f7c8e461bb87b62ea327f1997e1122f20daf20a79f09fb473b424a57bd47c571

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
Size

1.8MB
MD5

800eba920dfea659909f686be2f29460
SHA1

3e60b036ee7fdb29a0d297fb3e63de0d3fb321ee
SHA256

f7c8e461bb87b62ea327f1997e1122f20daf20a79f09fb473b424a57bd47c571
SHA512

157b7b73c17712fa53324f6f60664ec48cd71da91647fb100c455d06dd361aaa98b162ae18c3ad217f107cc141bef2bcf762208a3999e81e7e63d89cfe458f50
SSDEEP

49152:bKJ0WR7AFPyyiSruXKpk3WFDL9zxnSrrfPOkhqvq:bKlBAFPydSS6W6X9ln0Okf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2644	alg.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
4884	fxssvc.exe
220	elevation_service.exe
5044	elevation_service.exe
1912	maintenanceservice.exe
2380	msdtc.exe
1384	OSE.EXE
3156	PerceptionSimulationService.exe
3532	perfhost.exe
112	locator.exe
2404	SensorDataService.exe
3664	snmptrap.exe
2944	spectrum.exe
5072	ssh-agent.exe
3536	TieringEngineService.exe
3084	AgentService.exe
4804	vds.exe
4692	vssvc.exe
3432	wbengine.exe
3708	WmiApSrv.exe
4768	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8d8b5642c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_am.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_pt-PT.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_fa.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_uk.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_ru.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_sw.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_et.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_lt.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_nl.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\GoogleUpdateCore.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_it.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4759.tmp\goopdateres_fr.dll	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071964aca2ab0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000518618ca2ab0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000287224ca2ab0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000683bebc92ab0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0bb35cc2ab0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff8337ca2ab0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000583d8ec92ab0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005250a1c92ab0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e1003ca2ab0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe
2148	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3004	800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
Token: SeAuditPrivilege	4884	fxssvc.exe
Token: SeRestorePrivilege	3536	TieringEngineService.exe
Token: SeManageVolumePrivilege	3536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3084	AgentService.exe
Token: SeBackupPrivilege	4692	vssvc.exe
Token: SeRestorePrivilege	4692	vssvc.exe
Token: SeAuditPrivilege	4692	vssvc.exe
Token: SeBackupPrivilege	3432	wbengine.exe
Token: SeRestorePrivilege	3432	wbengine.exe
Token: SeSecurityPrivilege	3432	wbengine.exe
Token: 33	4768	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeDebugPrivilege	2644	alg.exe
Token: SeDebugPrivilege	2644	alg.exe
Token: SeDebugPrivilege	2644	alg.exe
Token: SeDebugPrivilege	2148	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1252	4768	SearchIndexer.exe	112
PID 4768 wrote to memory of 1252	4768	SearchIndexer.exe	112
PID 4768 wrote to memory of 5004	4768	SearchIndexer.exe	113
PID 4768 wrote to memory of 5004	4768	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\800eba920dfea659909f686be2f29460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\800eba920dfea659909f686be2f29460_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5044

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2380

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2404

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f8777b3ff2cc9661adacfe6cf92ec34d

SHA1
856b9a2309bbe0b88cd6e8dbac3c37414d86e144

SHA256
f8c61578db020f2717b5c19c4c3a5cceb2ac23ba88efce4fb4333ac820157092

SHA512
9901acd3084b0eca684b8a68a12dad17dfa8aa59b2dca800b724846f1ffeb7e1e4465c8d26d3bffb42ddf78f1be487a336b0185ebd48d7a6820bc1f3f9c238e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
7cd758cf218004903e71c469addf2a2e

SHA1
bcbe91ce67b8bd229ff93e219b34fd454308638e

SHA256
6bf748283bce015c5226a8264aaa599a0c8d75bbbd280e57a35152bee6bdbe8e

SHA512
cd6b955f118785bdba260a89d7576d11f176ece6f81673a956d25a55449c1042c404ee504cadc1dde7cc9e1a70b2fe7eaed41bbf8602887072524d1e910b0b41

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ad4c784038bf48bf601aa51a38438e41

SHA1
cb6df16e1a8800b0ada06a40ad6d6d7c2abb3ca4

SHA256
ae27f7bcaa1d66e41b6f9d8bc9d99056b516f3e42bc0dedc2514d82940f6ecd0

SHA512
3ce90f9d1d6a802cd1cdad9d46a98aac2270b61417cc66a9ba9da5ff563f214856d81793d13966887f8049ecedb3b2e0faed30e32235fae8594c99f67ef915f3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b09ebc04d79b1a07e646f62a58e6c3e1

SHA1
8b49f146ba950c0f636579264ba253569f9021d6

SHA256
3725fc0047a61775ecb94941d1089b8f356a9725adc0cddd96b02ff7923b8d88

SHA512
7390bac3e894444c480f18a5f6c129fefb6624df5662fb0f513d864215127e3ab21ffc865167c398324d6da2ca1782341b3782614e6e436797f9e6bdb1a4e26d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
204dcbf325b013401ce2f3006d6af298

SHA1
c43533a71ac07f8dff3aab4f51c4c1a20dcf5a48

SHA256
c33b857df6f4998900883134c71ff41e07a21697c92b06a3af3c608da2857532

SHA512
1f514c46bb7de14050f7dcbc308051e7f4f996454c3372d92a4b6069b058e1c0a312f09267459ac54d186a75d7ecf3b257f4aadf255db6968b6eb7ee5d6bf350

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
38ef680c199b90c70f36a11660790cc5

SHA1
6a52f24c627ea83b3ebfafb560d70c87c1ee0712

SHA256
0320b3628b3d5ed52c4c73b0aa5efcd6b1406ff2832a8b05e13a51cac2625703

SHA512
392c99f1c563e97edd4a3babd47e0d7558bd3924aa6a7fd1410fc7aedf4318a158883307e907db9a85e4f7d083efa07a6da65dec88d76709aff929ce11935f55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
42f7c9f9b807a4d156630dee220d0a2e

SHA1
debfa5929d4b8e2ff48c1d9c457b6fa31b765edf

SHA256
9e0ba72e97613e68a5110f52ce65400868cc59ec06c2569b48c1531345b0b860

SHA512
6842158019da70eb80682cb6f3b0b28ab63502e89cb905d6919535e8a343b86f250d3ec52ccf78fbce55317b610ccb04e44ddc95c9814b8499d7fbcd57e62b9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
881b8a11e28ac7ce58f2050c94b19d4f

SHA1
8645919bc9061d4ed16634fc55978a12d64e1b3e

SHA256
e0941a6bf91a9387ae03cdb558efe4f35b0d42bbf56d889352e966d47f16b36f

SHA512
33edbc8c4b6848e8f48f4701c836eb12e0d72e6015b621a8122b9899d33dc3e8a4e4b358c72c5d589eef6b31be8b661a5c8bc90ace613a28c9a7c2212c28a50f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
50519bcd8258e55c960eafd5be67fd11

SHA1
6fa4904ff5021de52d89c728e0d8ab7a6cd7366a

SHA256
881e5614b740a3580a99db3185438eab8597612dc8e5ffbb28cf1474ff610dfc

SHA512
0d5ba19a50e50e268216489902a9e247f9ffc7774e1888a6a08937e9d9f13551d2dcd0490032bcebaa6fd7661623079d07169e5d8c62e5a54c245e9b08093518

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9870eb09580c0bdfa3f6367b50218e88

SHA1
32e85fa8613e844f4bcffdf2995babff7805c1ce

SHA256
3aefaf57ac4034f5ee2aa939b045f37291b9db9ac66cf296bda98eb9ecefcc37

SHA512
2099db5a9fa83b576e2d67de12c8bc9087e600f992a0da3b89c12c8eedfa583297f85ba66dcc5bb04a01657fa6d102432e8dc3f34be2646131f5ac82c6783182

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
292dc4c2fff8c8d24ee7f763fc17ed0b

SHA1
ee614e88cb3c97034b8add62eb0ab62215e7723e

SHA256
8d6343fb5c1962349e3c5a1d6df511be8e8c25af4ec845356ef6e51f549a95b4

SHA512
477f6acd07933c82876a5f42eb4b1a021a096e72c59320249bae9d059f839cc2d97c9edf74c5964848dd30b3243deb3d85036c93a30b8e33ac181aa1862c8565

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7d95055ca8e8e996d7719b61ec5a4884

SHA1
e6609f79fba88cd53f037596136db4caf654e686

SHA256
b4b6e3dcab07702070df5f664d6ba66499b1e8bb69fd83bd5b6b42bade67785c

SHA512
acd1b643c1efab46f55348b4d894d685cb2c458245b910b846bb3d9093304682910b4f46d8a52ac1bf1356707110be217338e12b1c746fbfd2065f350a5b8f17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e81b190ddd76cb48c9195f4ab08a9ae9

SHA1
174c06af6ef11f8a12cf4345c4c4655748f5e705

SHA256
45e5d678fa72c15d0da61a21124824cdb87a6ffa6170fa7dab9a8ac74223b2cd

SHA512
98a5da83effd42a8770f81dff9f8bc55b201b4121f2ef0e777e68ed724b0c8f720de1497f289f9e0bcf176abfc2861df9677e6576d235aa5fd42ba10dcaa9ad9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
a8f1719fbe46f17ed986d4805116e9bf

SHA1
dea188d5d16aea996c79214a23ba914c31095e4b

SHA256
2701cae4891c987310db8f2a547d8b485e9950aa60dff94a4dfbb89485d6687e

SHA512
e86d386417619fe9cba900155699cec6cfe49ba44978941a632b8aab1e841127a66d68b7d2a7683110e3506542a3ea1c5fb474c5799b1acbfcf631015825e33b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5eef60aa5388be74ab35e9d4c25dbf9c

SHA1
d0dc62949dcc726bb2f76e95e2d102fcae8d7346

SHA256
31889db8552290fd0fa2fbf1f7f3e13ed0e26a2290fdf35b7355f046c0bec5f2

SHA512
689db35f09d44f499f3c51e445c6cfbe1cee21b4b382384e1798fc8dda7f89b98cf8fbadc2c84ea557218e69566bbc9dbec47e21982a5a252d8025f97e2c1290

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1b362e091ca1089b3e63a4c3cb69061a

SHA1
62763c46359c1034637a8a6bbaf8390333ebc2fc

SHA256
3929f6cdca45f19e7b9cfe39921ad7878195140dbb2543f6de089394337f1cce

SHA512
3167695e857466d121eac61e4f8612606d416bae92023cf6f43ccbb9426a844288f342f108c18ebc742aa112ca10f60e504a1596805b3191c338e8a48119b878

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5dd45dd65ff81144b19b94ac85d8a69f

SHA1
96d9e80f8a924d1bd7fb8861d4f99f8057fd5534

SHA256
6ed755b6012adf0084af657a222a59519d3396b08d4a77e671658f423477d100

SHA512
25caebdcbc0dfe731badf02a1e08faa800ae88fdc59c7afe21f04364ef102a32035b988527b33fe179559da81dc11b09dc79e5c6c580412d82acfa3ce95ad8e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1f2b603f12b8dd1c32308303fec1786b

SHA1
d020e98b0925a23f15271677dc73c1c2fd647119

SHA256
e0fab6d8ce39142de0effe40318525e8bfecfd0e036963d850cafb3348945adf

SHA512
3a6f4f88e4b6f25f803708d2a2490834db0ccb2580edd371de3b33e7481843035b6065db17fb780bb941241fd1bae1cd7bbabc1ad19cebce0cc0e8f17ae369e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9d5d2d50b1af97917191c08130edad0a

SHA1
36dd3c0fd05e9b80942c122f4a9e12c16dd0de82

SHA256
f0e0f75d558e7b4a1092944726c7d703e05154b274efc4a33d39eeb4b2426e04

SHA512
48956fcd21724a3fedc68b14b6f998a4bd2a812ee329f7f60538e638f5d8d8c378d8ae9ab2114ff4ad85abc44360c5e2c6dec0b557f387d9fe0d1c8106fa65ad

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1d59cae48c40b8f0477445ddf0e79412

SHA1
f2b49fbb3394a044a2cd95ad42f830a577dda457

SHA256
5e06de16c962860fec157f92acf05c7663faa8d90f068dceb14ce102fd584050

SHA512
77474e83e34115fd6ae2f2a64a3fabc33e52fba0e96660fa5afa0ab69c2fe5efd9f58392b1347362acc86937eed77c18186a99595a8cf3bdf65ea9bdaf25d3ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
124e295dc81c376473940baef69983a7

SHA1
a2e88a8b006bca1131188e5f06bd05769fc3440b

SHA256
56325891045df1be95cab1e50f42e63bab5a5c9bd3074a0e7fc586c49e8fc850

SHA512
2a33ae65623fcf3cfd687442e9a4280551a35dd24e69d7012d3d5924d900d875913503b3e8b432c815bd94591cd13c37b6937ef0874f99e60397883543a237e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7a9bfd8f86884d828ca6235da421676c

SHA1
0e4fb69120143e3374e8485c9c5a0064833c8caf

SHA256
67878f775cee6f7284b4d52b4ff520e39ac84b44239aa6e92901aad17406a3d0

SHA512
8abaab91bd59b384b649195f9f994c658721dabd726d785c7bc3a40be0c746f82b13f21e46644aa933dc7abf8d724343db24dbe78f4b155b37b52cd58668cc3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
76d064f92468e55535bc64ad54b3d8b6

SHA1
8cc8e45a375d906ae03e0dc6f7a202725b764e84

SHA256
ab7b4147626bd2ef5dfa3fd5e5eb54dac1e39c183fbd57d5b0f67592f91784ca

SHA512
3bd894250720684ec1e95b825a47c8215b4b04f7274cb5242788b98a9789f0bd81df37036d5be81a02346007475334cef34b20698a5ca7717eb7759e4712947e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
bbe95751dcf8fe6dc30736443fab08b2

SHA1
be7601ecba071a1b908d1e9c58fa78c12dd85ad0

SHA256
a9beb3bf7762090b2a2e7152d2b177394b9219814627fbb5b2f3b764f6d1b3f0

SHA512
fbf56fe66bd3cb3e9cd7090f25bcc5c7e26fc4a352f34f27cd1b4607a11c5cb520361a93c6c22fc326a72633be4ab1f0f97e17115361d7268f834bcc1ad39c7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
329dd707ad06cc79b8edaa4f3168e7af

SHA1
0e1b53209ed2b188a285a1983a8e722f53e624f8

SHA256
fcc25c718a46d3bb61cd421f8f72e0bbcbb8cb48104305549c4154ec44439871

SHA512
b042dd39cbfa24022664d5ed78978f1ea2028565b12ce53bb0ad6e2e2b09e468a31a410d273610f17dcb7a9cacd43abd6e18eac9475a3912abf514de59a71d65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b0fc22f59d8bfd1ad04d7d6dff53a52b

SHA1
4b1f64950bec9bff4c969151fa5587f1f81922f6

SHA256
6601d009deea855f5418d61122b85f251f4c5b492eb717ace3bd83f60e750a2b

SHA512
e363d2bcaefa80db2e15602d4dc6bbeb07d5f5af289f7c4326a7643640ca8356e59ade771372c71b88d2d9824e6036c2bf28f1da4fb62966a12d25a2bb2d0eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b33012002ac28d65fe6be465330153dc

SHA1
a4937a6a0354c8ad10ed4c33cb41729742155606

SHA256
838091e5c7a27213e6cd31387f8d4f547524289c42f73a328f63a1c2ddb81692

SHA512
2e104f038c860745860fdf84ef7692cc8bc9fb7efbbb6b5d1c680f06c71d4d5ef0a5191f797b266f5455e138a00a279c5bf19347807ffb50d224f4a2d5e8b6fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
575e79a65565744a2eaf240f6881f47b

SHA1
dfe76d210d7d76e370913bc2ba7203b7392df721

SHA256
6958f3f00ab025b8744d6071ad267acc5d52257b4fe5acf5db1863f3168173b4

SHA512
0f09c19e76132bcc5ee0bfc7bd55eb3c7eeb3e74ed37f9f4d3bf7198de05b9739abb68e0256818fde65dff96413294365e15283c6fb397a4d5ed0927b0903110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
4986e2a5a3ba0bd5e04bf6ca881c2a48

SHA1
cf92200b32413e187157b77e96807baacba85e22

SHA256
5d1ecf3b96da057f039bc4f632ca97a37a4525bdfb6a1e5094d8cd80a4e50b18

SHA512
79a44766421833c4ebfd4a6d745002a8dea69a8bfc859a5a0faae6f8ed683532b559cf4c21d4152723c5cbd774f117609433af2ea90802b5742cd176263f4026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
7f5adbfcc320659b01c3276b944ad349

SHA1
5ac13aa1a02102c1b12729716567816fd869ce99

SHA256
fb1acb310029b180b8f6c162fe371a4e33c1cec38a089ce4a859ff5be5b7a8a6

SHA512
65672c5b9081326cc5d3dbc427f2588ccfee66c385349d581b8ae9eeefce2a7d1d17282c8466843300360d546a50eeed5e64d6c53341fc1b6ca8f72037c7cca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
cf89a58ebde8de139dd130d10d31e4ff

SHA1
75cf803de06fd6a473800a1dc0c68fb757fc0f26

SHA256
ac28a6914e6fcf4f1e15130b14f7892f22cd917d2cc2decd12f3ab114cddcd41

SHA512
1f95ddeb4eb28d680503f5f8c92418263aec37d85812112a745a9598909ec5175b0fb0a23fc2f075272eb097915e1c0d6f6e027a7926c328c89fde43827c26fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ba8e9fbf6ad3e3126552e8099950a08e

SHA1
26f8a392840509c77ba3a6258642c904c48fda90

SHA256
8a2c9085bf4e2733f3e6fa9c00d026fe1d9109231c07dcf5fad534d4d0756f2a

SHA512
fb787fabf63c4be664ad090b5010fe03bc9be811760e2c4bb67345207aeb34ea39da64b2117716ab96f4e1181c081796c26fb84fc5001fa3cc2f50d1812e645c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
57f06a853a897ddcba553b0d7324d4af

SHA1
6413ca284c374105fd0821f157df51633bb76876

SHA256
bfbc7e172c96c164bc239c2428fb4f6bc9fcebb1e752d55783200e4f375c695d

SHA512
9c06562ed66433b49eb64f9c6bdd38acedc33ec459eb84ee574f124a52b096384ecfe551e3c5f718aefe8357e5246393405a517fac1067bbc4c5085178d00517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
4896e4d21fdb361606ecb01ef5a63b3b

SHA1
267a73d53ef7142b9985daf1d5114fb522e65f05

SHA256
64a44c68e437da6279162706319c3fd6995de42141ba5cd051cb15ac08adda60

SHA512
0c550b9a6eb758232482317d96504b03c9bf01204ebffb5a21036e683416751864279b88bf1ab5e47aaecb8755ed06d8c2c6cf462fdd01c860de6894d8afde6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
47b4a31ad4865964cf1df959f5d16267

SHA1
1441bca09607fce57fef6edf6f79cec5296881fe

SHA256
845e073acf122d221e68044daf77917667348c53ff241686bb2e96689f4ea066

SHA512
267ea56399086bbd54e8230c7dfa633516c18fed6cd9ca0631c5327f22c9dff07fdd4876c53b045401e3b394edaa79cae0349d51ac19ad2a1abf56e6bbe5a706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
f1c5bb9f230d243bede169c2af07bbe1

SHA1
04625de639d0187d6d113e83f991a4f40bd30134

SHA256
4acbdf3633596e241306924377b8a9bcc1572c94f8715797d5a7e1c1647f1c15

SHA512
5ac9557ef65fab6ef58d609c4b8dddcdbc2b8cc5545fdc70627e6b33650494a37b410c5fb47f6e032325b6097ad4fe653d6ee7cd15c78f61b131d3d72d07b3eb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5e1408f289ed6ec44decc9d2753748f2

SHA1
b6c1204cffd54dc0ef010aeef4c21fd11951e775

SHA256
4c7bec2cf9689e15f7a834615e9789fb63dbeba0eaff8df753f91e0890dd2b08

SHA512
2ba57403111b13c439701876dce35d2c7a932c5ebefb339b4921024ab17d4c92946a6d1820aa079ec4e0ce2b9560947b23f75f3e274d08fa0d71735a16ac44ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f4a2037e6d8a51cbfbb810f05dfdccb8

SHA1
ad808e8c1b3733782f3d8aecee294b4f04968712

SHA256
45d0a47c914999969c40c1b5a652fba9428b279f1aeb3df27c37730f637eb270

SHA512
3f49bd9ff56dacb1ed6dcf0ad75e901d3c081bfa4d96c15bc6db7be5b7cd18511e4bd749e4dab5126ccf92d7e38136d680665948ac3076323a633ce318209029

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
55c349371eeb88d7b21a245bc87f300d

SHA1
b1da498d09b2a61eccf367f0542993c296684990

SHA256
9a7cfd6d7a9091e16e7f47141b8a9a0414592eb2bd29109e987b9bd3564d499a

SHA512
d39d69250d209b99f14ed7533a6fe91dfc2001762e3c3848c3854540ddf68293dc96380efa8d5253fe40f5beb29bf55eb695870d208ae3c54fcad0ee176e59e9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7b5e40512b081fb502300e923d0fae5f

SHA1
2c379453daba29d925e6a13fb3a141f2b38ae4eb

SHA256
32de0cc282a3cfb84063a08a5e9193ac222da9f8db5f78418bd6a2ea81db2a32

SHA512
56c7fa83acff3dc19bb857294dabdfc7bf3f4ba5506129436dcd047c0c47925e7f5cc202c7c90dadcad13d2f03325d11be728e21bcfa81f7e74698eb92dae8ee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8b43439abb4cccc0c6b87af7401c2a0d

SHA1
aa940d5ad8256f168fedae48fd70fdf19c0d874e

SHA256
06a8a5b8adeba6f52f6b3621921fb82c7d34ef1ca906b2776fa4129729f1487e

SHA512
cb83d894db1a35e18a28fb7f27b8ca576f4a5f83e60db0928ae53cd1ff8413232079adaf4651ad6ed92371ca610c3e4973f5511f967322c0804ed87a5d0b4f49

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9bec5fb75995ed195d7f62fd32c6d90e

SHA1
7ff69f994be65c8f2a896e2b854eb42885275312

SHA256
adc0814107db48449eae644795d1eef59acbb25dc3986576f0d37f1f38c6d049

SHA512
86c5ebbd16fd04a81bb057eeb1237d087117cfc43ebbdae40fb0d423c4fa069ee6b61316b726538053b083e27dd8041461e143b4f878ead3ccb7ee3dc8ed0b6f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a4f004e394a3eb2fdd16985432f7973c

SHA1
5d1f6ba9de8da79b5012ec4893a109e5c6ff7f80

SHA256
5ab4677805d6963546797eee658fa3fa182d8052bb9515c4d23957d55e4a115e

SHA512
8f420bf5262138abac075a254083521df8bea0efffeb8d834a2a097d3f5ecfb4db39d1b8094b981f5f4a517899bcc283b42a36b1aa693a194942a1b0f9ffe423

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
236aa4ce430066b2c61aa179c4406079

SHA1
07ba28083fe2a1ed613c8320c9396f33c9fce7a4

SHA256
90aeaac82a5aa21b760014518b5ddfbade37f957ad2aab4709171a2d1f18d4a1

SHA512
473bb94a19ac0addcefd1750758ffe1e7af2d82babc6abc28204e8c70ad4d7d7af6063f0a7839d45728c38bc6301bd03b99e334ee9a2523e10c48b5e2db9deff

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4bde3e98f76e71c0245caa102e6a4659

SHA1
4d66b1beb22a491b0b47a27ae3008bab58f54a77

SHA256
97fe844aafbef2b79de689b3be8212334d30a4b78370064499f0aeca9d961152

SHA512
66ec5395cb35b16c36b5dae54fe241aba52c9115ec04c9bf7afeb8b503b0221c8f381182a5031c4a4b12423163345377a3e7d60ada5ef693842b372a273977bb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a04ae44088fb9876ddb2d9bf8e767372

SHA1
6c61f7582181551cc9ee8dd9a88906f0e303145d

SHA256
7ea9bfacebc0aaab1815abd8f6321f63d224862573385c4b6fc41a5c11ea3c65

SHA512
f13cc0bc8f2db7c9e195376cd15ad28e3822ff010f7e16fe97db93cf64e5ef388f0c895c1c2adbffff8572da2b70242e5933cdf9f5879e2a49ad824b8760adad

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4814695fff7066594a5f6167e64b8477

SHA1
aadabafabc3083b1c125f8c715c98c5b21ea400a

SHA256
ef347a885579cf70be9857d769d9ee735a973f4da80a4cff2c23f2d812d676be

SHA512
c14f0bfcf7c5d9d8d867ef89b5eb852120fad42865b966417184e1764861fbf2e1c59d528ac3946b03640facee08111ee8eb2b8c50d65b91c6684048c3d2eeef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bb0e1547567026ccd09825a501ce2bf7

SHA1
8c66e32d49cf6df74bcd8dc68c98e5082089116d

SHA256
cb55270ad85a9df15576fad312ba6142b55dcfca0e58f4a6256d5c5e09168237

SHA512
7cd38c9f5ef7291bcd9f4d39f771742ba97fbbb161c6092bb790c7f2a4f6ccfcdd449dfd53cf3ac6598b73edb2b56b1ea049af2c6ff4d3ee5e0734a9c4b30261

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
de26ee0109917202c880bf13b1054235

SHA1
469bab14036729082d52db6996cef880233e34d6

SHA256
694afc6300ef24f9d751c56a585dfd61b4d8773697d69385598293795d746a46

SHA512
ae02ecc5decefec1f319b818749c478b58a35f087b5d06b13dd1c1cd6ae69b33756d090cc2a04f9e593c1620789a1bfeaf6595c01415e1ca6a3a43d807cfcb07

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fb56b55b1117d120a3cc30e83b7fda55

SHA1
36404bfe1f2619c2bfc3463c8110ab4e07f2ab39

SHA256
62e5aa47c850d9f69cd2325109a546486104719c4221627fbee37956c982593b

SHA512
a6220c39f6f9292093a9a420374f2d18a92a5a2b4a082af9c68e97c3604d11a8c935e2fc99505506896fa662f9ed8c61f52ff92117d945a4cc7c8b9fce42c5a9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
09b79f00dd50cf4470b1f68c8cacacb9

SHA1
88a71fc05028ec3ea3e33ef9dca2f69809e978a3

SHA256
a4a89040952c0aa7cdf60c7581cb0c3d57f15d2e67c38b85ab4bc3f0ed2172ed

SHA512
50516e664cc9f4d55bbb1c709d4c03a121fbf9b9ebf29dc22a8c76a9a907b9b536e330dbaf5a056257f67833383ab3072b638659e7ac3521fc2071ecaca9c146

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7e99c5a9ace5dc9a2abd144f3d1ac96b

SHA1
55a5d91f49dd35a9111de32846a32041bf22d468

SHA256
50d0906c3468489e384ac13584c753b73e38c683259a319bef719819d66eb770

SHA512
a686f4971d9626e485e28cab6f4eb6ac59056b252a38529a1a2fc9911d022d6291db1928a94d532adefa209e602a958d93361990d919eb0ce1182b8f6c8179bc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
e0bec8083482beecd0710819ce6f23b8

SHA1
af123544aee7bfce77ed6d460a5314c1a0986ac0

SHA256
14790fa793de456076043b4830c5609e117c2daa1318dbd06a566c177f84f3da

SHA512
bb143c5d1c07205fc942682f64e414d315574f19658cdbc8c503540a1ebe09bb6384161e1f52bfcef49612f13cbda9977cae83b4bb2dc1468471f26fc05a83c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cc396bad21f065f2cd1ce54736d40962

SHA1
5644e9ff2a702b5a4032222ac704ad69d9bea98b

SHA256
3ea6fffc765ee1357e9fa68b8331146638bd8498edaf843b0bee2b32aafdf0af

SHA512
dd2401744aed36efea6187d6aa4af880e93649e681706a3387bbe24c32ab1ac811be2812524d6ca3008fb71ea86d01d2ad125835552a1c4e1c647d88ef8f08fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a14049a5a4431599cb72ab6b812dc08e

SHA1
f6a4692dbca2f6f1fdbdd8421aa28dea3d6d5c9f

SHA256
cff026a238e2fe32460c125cee6366042b418a922526eec0543a921c02567a11

SHA512
dcd3d5bc61bc3824105c8a32b8caf6a74758544a85bc5e98f648cf05d0dc3bce34c8dc2756678ee7657802d543f6856184dc57ec327a581894b18b2b8add02ae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
50d503ed6c02124cc841d8582e158613

SHA1
6630bb321a1e04b600413eee3ba554fc0d7d46f8

SHA256
8870d3a8019c8dc1a4412b98897cb22c1a3e747c46b0cb71e3c5b729186643cd

SHA512
7deb2d1245db00d5e2a79a4968bcc255cd3c5815aa4d0e48465438a5747342b7f37c8193879aa52cd1d30d25c02ebe6e5f2004c9645efdd16bb9ca288bac8552

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
35abddc46bf89147873d6ea413755478

SHA1
aa079927eda8fdd61a49bdfb201fa5dd09423f40

SHA256
f1e99dce4043c26c88bf941054e713c1be955254ee05051aa789f6f3e91b7bf9

SHA512
5414f2778dc01e4be50cda3c9ad3487bd20acf2505eef3887b7ef3b7108d2838cc3c2494456c0cc473f60cf1ca1d6b9f791c55be48062c34c432d4b9883d4eaf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
e10415abcedbfa476526b3fe178125d7

SHA1
0bf728e50c17e20b9f16b0c3eecd0204346c7c69

SHA256
9abca1983d87d53166ef029862c9bb60e25a184f942cddf5d7b71843be5d3512

SHA512
dca34d5bc4ccdb0b1e1bffc1c1e50009c1e2b24bf57d769944e5cb390bd0aea60dd401e84eaa596c2b3451ff3926df6210140d4bb7ec177158b9a32bdfe38a8f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
dd007bc17d05c40624e7cd671a09fab0

SHA1
099fdcf3785101205633af5d30af32bd8870abbb

SHA256
91c01f631661eaab6a3c5b4ae6af80cdb43d74938a106b0275bd63f27a0a69c0

SHA512
e68c0356190e6b015550da7d10797c23b868ae4d831994e2f9a411e434bfdc289891a923a0b076134c1591eff7027f6b1c5bc99c500e67436cafa05cab7faeb3

Download Submit
memory/112-206-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/112-327-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/220-115-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/220-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/220-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/220-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1384-297-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1384-181-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1912-150-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1912-142-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1912-148-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1912-152-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1912-154-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2148-99-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2148-195-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2148-100-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2148-93-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2380-158-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2380-276-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2380-159-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2404-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2404-650-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2404-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2644-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2644-20-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2644-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2644-157-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2944-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2944-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3004-474-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3004-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3004-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3004-4-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3004-141-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3084-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3084-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-303-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3156-184-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3432-316-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3432-745-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3532-315-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3532-196-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3536-265-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3536-740-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3664-237-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3664-596-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3708-328-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3708-746-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4692-312-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4692-742-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4768-747-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4768-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4804-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4804-741-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4884-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-105-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4884-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-111-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4884-139-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5044-126-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5044-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5044-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5044-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-716-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5072-254-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download