d4916968d352fbaf173f61f5376824db7083984c77b14db4108b2d7be2627ec3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
Size

592KB
MD5

3278db6bcb5c22339f24845bc6df2bf0
SHA1

3a143cf7a8b387fbf8ee774766ab8c7636ca3553
SHA256

d4916968d352fbaf173f61f5376824db7083984c77b14db4108b2d7be2627ec3
SHA512

2384843956e2cfbe14fc67b089ed6f757f90d1f4680dc66338891c28368052c57842cb1e605c3838f693c7b43d36dc54ea3b0060e5ca0c9cb74f0e8290bcc201
SSDEEP

12288:RIMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:PSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3012	alg.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1252	fxssvc.exe
1628	elevation_service.exe
3360	elevation_service.exe
2584	maintenanceservice.exe
3320	msdtc.exe
2116	OSE.EXE
3928	PerceptionSimulationService.exe
1612	perfhost.exe
4420	locator.exe
3712	SensorDataService.exe
2652	snmptrap.exe
3108	spectrum.exe
1564	ssh-agent.exe
112	TieringEngineService.exe
2748	AgentService.exe
3356	vds.exe
1092	vssvc.exe
3080	wbengine.exe
3648	WmiApSrv.exe
1504	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed28bef9e703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e700393b7b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007861a497b7b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090aa6996b7b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006a98896b7b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b17ebf96b7b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a013d195b7b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc960a93b7b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000740b8b96b7b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1252	fxssvc.exe
Token: SeRestorePrivilege	112	TieringEngineService.exe
Token: SeManageVolumePrivilege	112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2748	AgentService.exe
Token: SeBackupPrivilege	1092	vssvc.exe
Token: SeRestorePrivilege	1092	vssvc.exe
Token: SeAuditPrivilege	1092	vssvc.exe
Token: SeBackupPrivilege	3080	wbengine.exe
Token: SeRestorePrivilege	3080	wbengine.exe
Token: SeSecurityPrivilege	3080	wbengine.exe
Token: 33	1504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1504	SearchIndexer.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeDebugPrivilege	3012	alg.exe
Token: SeDebugPrivilege	1064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2632	1504	SearchIndexer.exe	111
PID 1504 wrote to memory of 2632	1504	SearchIndexer.exe	111
PID 1504 wrote to memory of 2404	1504	SearchIndexer.exe	112
PID 1504 wrote to memory of 2404	1504	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3278db6bcb5c22339f24845bc6df2bf0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3108

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3460

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
07fddadee3276b1af9acc3f7f1def59c

SHA1
2cda8a3d10bdfa63895ac996ee88f71cc2528c8a

SHA256
cac59f7c1ccc5641aa51362ed97c5b1c3b1b97911b9bb28a990a046d869d271f

SHA512
3f2bca0625f711fbe2cd2feacfe8a1fb109f132187e632ad4e61caa9f1976d15530941abb6874118d5fb7eba539bb24ef8c830678e76d7d9afed4f44e07ff508

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4dcf67ea14cc27b48c4040bf39e48d59

SHA1
fcd54bb238a39295b6153c60bebc9504ae68cc62

SHA256
b4c3fcba933ba969398d5f6bb93707c3ad85a71b849e174a51f2e8c6f151cfea

SHA512
df72ac86768972cf1086415e67f45a3ae2e4aa5d1ad1d31149b996e86398022ffb0f0ef4a5e3c8addbb8d0515650f4e6e4b537330de671a7f945d72f0ab98a2a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4cb725d3f490f4a9814a68c8d3303e97

SHA1
a019077cf409b9a73de3a424c1dde8279ce0f2ee

SHA256
4f1d6709baebfa1149e8972a8778ccc8dc92c7ff7bde3e0dc78081af944ebb14

SHA512
bfecdafdd0c4382a838434cc521f67fa41f875745d23d28e1f1861c6beaa717d6133534fceeb859ef221a53dd3143338be5070cc6116efb15054d84ac6925e23

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
32f21a39ade7062f3c3691152f41b0bd

SHA1
5265dc200d4a737e7351dd1f3ddea8e2b2b6b1d8

SHA256
92efc56ac501460d0d425b910518b929ecb85bdabba2043350f3317cda49e4ce

SHA512
8b1e1d770cb12195c0dc779c49e0980dc30de5e1d35037b242a454d308c03a542673c65a696c056024baf0f90c0bf18cc85d2ef9260daf7bfab825d75a92e5d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6a3b7332696c14f02fc1d889efefa2ea

SHA1
3a23295b1ca0f573a613c635600ef7bb07b47a18

SHA256
a2cbcf94af3a0a0456b7efc0ac20a3680e4116675459d2ce60740233b81baa8f

SHA512
7aab0c1915f2de1e808c22bb1978360b3ca708a30f6cc834ddedee1a5e512e015462cbe1a8bf21e3e8176e40d6c6c1e7b1dcc80a84b9020588ec005bfaba0f76

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f41304552f255839754dfa40fbe75d72

SHA1
9b69f2fa3505d5e11144068c7016c3481cfe663f

SHA256
523792a99b0f0111455a84a4c45fa2bc8bd7c8e50facb2548bf022553a8f93fc

SHA512
0ba38300175fe839fc2f93dcbd80a307960ae0800e61b666ca2e9337a30410c68c6b156265a37dfa11609ab55d43a4447b5a6238f442d10d73bf6a11ce38899a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2004689a3d6425d7305c33da00ca0616

SHA1
03ff7e068e445dcb714c881b9f6a6e668fa89884

SHA256
ca90ac8642ac1595c309a7179948293cedcf81fac7aeee621319c40ed9507583

SHA512
cd6b92aa270a8517433000226c5e8711b3b059510db9050b4ade9d6f902f23889c42637c0719da5e36b74cc3d3f084e5b17a214f4e3add7f22334230b4f9cbe6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f095aa8a77700c890ad8fe154103272d

SHA1
bd76b0a4a8394390ab1739a7c81573717021d451

SHA256
1d0be5cd678ca3fa9b53d8d1e0b25a899128d0367ff59ee88c464f895ccccfd3

SHA512
7c572088fba6e11d2c66a1c8018abac27f70f0136941c76d43532dfe1d61fb408a3bb4a5651201eb8eb7ae193c05c572904c4068e087e97480b098f1a6af0966

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f2591ac7aa6820ea426b23bc5d727a34

SHA1
2fa63f2bb0519a4c7a966051b977205ad5a54181

SHA256
e7670fb90e69636cc2c84c2f01358d79c2729580d43e403ef0ac4ada8302c025

SHA512
1e85d59ed0079c462fecac234381266c0fbf51235ed0ae62aea69978ef6ee20040decc587bfa99a6fc925e60a6bcb2400e1b12c26136f877c82f315e2cc7a402

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7b53687decf75506e40b791643c1c6b2

SHA1
9099ecd871b344ef16f9f3cde943c66eb04fe057

SHA256
1ddfd9cf125ac279b35956c725f40f368d1832fb28f562ba644edadf082983a6

SHA512
372bca43000da4b0e031a93ea086a4adde0b6dce68d9c89daebd4661c697749776be389a7868b22668ebe019678df649eec3d85e68debb9f6e95399d9c92db5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9ba2c87bb6cfba709dbcdecd984c2c51

SHA1
a08a3734a2fb3d1292feb089da20332191040e69

SHA256
dc5fdaf6432a0ec230d797e4f0edb24f7a7d286902868d0460204f01bf0eb967

SHA512
b8628929417b2165dde6955dbbe7ecd85b9ef890bf9e6bbf28a06c5ff568b3d0e451a425253ba946a8712c70679a03458db3190edcb71038d818678b098ac323

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2ae3123604115364ac35a337d26ba490

SHA1
9904a6a31589c93c56422243eaffd57488de56a8

SHA256
d201a57935c8e08e5b2d05054c1391be4ea83cd771ee33e5020fb89cfa3aef1d

SHA512
05a1ea25ad00db68666188db058d349518b4e34569ac16cc231cd3d400fd6da66f8c6de36f3edd3182c45b13319caa3419888f6e8b809a7d49f16c22f2eab78e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8940868351f6f46ebbf07f4c26707d96

SHA1
43c62ef82af2fe2a4867cfa75a79ef6f619f6877

SHA256
a0f1ac055a139a8c45c745d1b893bca2410c6ec6b4ee7a59606c8cdcc79952c8

SHA512
4ca0dd6c8e8927c656b4544d038a9ab1d43e67de2531f6543afca25d07860df91b2bf083bdaef2af9b5ef30cc97f2c4f0a9b4db3a53f44d5acbac505dd578d24

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2154a80426fdce91171e95f83e47161e

SHA1
8c29bee7300fccf4a6900fe6d4d1eeb5de5f41dd

SHA256
df737b06b3e56c29d3751995c7d2ba7f96ad24e10004c20d7d271baa7a50d9c0

SHA512
5e65b400b973d5260087ca21c5f22d274033bc054310e857023dc326581b128cb65526b1004b46b5a54a6bc0a5757f15989fc59581f6aaef040187431d1c3525

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b46640ba7981a400a264a165208c4aca

SHA1
3ba80d90ed62f116c82976261c0598601ca24fea

SHA256
406a94f93da9f824bf8e446bf2de01d8fc9fb31bc8cc701fd5f835937d1ae066

SHA512
7731ccbe2bdd0469650395c5b9b6c6758db05ba49ba5ad807348e76de216b26d11419a72126a7193a2daa64e08ecde70d7513c314fd18b8ce6bce8a6d4233f8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5597925beec98568f79d879de09b5e02

SHA1
9a7a5dc12baf20d4c29ff35a873cb630fe214ae1

SHA256
7ea45969ca68d010ec19b83173b2a384f48e6a632953275cb3f77f0c1147e576

SHA512
6cfd6b1b32429471ab5be95874ce5b90883caeb9b66a2578100d0ab04a58259596abd9f53541f87728fc5023a71582dee1f7e322e948cdf6bd1eac6b4a00a8ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0f15bf9419845706e738050893587765

SHA1
f6a885c26383f62af12bf4faf14f3f5b86f77069

SHA256
0fd0eb6ff1b96800dfe722dbced7d79efc6db9c033465da0bf47f5a32962c922

SHA512
fdfef3edbc84a9762fa5865182a243102217a45dcbf76b051e8c9fae541aef71b1541c5c82bf225d11ad60f817a9d24798474171a7f7f17a044a8e5e36f984ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
11b61d0af6b8a40686d41566663f291b

SHA1
06b7cb3a78528e3627fa1bd8dbc3cdf3fa61a72d

SHA256
7ca37f98a119198aa4ac22840edb0ca19257006f344ec5a759143f3745dce4bc

SHA512
d728623ce2fcd23b8bb45beed7d4f877a7d1e337d2c3dfa2bf63eab4b5b3a6d3a61b1c3c98a42803774fbf606c0b2e0208abe121f6bd84136ad6f2ea75471f54

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
23d8192bd7017865db4033995bbfc62f

SHA1
b2f4dc9d0833d710f560f88bc15469f5ea22e0db

SHA256
5944d7a8d24605d93569f95ba8d457ecc0c9c3f187f0e1a67245931f38c7a4cc

SHA512
b88ecc842b493aded3c699f72cc4bfb3b53e2e79f85e7047d8c2672234138a579a6580455ed351d846e47a57aee9cba5eb1c0570656e143efa2ad029699063c7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0ab90c126f3e56abd9efd57ab849c87f

SHA1
90f7c7a6418013701f5c55bedfece15e0c1255ea

SHA256
82099202f40ca3bfa39b7f5f51600047f9a87d8c88c9f9cefb880353647e1b39

SHA512
0bbb4fa25e7a9e61921041d5006117dfac641fb8739245728cb92a64be6ff9d191ef7430f2f63952f2cbacaf85ffcfdc463a64b8d300ec645e73a3601bea544e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a6a87df4bad29e1e7537816a6391d9ac

SHA1
d34ee18ed1c16be59562b19f8b112352ddb6ccc4

SHA256
8c513454f2eef31a47d80c24515a1ffb759d51db05361670fb053ba755656cb1

SHA512
86283c6214266a49ac581d8f4be5f9d7c82b56b276565b0e33d16949d3b2201d41bcac273c410ad22ed3eefdc08ae35f83427fa87c3f7d7c88ce38f29e5dd594

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b9f1d4e762b0b216fbb1fdb4c5745798

SHA1
35b4a75f1e8c0ae8687246b00581ba1538da6156

SHA256
5cbf798be6df0a4dfea1c88377aac3aaf7b6955e4492b2619c3e52b6bbbb9ce0

SHA512
6c64900947bbdd28a074508364fdf4d102dc431779d1302019abe19337cf5429512092dd0df22727c7d2ac199bb440c3600f0980672f3345e51d4238fc9e1127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ea0a9a2f12259c88606b1d198785a650

SHA1
694d76e90f711831dd7f6bbfb3b68b0293f9563b

SHA256
c10f8a586c2eea6521b323e67f216228478b52720f37502219e6b895a48bf80d

SHA512
dd7c43df14e46c0433f7f9a0f6aa3468801853413b3f2336da39477d0e374fcd791bbfb9cfd06c69b02696a4b9156833ca7ad32b52c1d5ec7af16e1dba3cd154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1332286276238606dbb9f5f593587260

SHA1
53327cc37f9b55c1c305f5c2d5fa66c69b4f6d97

SHA256
327011ac6ca39eb92068e8f02d4989aa52d7168420093448edd0fa74daebaab0

SHA512
fd3946ae51ad89876a5cbf08314dc23c30a01dc17afb2a42f0092d345efc39b895c43b4b61291ba8ef8e474d886ebaaf277b519eb906c843128474e7f1074dd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8d87e63f7b700763723fa1a756b07ccb

SHA1
dac501c4ccc36ed1fd2befc5b1f2bddc38451a6b

SHA256
627a57a7556c56700a7147a1e7abd105a586228ea09c488d6ed8144d8c9ca147

SHA512
ec993164cdd29773981d5b53b792f7e10cfa2c0eca98820045f4112acf2fad2b78e186150dbf723576d8dcdf1c90552eeae9486e454c691a57414a27f76283ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
657261a1bbc12d95ed972e763861796f

SHA1
e34583b8f21f7e87e5af384093071dbefe888d65

SHA256
6ad4646c7304155a49f62fc64d42306af9774f94c7e7d34cbe930402c1f2542e

SHA512
589d9382c9a3d5a3dfb1cb9660bd84511b09ce7322a9db48ec1ca0aa575dd401ba9705e71d084c4e51e19e359cd36285a427eb18e03f4e3695e3d87fbf4d0847

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
564d7591ca2c234eec1c31a97a7929a6

SHA1
dde058cfa6be429964ad6b2d65d299c42f3a2165

SHA256
4ead958020dd0c154d47b2b69167df4e4b656e1a886d545bf8f27c1ef30dbc80

SHA512
0c9c335dd39d3081a5016b9f27fcfc6313d4a999bd3d008224640e717f139d5e507773a735406a6731919c5fd58de43774997f9c6442c8926aef20b3752be4c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a0e87d54a1debbe74570279a7efa3756

SHA1
1e078ae51e5d1adebbd5a0a5de85d6a06efdff21

SHA256
53c6151b33381cc4119668af2a0ccea4056d1ff29adb9334d1b42b4dbb4462ed

SHA512
dac70b6068152b2a56d848654ff24178834fe09f96dfe95ba2504a690d553b9f5c83f52e142711e4983e03c2433055ed7ff3c1b6b70695dc3d3af942093a40b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8b8f5b4dabba007c66a790d102576e97

SHA1
7c69fa8ec7cb8d2ba0753e277000082187c4ef4a

SHA256
446f89a7cb72efc417ff5288073e328d81b143b58fa0760b1b01bc2cf8138439

SHA512
5687c9e45bf2bbef2083a8186acbd532c51f8b295bf4b54391f4386d4e07dbde2b691af0dc5a1d9166996310157dc1d068acf4589393854dd4366933403da78a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0b52a7e3a32f4fae134321fa7bdfc6bb

SHA1
83fa8c3d3f632995f25e54e8c0e159c864db466f

SHA256
72ddd86889444f9e8042da5155fd3c82adb72720f56a87389e750b91066d15b4

SHA512
0098a44d20cf085e67c21bb52f88178b4d942a642e23ff2bb426870934a2ba77b5ffafb3aafa4f3898e86dfb2a40d6cc2710a4b33b329d1748482b3c1387b2eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cfcd34d89c8890b80eb5e7f08f200b4d

SHA1
044e9e8ae2e4e0e7127f5e2d56a042cb152b2dc9

SHA256
e1a96896bfa7204432bba44532896f10bd2a378154d223a431ab432374fdee31

SHA512
8309f466f1e0249353f49a6d61da5b7e23f9a6cb96fef752e469b3a05bbc9e01f95b7c2d8c12cb638ebd89b5341381bb9e32674ffd6a8dcbb5a025c37e5c4d25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8b6f9f1fe57d8c1ae1b0a86b35450990

SHA1
16e6be7b7e847b686fd284cc11f42442ab2447a0

SHA256
086428144bc2e04969a1b3ec0d1f117aea5080b8c2bf8c0f177fd5090aa299a2

SHA512
f309ff1e3b12c87512560c4eb56a42bb48a7f6b798c664e83698c1443d0132f2b6bd6486a012cf4ccbae6402b4e6734a28aa192c1047eaa2d5b5003e9b24ebf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
81a4ee751360ac279b8b3985902855a1

SHA1
d68ae30d3b169150c2be44cf90038ca199fcba56

SHA256
c36e51db8f3ff265fd0bc41ef84fd791f4424ff9a663028a47bf353a79ae7d23

SHA512
d225791e230ce4a59f820e0ea1cb7a2aaf09679fc200b59e235871a071dc49ee8f4c30a8dbf374f70869bfa7ab7ba873d20c70e8be494ed35dab8b1c1c894206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1ca0ecd3db81b095bd598b9009d93195

SHA1
ebbf766cbcf0bc8a212165d047701bc82508a73c

SHA256
d5e7f1b11f050bf792d9fb6c5587dcef9fc088614b8b36b7a09ed1a94e00f6a2

SHA512
dd123e4c0a43dfc9e784dae38859b9b6675d695fb3c9aad7a8038873f7d45b51dde51608a548e49c2c39b176368eb32b53d0274a3152d47c6d1516f014de717a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d14e0880294aad594d542a3bd64957a2

SHA1
96129a52008e1587111c6fd2fb8a452f054b41d7

SHA256
4fbf8f785219a84acbf9d5cd9e7bc19e27f76efbfcb38f00b9707da3c6be9a6a

SHA512
6a983fc708a6e455820c95b689780606e86e060402b912f7f3c260b6642a85c977556c5293a7eec25f03fa716dc4c4cfc0a052dceda5b96ed9c3ceb6c3e618f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a30e50e9886fa0eb068c8fa75c4ab74c

SHA1
e03724b71154e527f00c95453d364763373229dc

SHA256
ec05605543e77c4d1f46ad764e0350672733225bff6c3fe3a376bc4a126990c6

SHA512
effe503ec4bbfb6fb6fe42dee23b63af6a2bdf4816a0ccbb0faf3985a336c58623467d331b3d08bda83c68f233c2fd998e8d3d12a6810884dd8c578bcbe3bfed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
40ac4d6cad040bc79cf9f12f16702b62

SHA1
b7bf35c099d107993ab54cfe9cbe1d650bed38d7

SHA256
6f14020cf480bd5db840ef50e6f9367b64f07fd3f550783e7e1b9fcb5d387002

SHA512
0ce29c80931d53509b7d48cf9040886051ee0870456e2d04e465dfaa5463835d12e324dd3b07481369c57132c06943054b721b61a61bb615cf9e48c6cfb436de

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4671c260c7588348afd41d72b02cbb49

SHA1
46ffaa6388954a957a4013257f350a6181459b26

SHA256
f293a79b1f021ce37f183ff48cb5f6a24efd93ddc11bbbb1a789ae43481f470c

SHA512
20f551169891d13a177c903222e00c9a2a086631bb9b81c90c978e1322bfdf957819077def327d9b0a8bee097d0a9e841f42f5121fbb5ca50842c75da01b6ad3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
04edfa6ea72a4b65833a999025f857f6

SHA1
abc994b0e0b1c7cbcc85c8e7514a5cdd3869dc13

SHA256
bdc7f5ead0f83b48e581a542ca2de50b55c5dcd120834ae304a0d6db78992ef3

SHA512
97c79c2ba2ad260fe7f9259e870558ba1dcc718fcb88f330b4f7280977ea6570e387bd7fdba80b68f6cc0c27bd7bfb8013b2707f999f4c0a267f26df5f1b917c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
238189cd3f88b427743bea1f3e005f9c

SHA1
94ac8ade9732eff3cfc6b6b1de301eaca6e74f04

SHA256
9e1029363b6ec3bac1ebc5232a7ba839a9c9da536b3c92d77f9aab1d5312845a

SHA512
f60e721308a093d463b5e0164868f55f59f0e49b8ecb68c65f9b1e27e22f4d4a66427301952085e715bc02c3c5c095ded8bbc9bef4ee68717cbaf7db5b8a7068

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fb377b472738f5b3ebef8723ff8cc6c5

SHA1
e46bd5bbb3346834d6a72d00a9443d4916e62870

SHA256
9603c11d093c20a0581aa3c2da853e468379452a75748cde6cebe343d92743f5

SHA512
bc29aaa40d768ddf958646965f944fd30c343d2a5a6dc0236751d16833df97b2c5c5db5fd958267bd01767acc1cff29902017c536bbf183b5f98d0078957519f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f618923982b8fb49b2c9b3cbabf8b8e6

SHA1
245ca1b9a011e22fbb573fb929d1e51b4e7bb41e

SHA256
402d7f5f1b6411e413eae0f2bb0aa6807dd1ed7c144a77644d7c05fff138f848

SHA512
b83a37825ae38b8beb49543c9dcdb7f49415ab0ad2c525039cb80d5932c1a938f0f6421d9f755f915771b9ee28fbf514b7a879fc1a972829f230055be300a60c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a7ffce61b876d2a5f1978deae428b24b

SHA1
7323dd96b8e555a1ac9c2fae7a98899c1e552758

SHA256
42174fd1a548794b15ca7bb1edc9af65e0439d6a9b239e4db7b4f3b0de805c95

SHA512
2939f04eae8303e4ed2102839486402a1482c26633452e3bfdb13a70c379fa46f053f9bbd6b4a56ff9a1865f91d08d0590723ed5750b8c2fd1fa554878dfe0d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
56f67df7ad9b79d9c5853b82f440a727

SHA1
8200253bd1c1298741c4163c34f071b0eb4d6602

SHA256
ce805a0abbac0d538a5aac1cc606962b1119b3974ee23090129694b3b8d24906

SHA512
aabf1a6767ef6d5af10bb8e7129762fc4bcac8298c49d0dd2b32feaaf5ab61984435122a637728e26c6b565b69f6279accf19a5d441ceb9b4cb0255a508a3ebc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
36467a0a762ecde4397dfae1cb0c46bd

SHA1
14208272c52c8b6948a79b24f7ff94255d3f59ef

SHA256
4d78fbaf417b93516d4063312294cee33b9fe4c8e43eee91f1630a52f3de84c9

SHA512
14f4ed445d0314606d206680c9337235500c7b30a1d238fe21f0c5b17ca73b254310953a7005efc2fed1bd91ff05ac7d993e120c6ef2fd4ed83408b8c621461e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0ce856424637c52646bdf4f5658f68bf

SHA1
124ebfa28dabba3ccc5777889d2c7959961dd03f

SHA256
b94cf7e3d5d23d0484831b6f68b958f74d41e5c0395fd1cca06f2629414ee657

SHA512
82eedc7bacb01573dda57b49ab7531920a5d06bd4fde96bb56c956fb6b614000cf7328ec769f95256b6326fadb8446b03323b8a25ca1fa1bdc25e13f8d8aa791

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0c4fc23c5e5c6c07fdc6e3b623decef

SHA1
df4b3b65c976d739faa6fa3011418bbef9680ff7

SHA256
00912b70425a0782df51ef5bfc479bd44c747e936d764585fb314998dbad38ff

SHA512
dd6b9686c28c24fcfdf5ddfd95619bf7a7d6794bfd3b16b9100d4413451e67013fc46509de40979e247202039f83cab9c328b0be029b7137c70a74382bd7aaaf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ef5a7b66175529be15c75b65cb985765

SHA1
249461057237d46cbc4c431784bbd759134c00be

SHA256
da3e718c47cef2bffac362038b945180f2f20b43ebab839e682ff0952dd62359

SHA512
de4215f8b52cac800b8b50116517b58397507b42caadc6a325b5b1ef19d5567a3c05b89bbd0ec93b38710ff229134882172b0ffdd451be75c3ae62f707c4e948

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f0fbf330d7239ab36bda97def0c18a23

SHA1
4f2f9bccee7aa066207b61fe30984c977bde2b60

SHA256
e13710694299b230f7ad52a963925d8396e30f8d2cca3135fd7b73c1901c14cd

SHA512
bc6b17f45a262a3f589029ec764d5ad51da8624273513293a72f9c4d59b4f28b922571a61cfa1ea65040fbdc8dff73afc68a81671575568987bd70ad6ab8851c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f194746925e0f744e74fdd3f74196c59

SHA1
e96e749b055a07f176996d547418bf583c868aa4

SHA256
51e4397d763e7d2c6c0e04928f7df2ef773dd99e04cff50746720b2fc440bdb6

SHA512
d8f57c57e2d15cf76bdf1f3600b4936ddfb0de0e9b7c1fb682456ba2fc943a1d15882533691e5ccdb0c9da08cd0275faf40719ca6d7685cbb5578da2d0fa0af7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
08bda01c5d860124c32fa15f6ede6977

SHA1
1cf96a6bbe8ee545db8990b1a76bd31402a5b043

SHA256
c854623ff1d7422f703e3c14da1f0f733b80fc0dd0e5eb17dd5132faae2e8dd7

SHA512
dd7d29993b34b57217082da6f0c7e3485a45a60967437e499b2eb76823adfb72bf2cbb611fa06fda0cb0ebaae829fd20228254ad28879944816ba2f20eb23be2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2aa50e17881b60d8d843905f40de062f

SHA1
fbe0c7bfa3b6feb827f9ea8e8fa112696f6f3f92

SHA256
407dd47101c6ef65ffad0aee2ec84afc7b22e9c2f29fb9923b4e33a234256f17

SHA512
213726e50ce3531bd2ce0254f9f16e2c32ab8b309e526f07adf6a61c33835cc48d7b765f919aeb184ffc57aec5662b0220ba4cbcad9c39eb0e865a0e13a250cd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
06f890609c2a113df59861143f5580a4

SHA1
3de5b20eb4850a18038c30324399b0d699068dd4

SHA256
0d625e686aef64e8f74b69f469357d3701a613746404b4d3117b76db1e11f291

SHA512
6f571c8c57edf293a31db7790db44dd744afef843ec2fc9a3bdf7873407a648e5a27db5e51be4409edd6c35f0ca5f99372c8e76666b8a7da2d0a777b307accbe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
49e6d4da8f86d9d129c34277a106df38

SHA1
c815748687287d971636a5d4e1a404f434e4c218

SHA256
2c5c5bcef6f1f027cd75cbaf786d9e99e495a3f9d09236cd0317ce4ea6888858

SHA512
494c42128d34a5758ecd0a145a20a0c690347dd5c5f5b0a5e94fc0d9fdf23465a4c05fb1d0fd2f5f924a41a78a3cd3a2358f3d34b8d5fd7bdf4d87419929be30

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
130d43788763a52041f95226d3f38773

SHA1
a51608aac3f7c003d1ad339e28685bdfc723987a

SHA256
9e5e254bffc1b9dcb569f5cdb4aed76f334515c08f47110cba8681dbdb23e928

SHA512
98a0698cad6863226ee15249d393ed94bd29e95b7eb994d958eb11f021f338c97aba47286dca1a01396f1b663bb471629dee01ac6ad489747693abc91e167f81

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9a48f54cba0a24d3b8b78afe76ceb598

SHA1
148f58dd528dd25b0d915e3ef7e9ea968f6d73fb

SHA256
704273b94ce3e066591a7c085c34cfc8af210b6ab174e3e708207eaa51d1c064

SHA512
89e29a31cbe555a84426d9f71b9b560c7f8d7063f9c1dca002fcde9686e9c0bc516dd1b825f51d92821e25d4d12b01e22b2138401297cb5bd8457faec69c9afb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
49ec252171f21412d816b6b42ae811e2

SHA1
f0670d9241376340ddd0a5140efc4a9fd9eefe83

SHA256
0eb4f916c4f37783c5f8a095b6abd802f59e718783750c24f1faa710076afc9a

SHA512
b6044c241264c695cc4b750cdd9e49f2074ce7dfe0eb6e737059a4c7906f1c48bc22ec0c9de008e923032a57d3c0f884463f1ae4288c5ddce15c5b6f114248e6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
891dfc991c64555525a197770c963ae2

SHA1
b9687742829d7c4a217ed796dc31d357e9dcd173

SHA256
da2f44ef3298febae7608dc984f681003e726173a5be15b29c9f39637c5a87f9

SHA512
b6e46f4da15ea94e203f6f0f7d0d6bd3f192d962be6abe428176a6db2956fb7fe53a0ca7f5cd94558992babc1ab96468634cc4a5b9d7511511bc0f9aa1b4b39f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
15ea924321742ee1e1b1d42e134bf962

SHA1
19a1cf17d3d0ff07b14aaefbd7e1461cc5633596

SHA256
9dbee09114d39abcb4f28d2f0b8603a342fbff4dcf696ffb6f97e180f5f17e16

SHA512
564330da945d3ffcb8474676050e8b76825459f5008be10149c2dab935c4165372e529beddd34e7786109fa50d24d1d55fcb828ce3950aa999e04b658310c26e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6f632747dbb69ed5146c832229aaf442

SHA1
926053b9ddcfea732ab07b8d3daf36bd63510073

SHA256
9f6746c41c1d1513f888d5fd778bc3f1328403d0396a61b3762a6ab99e69b3c3

SHA512
bbb49cb2952257cbf14ab53d88a78b24f9d53ffe0b70d62b8fe6a2e2e4031372001ebc4213fe6c6fc57eae0ae8b9e558c38741f634c35e5e2a4e749ad47e53b5

Download Submit
memory/112-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/112-635-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1064-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1064-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1064-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1092-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1092-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1252-37-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1252-43-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1252-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1252-57-0x0000000000AE0000-0x0000000000B40000-memory.dmp

Filesize
384KB

Download
memory/1252-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1504-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1504-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1564-634-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1564-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1612-264-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1612-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-54-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1628-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1628-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1628-48-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2116-232-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2116-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2584-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2584-87-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2584-80-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2584-74-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2584-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-548-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2652-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2748-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3012-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3012-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3012-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3012-126-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3080-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3080-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3108-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3108-631-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3320-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3320-86-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3320-229-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3356-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3356-636-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3360-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3360-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3360-193-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3360-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3412-1-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/3412-6-0x0000000002350000-0x00000000023B6000-memory.dmp

Filesize
408KB

Download
memory/3412-85-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3412-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3648-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3648-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3712-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3712-536-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3712-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3928-244-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3928-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4420-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-269-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download