5861af2ee

SHA256
927aa606fcc013607d4f6cb609dc47e4bce46bdde3d2b5528aa784e87cb124c4

SHA512
be661deeef13f1e7d46dc4c782734a1f94e332adc0403eb9f1633e3fb452be7f875fd29afd7a846d31a892daab878be054f69bf5c8273a6316323ffeaf5fd7a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3f27a755ad1175d601b0841647856adc

SHA1
614f6f3d777d4df238a1f400f251f3da7d00bd9a

SHA256
a3a0be1fb445b9a08881e8fc42ec220f88bfbab65149153282bd805ccaab2de5

SHA512
da39b65a4894a5ca11ad84c80b1568bc53fff7179b8cf402885e5936d44632c5361d80fef0b61ce44e17ab3802d8b93136a1c5846d55e73dc5d62db81fd6773e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1137a0a3353be31e3e308ed3efc7a891

SHA1
6a6e360d9cea84fb9be0c2a74ba584cb6cd2ee3e

SHA256
086e3d2fc3b7b17dfb5027c95ab948794ac30262ac9e3aea6dfec195553be001

SHA512
e91f48e4ad27d76981ed2894234c732a1024b7500d55df7fd737123b110fb2365a7d685850800fa81a4a8e7402a39a380a99be11186fd03f3740fcc698ee575c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
df56adc931be033bc74c4b844f35fe41

SHA1
2441c82b668f93b24d4fa72066be73b5c4bfc952

SHA256
62cd1ac924ceb4387dbc8fc249c83b1e91f7284ff5846df76cbbf1a64d222e47

SHA512
bcf8e56b380efa8786a16c29db351939abb7e7b130382a4e12404276dccb3a06965735db62d114ea62ebb5809386aa0739ebf7a4e4b9915b241e88db6c3e283a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d7dd051362924cf4e4114054e9aef9a9

SHA1
c2de6c7358b557c68308e29e4e60bc553316a9b3

SHA256
0b5fe096da06c968a755642f5e9d4414071fa0612c0d7cdc6eed4db156727eae

SHA512
d7bd22492d80486e0102526dc5c3fc953fa215e317be6b3a8eb3c650ea96bf36cfb88dd407d3afd0f6e55315b0292e2663e2a6946f39d986ec971268ad7815a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d2bdc74c8de6f1cb9af6658ed0178b59

SHA1
f4de5d432eae78049ea211a262f0f96077bfe348

SHA256
103b6e912e871136538ac74459432bb017889acd8a758ba7886c383043e7408b

SHA512
a7f329d611b1877404f4aa0f9aca5da9d75abe53a34ff4b0bf732bbb8f8da878db1c0e4da4cafc0bfd30eae5c24de60940295ad37a801e728de66664d2de9221

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9c36591e930d6302d4cfe83bea198bcf

SHA1
5854ec4c3dbce13a8658b08bc4ea4efb5db7c357

SHA256
e35cc39a245a25692ec222ee471bf70c6daf871d712ed0390598e2067e997ceb

SHA512
3d0a5405ca044818adf25d2574fc6657695d4df82ed02f5b7661914275babe09354c7e9f12dc8aa26cdff4a575d6eb51c6687162788489372770506fd00eaf57

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c5b0ffa20d1e5c1f7eb68305335b387c

SHA1
cc5f81f6aa7bd50ffa0a465ccf681eb4581e426b

SHA256
78b1e12f34be2d2154d36471c21b6c30c5162628fccc6cdee07adca65f5552c1

SHA512
fd47c93125f4581ce7199b56e766e09456eb82a6b80d5bca7d02d170d92d6b8afa13bf271786004f62b09a626379b47d722cc996be56bb005485f7ae6c129fdb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8217e426d152414bf807d2d308d42b73

SHA1
0bd219236ee4cffc634076dc5849b6b40477b613

SHA256
e82d7ca0a587ecf9a9d3e95833e3c9543d94c912e6f582389f0cae080d14eec7

SHA512
f0e7dc458f8e0083aa15f0c03aa5281e59e6b4d02a2b8f5168d5b3d293f4833ddcb2e9c8db9faf05db87fda393e7af355ffc32540b959392a406a4e1c7611721

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3c5f4cd35335f72ac758cfb34624344a

SHA1
2d29890c556a38586966ef809feb517811682fe5

SHA256
ab78228fe68ff4418010e426bdc90b7418fce5e86fdabecd09acaa5b6d796f3d

SHA512
1aeb795c7ead1ff4d3cb8b71cf2cbb105b8cedc971596fe5670616089022113673292f20b3049d62702c38522b24a16fa3c2a768de84514d608e76d1c7625471

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
422982752267d4c4bea7407fd24777cf

SHA1
4af3246946672105b37c03a3d816edf241ef1a76

SHA256
da19854eb7a3d65e2babc330794d206968287547826c65ea3a8aa935dc1f71a7

SHA512
9d9c3fb41af53f8f444ec4135d5ce43919d2f7b4a9580fa41f45f8cf1011d9ab706b21a480ce48c20dab7b8a368885d964c428e60523aad65f855a29a2fa7d24

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
29ae10bbbd7bfd7114dc447971b9d3c5

SHA1
17244b8aa7418edce8f9dea528a6aba94168b688

SHA256
70ddc9ebe01f4c97aacba60fc28274f69cc1d7c7b7824ec3150ccb66d9a0501e

SHA512
813deb24e4e2be1c5869fbcc8f7b6102e62aa50ac21e345fbf87d2e176e786396403881b8e5c38802b01da16dcfee737c414313d43da602c7ba0ba1bc58debe7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
70710b7b0b6c97a03859652a4bfa8d55

SHA1
10719edc4a05feeb7e39a77bff56b30ef44bb962

SHA256
bbe064c6bfbdbc8601b8a078cdefd64cceaf59949e7387847b67e39168e0ac08

SHA512
f632212be98ee1ae7ba0e169fb43781cf6317d54fe3795960fe3007d26a911478385ccf05a1e2ce13267296f2f133ae011e597e0b7cc2b60db4f0c3b1918ee72

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
aa94d73278ad5099b5a84dffb4eca07a

SHA1
045696644a50016c1d9784977ed29825b9441e9d

SHA256
919cd2e13b68b2b8b555c5b0cd40a1610e0ac2daf9161bce97cf1b5d30e6543f

SHA512
d2b83cf0f8cafce868ba0e9cb9ccda030621226a4d0d732e22992934fb903bbe4a025bf7df6fd7c79a4e179037646330663a469f0e8d418a8be49f96eead2aed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
95eb241aa648b380e0959f6f89de3fd3

SHA1
741c837f54271a99b9901367f874da7edb63e189

SHA256
f2c4357948c6a21eec474d9ae1c53ff91c0852a8d2517aeb507248068ecf6013

SHA512
2209837d6bd6c61f29a1c7766cd5847d3abd81c65f482e36b9c27e5b8eec7dcd5ef3b85e9ecc3abd9089bc82d568f52efc00b0b23f34851cb6efb23eb87c23c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e195091e252e98030352a8de1d0ef782

SHA1
6bb1d72a847217ff0d50e38d0c3b3b3990e62197

SHA256
dead85fc78f7445e2ed4d3d50c6e22bb31919166febfb05f4be774807027c124

SHA512
d1c2542f21bf4a58e504f4af782696eb6614b3e48535e3d5bedc396135926fd070fc74e1b4af75d3cc836f8fde42c4b34bd15ff44e17d1f62e1bce0910a63fca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8951280ed94a2fc6e7bcd3c54baf008f

SHA1
1ecfb0062d6d973898ea10052c666257be7a30c9

SHA256
a6289a3f884b4317b801c8e625415f8d585268221f1a2706346e30541f4bb216

SHA512
02f2eba381d0af6a37fcb71054d2dd4d3d99a72c8fcd8eea682e657d55ee8e8fc3e10f0a9d2d6bc3eb036a4916fbb694ba2b88be6cd772307791cbdf277ce289

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3d563f8966bb6161949ca36862751523

SHA1
64e746041602ae928f8c50c69a2973d9795130a3

SHA256
855e584c16c617d4f9756d992b2ad9ff79b6a90cf2164ac5715d85054c3f37fa

SHA512
55c503a1b471dd92198cabe30f48802270201182338ec67facf83623a888efe503f522ee7c4b03356f150d264735e77d847ec07156054baba982464e400d9c13

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d32f23527c025746bf09507746633e48

SHA1
3f0a9bdfe28d42b96cef392ac52c32ea96ccc7d3

SHA256
4d87cedbc749dedfc709aec71374da35d5d3a519300c8fe45191ced01e6dea60

SHA512
ef6b0b4fa37cfcbcc901b24718b17ab80b400728a31f7b54dfc17ecf3462c065827de304175ec9875d1292e16da0bf02f7ae7b9ae1f58da95ffd012054324837

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
745e2519808524002268693baea0080d

SHA1
153c4241f7b8949a862ab3e47c05f9fa43de3362

SHA256
0c441fa04eace60fcf823c40693516741615de2349532c8d20bf3f5e70839958

SHA512
881d55a47b47207e234b71443d84d97ec2ad2f4b7f000e3771ae4f3cd7c7b533cf7923412d51641e2a29b128da952d513a04b36e8b6a6dca268819e1b509337f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8c1d43606200909ef77fdc76fad2aadf

SHA1
c83f38fd162fa5b9cb4890824ec52dfb0c719adb

SHA256
0f66a42bd669a50f42b426d9a7b1aa66e7d3c1fa45c3a01f31522ca71c08e7e0

SHA512
a9e6ae4a471aad0670f9f3bcb7f9ca328a01c41fe6fa1f886c0b4bea77cb474535960031211df7337cf2c72c765a1ad7fd6953d3a141b0237b4a6979d0cbdc1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
125f9ac973c48abf62b0d1cbdd8d10b8

SHA1
baaafe3cd03c36ace1141f8007e4bb23ec581b3e

SHA256
f08261651853b51bf9acb85ee049b0be45b2c59cd0928003077bee3d63082097

SHA512
0d9ceda0eaf974dfd72fc96e751571dcbdc7ca404b0e18cd78bedd4d4452dc1be1d1b92ba77b836d204671da090175b9df4fffcdb270d4a7bcb56c8e1c8b8cbd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6937ea0c82bcd3b17b6904ce89672fae

SHA1
d2b51fe41c04ce48c39f728ce3cdff7018dfe5a0

SHA256
ce80fe9c829783107d598e5094a98fb7213057890184c0ded2e6b6916e628685

SHA512
1495c35411a5eac7b6f912eaa55e9e29686bcafb3e26b700fcdcf5386202a1839fe26397c9c099e68875670390c1a1ee5f6f35279b5766391f6646241c971413

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1d8866a72b4219d9a3e4471530ebb8e8

SHA1
2432e2b68f17dc01d2a1a11443b70268d3a5801b

SHA256
3608f0f8a882e3654d884ffb23fa1c3eab919d9a08ecf937af2959a514f2c507

SHA512
c189485a18003636fbb7df1e3d9727d48bcd6c13fd01be8f000eed660b10064b7f625437848a77e5dba1b4127d8be4325021011b20ea88b73df7293a0862ea18

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d71c776325eb8107ad3fcda1f2b3b9c8

SHA1
da5e2d5b3f490e61de9ac9e9cc77c92779f578ec

SHA256
5caa23783d84af09fcc63d0a1fa779d1203363333f0de8c9d539bf2886e5f81b

SHA512
347ece37d19100cd8382f4995a010e87e61a206c21ec3f78227f112683f1cf2ffec869b7e3b165327f6e084ee0019b9f51de7c7ed6bb0b6291b9c7e6db7e2ed7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
de0935927b70001e0bd296754f8a5327

SHA1
0dff55df578fa876a694ea516f823c989f1fe745

SHA256
c220a8f91377ed1845ea1a9bf06582121bc29b82e2c58b38b9daa9e94be2a15c

SHA512
7307f3c6e3f0cb546b44d6c78dd43129241c7ee8ccddf99d5901e29d0fa9b5a2f49f9f568021b60ebbc582977b685048dc0e5ac9c9a544b2b2a76d8f5f125ca8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
809d6f242e73a2c50a35dbae9017071b

SHA1
73b266de82133678be9b499da6dcfebcf54f6aa8

SHA256
deebb523522191b9aec7336f5810c6205984da9b452df0c4d41640951aad7ec7

SHA512
db1eca20b728ab4d32650566ef8e43891540139642d09734e9675e85e5aeafceb0987e1e4da9006cf859f6e25d839e86a06d70536fc564cf590a6735bd043a7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2b278fdaa065205cd925cd701c9dc3f1

SHA1
0bb8e742df0213719d6b25ef1b269770034da274

SHA256
c7d683f886d48764554e72ac3aecef6f965d4468611ff3728667e636b68d0d8d

SHA512
80e41573cbc8d97b34d99ba4dcc1a6c5b024465180684fe69cc7ca7b9ce5944770879cf30fcc70d767da7ae4d4ce3ae22dd0591fdd54e21187854e908a28089a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d3899778ed734ab7b285ba26d877badd

SHA1
a18437c9440f9be20517671945c0062682b60514

SHA256
f7694510f95bed1a08add36a1568829f6a071c2f12c539bd3cfceaf6c5cf5889

SHA512
4fbc208282d333f45950e0aef28d68c584f8138788342dd7b0a37de05900b95bb4cfa6c6fd733b3a31e140fc40b6618f17814f8ab177c008f2b9d43f212f7dbf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
cdae107ff69a1acc80c52a5a1fc90e31

SHA1
fbadbea8b52d442f7dcd9c25ca5999e9df8f9aa6

SHA256
0a3adb42458ce5114a9a9fc22539e3a272486a25c579d2b1595d39abce6827cc

SHA512
0f2777e3d84ee4b7ecd01d7536d9aa0c6fdb7ba29190029ae19c46f8d85b509ea35da6353c262e74623f63d777aca080f7f72088afe79094780da7cc01160113

Download Submit
memory/428-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/428-676-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/428-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/428-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/768-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/768-677-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/964-60-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/964-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/964-37-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/964-45-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/964-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1336-260-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1440-192-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1660-264-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1724-675-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1724-48-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1724-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1724-54-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1800-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1800-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1808-202-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2152-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2424-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2424-31-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2568-266-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3188-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3188-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3188-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3188-672-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3476-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3476-87-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3492-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3576-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3576-679-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3856-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4000-439-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4000-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4000-1-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4000-8-0x00000000009D0000-0x0000000000A36000-memory.dmp

Filesize
408KB

Download
memory/4000-480-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4100-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4100-678-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4164-73-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4164-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4164-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4364-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4744-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4956-267-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download