cb07c8d2590ef7f2539ac50daf4b8f52a57af7e41489a2cd4ce26ca489d18d06

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
Size

1.4MB
MD5

cfe161eee0365094a619eb98bceab3c0
SHA1

c8e5888d8544a9bb305249f679bfffb3bbb35c07
SHA256

cb07c8d2590ef7f2539ac50daf4b8f52a57af7e41489a2cd4ce26ca489d18d06
SHA512

2d609a87d4b1c6154c6e9fbf17606087aa553de669a0aa05f374b5a59af1d1369a4784510ff948949e6382b254c84986bd438a2ec5849c86611977ca41b335b5
SSDEEP

24576:+vyZwOhTJ9pSRQ5UOOU62FBnO+E222YJbNEUQKGOb:+ifhTr5UbU62FAQ228QKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1948	alg.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4984	fxssvc.exe
1504	elevation_service.exe
5144	elevation_service.exe
3440	maintenanceservice.exe
3620	msdtc.exe
4048	OSE.EXE
5424	PerceptionSimulationService.exe
756	perfhost.exe
392	locator.exe
3260	SensorDataService.exe
2872	snmptrap.exe
1528	spectrum.exe
3128	ssh-agent.exe
6072	TieringEngineService.exe
1848	AgentService.exe
3484	vds.exe
3812	vssvc.exe
5272	wbengine.exe
4012	WmiApSrv.exe
5728	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e8841453293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045af36c189b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de45cfc189b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5244cc189b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055eb31c189b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b69be8c289b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0018ec289b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe
4412	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3408	cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4984	fxssvc.exe
Token: SeRestorePrivilege	6072	TieringEngineService.exe
Token: SeManageVolumePrivilege	6072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1848	AgentService.exe
Token: SeBackupPrivilege	5272	wbengine.exe
Token: SeRestorePrivilege	5272	wbengine.exe
Token: SeSecurityPrivilege	5272	wbengine.exe
Token: SeBackupPrivilege	3812	vssvc.exe
Token: SeRestorePrivilege	3812	vssvc.exe
Token: SeAuditPrivilege	3812	vssvc.exe
Token: 33	5728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5728	SearchIndexer.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeDebugPrivilege	4412	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5728 wrote to memory of 5108	5728	SearchIndexer.exe	115
PID 5728 wrote to memory of 5108	5728	SearchIndexer.exe	115
PID 5728 wrote to memory of 5092	5728	SearchIndexer.exe	116
PID 5728 wrote to memory of 5092	5728	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cfe161eee0365094a619eb98bceab3c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5144

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3620

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5424

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
da03ade1d6709fc9d2aee529187d6274

SHA1
ca0f8a420513cf297fdd41e1afcc0600456c54f6

SHA256
2ae581521a1c3f9f4020653bf993fea50dcfa1250969d533983490fed62e5ac8

SHA512
8b099d069fc8c6b5ddda21b8c252d44f87341e70f9a7681c8babda7784b65dc4a0df09ebdaaca68b0c664c24c974992446e00d519a14bd93f0fc5037d64d5cdc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
669297be3b89ecb0ab121a9d495e1bd7

SHA1
968bf6e2f467aad4db55e400d114337327cb4fcd

SHA256
30e1ef5da578dcb613fa1a23a6b432557df73e91c2bfbfc69a11efe4bfae2e21

SHA512
98cb62eb3983748d3c6ecfcca53f4212b971e897a5a60afa04e60c4b7c94d3b1d57af052f8e4b01a8a476e708dd1f09f2094a67bb03882af2adc6ebe3e511d34

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
539aa1073ab6d25a8454adbd9b68e425

SHA1
baaefba39063b9a874ee46f05e315c2456c88561

SHA256
857775530e2612863e717b423d3fe50600b1283382642f347155703dbcee209e

SHA512
e8a63df45bf2200212613e7a4667447aa66b2c255bdf2dcdeb77a5dc3990108f78267d3992079bb557a500d66b286f2b2c86f3c8e92ffed49871baf209f1e64c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
523ed39d0acdfb3a7fdcfe275da99fb4

SHA1
ac7a5a710e8fa91e620b2ff83f115b7a0ffd58a8

SHA256
115d7036d882cd2605dbfb23145cadd570b84444376de6db59310733289ff446

SHA512
7790a4aa619cbeb69033beea58b1d934a746994330124e7044b119670f6acebeb4f3458511e1fbb290f549aef6ed4f9d9f9a505fe836ee17dc747db74581f34e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2a937270911872e62696ce6a9949908d

SHA1
db93ee7fda6526b95bffbf0dd3fc9e09441800b0

SHA256
3a52d64864efaa10460f865885f4b3eaea50353ada0ae06637fecd58551d8378

SHA512
618dd1c82bb233b4e25c1317a7b59efb7765bfac168cc257f7bca1a181a0858e8be7976be3d99d2fdb2957ec70533cff703f1cdd500335a62d9b0385c5a1e767

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
227c8380e6bec2546fefa94df1ea5d2a

SHA1
90cf6491ae4d85f4f80f8f6121e8c77e30228d60

SHA256
1ee17c406cc1f668c329a503a7ceffea936b2f9d192c02f9bfa7933e0716740b

SHA512
f58e9348cc68c0e522de9facd3fe2b9be55d0fb451111f43c0dfe901c0caa980f78fed4848120836dd95dda203c01f38941459fadbc777bf7cbcbba460210267

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b5408585cfa0d0debebb8017da181180

SHA1
9718f4ef9c67e28f1e5ddcc68563107c38861423

SHA256
d9b531ece6a5ab4bfa9e775ca151451874403b530bd5c559dff9c72e73eefd4b

SHA512
da2be0898fa09ce380329c1d25b28ec01c8230f2839088ceb45a884973c49162488f3459da833c138eea2c06605f03bdd3656521cba2f0ae8312cd90d96797fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb75750fcd9463acf50c56a41af3cfbe

SHA1
a5e9d3cafa61ed354be10834d6d15bcdcd7e4c47

SHA256
22aa505525e138e6cf7c18c761c7dd6c98c3e1db15170ab52d0932821260ce68

SHA512
018e7d601230787c06382bb6e498ba6a9e924163c9f6332658c3f0201868bb2cd379a73df182e6c6c2de719a66991b4a5a3899ecb857c50aab58c38e409bfce3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
11d94bc09f939481b8c8585a6ae83ed1

SHA1
ad6cc923bbae79271a13fc783b640643e12773e5

SHA256
9b5ea9a51aa467cd9a8e3b541b5ea0a14bcf9bf3f589af1c2974cc7fa91fce1e

SHA512
196a45d34ffe9d52cdde298734a6c43b39a555c76967780a4395683c1a94197e49b0a615f862460f2e25942bd37435498a2ce589b0e871af4abdc3cf3a6de142

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
566dff8e9ca2d21ac601d577633701d0

SHA1
cb45a127dbde68a545f74e02ee03c63d76740117

SHA256
4588ea63008eff6e1a57f2901b8ddea2622f37a32299cb349de7305ea9176e89

SHA512
da25bd290e22a92fcd42140762f85c4b8a848786979f7a02b75139b79b58b688bb1f70e9c0f457d3f0dd8b0f04244f430455424a6b1f747c7481d33657434f6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5fce8158213cfb11180f07bb375296ba

SHA1
9e6f6a17d7e241402f284fef620db744a7b53f9d

SHA256
0a2307cb6cb769a2ae47b31d411c191875ffd71596586b6b221535f05b17127c

SHA512
b57f1d9434b595cc72ce172ac170747ce1a116aaf5147311482a8b5ed20b4d1a461b835764353b3cfd185ec7dc8d79901beb1b25a0b3fb0cd2a2af877b9b4f5d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
225a042baba4f06d030c5b0d4d0e81f4

SHA1
1b95623c4a819198573330bd5d1ebcdcba45dece

SHA256
d683a30658d259ead85e9fb13f49ec00e75f07877f9b4093c41154bfda588d81

SHA512
6dff99cefb1ca93176438a2e771a2a06a3dd62532775b8c9a56f344c3b55ee6094ebc588b9d5aacbe0160ebfdaae2e24d5c0917526af24a35d154d69f7b71c20

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4240dfe49d1c8c6cdf17608b11f4dd05

SHA1
8daa38df9f5169b5dd6aa62a29705ce7c7af1ad0

SHA256
6eb95604473388d07daabb6035ce8df043895fa9a39134f99a9bce99950880b5

SHA512
836377c81da430a8869395e81302a44ca1eb1e8b59d494397a7aabacf0e623352769fd7e9cc1b3b4ead34de7cea8938a3a684ac2c67bfbacc1cbe580d2d1d336

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
07bbbb1f22dea2094967eb4016b23cc3

SHA1
03556744409254dbca34f34027c2566beb4eff48

SHA256
1e5f8fd665f55fbcbb84c8ba5d0a16e815fffe632c82baa3b02366652eb90a9b

SHA512
1cdcbe624591a59557232790954fd7707a04a72da247da063ac07887d9e9200b49428a5687134a61ad6b856d04a344be84c9b70de71ce55f10cc3c64688a3527

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0383ce7db80d7e7176eec2b0b40b5d91

SHA1
41c3b224431a3d650530b00dba2552d568ef9d09

SHA256
5a44ed640ac62a95c312374c920373bc6cf38414e2f07753dbedbe99b60a0779

SHA512
2a5c6770911704ce55e3de94f82edd203bc52211002af9ad828a1f84935da51863cc9caa79af20f745574057984aa1c02f232c2613ea063de288448b208b7745

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5f8e0a3603900de19ec08315dbe0e659

SHA1
5908e61eeead8c4a742d3ba7b309c65ccfbfbb81

SHA256
62f4aede688b543d0ee70678b2bc21c294de40d3cefc932ee61f1a4045f9f65c

SHA512
d496dd05669255c84c81d499c20613b74efcdddda41ff5817f0f5b571412e957c7984981e1d723f7bcfc0f2e40beabb4bb36781d749fc4c2789a2a15a39d904b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c270d942d2283bf1e424b20867a71829

SHA1
9d98d03d9ed6f50ac82143fc959bec95c3defadc

SHA256
ca4944c029615c9f3b80838d818a465f58766917e1c6b9249d271f5d1571eb1e

SHA512
ddc7c91e676da58c9c902de68b32ac5a1ec66fc4915a9a5b331c686b51d7495103ba32645613d3a3d1378a1c1d8b1a85a2d9a681ef075d64b2b2ebe7cdba51ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cba306168a6b9d747115bcbf4be8585b

SHA1
473de5fd92158383cbdd385af1299622084aa1d4

SHA256
9be8f753b3c13636408dfe766f556b09f112d2218b47a47f0b25da986b8d3b8e

SHA512
ffc10644a4a2e54f7c24df04176610d61ed332b609e1f2d59a080cd5c2f4b909d2c9a5d89f5148311c785fbbcd00b658573ac1d54b4f701f56a5a0e0f49bb213

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9b758a285c6471a7428d6817200f69d4

SHA1
21336e212e6ae74f2344b4131c0c7b8dc0ba87ab

SHA256
fc5d486191f110a58fe52c35d87f379f589c95ad2a4462cd02f62325fba70b56

SHA512
8ad5926cb2e134f505c5c237823f27d227694a552814ad796cca562f1aadac4c167d9456037631380d6e903882208733b5086b7a5d0d8a476064f830ac2189e9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d39c3000d08889fb39490109999e6272

SHA1
24052e48819d00c3f400d225975478b1f2c68cc4

SHA256
9934516ae15a4168f2c968f04036561b1be8e5459588aac030124042c95abae4

SHA512
05d6380891da94320ce3fa38e83091872263a8e481361d8b90099d526ebee2e2c9a9368bbc826e362485a0ca4175825e1c22eb84ab920e35966cdad420c74c1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
25cb3c0e880fff5311fb6e1d85ef63fb

SHA1
dd59d6884a5d926557732dce9e728bdf0b1dfa38

SHA256
94ca0ea6f99bcf1db72ecec1b82fd8be7abbbc66bae954653311d5ea10a03af6

SHA512
29dd0e9b1df665121d64a12bffccbf3a28a833474c583e993fa0f479452a9b381e3847eaed3cf166c874a02fe4d0a76f203f213e59073eda91ecd0972a77e6b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4272373402f842e6e5d94a76e3476d9e

SHA1
193fa8f3ed5fde45ca3ab796105a9add8fc45cdb

SHA256
a4ee8c010ee4c5f4a337598e91cbbf4f54a1c97504cafe94e89ea88a086ab069

SHA512
3e687358ca2bbd4d5ce96079cd8edb693498d16dfaf34b612b4a6b9c63cf20bdbc3c011c9b78985094f3245d0e5cdcc29c24af7bb7b164c36b7fa444b95d5aa5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8de5c6d57c71aa06d4a206152911c175

SHA1
0d5e8148fc833f72c4622c16b0b52a33b0159a79

SHA256
b0bcfc00863a576fea3397a78763e3c24862c42ac51a46ce64f8a104370a6164

SHA512
a0e3b56ebd64ffa7e0a465a14741d543529726de57719e00f52178cc36238281565290ee0bb74f6d953392f7b221fc2d30afb2f51d7672d6ccee1079c5926cc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
91c05bd97821951538810f2d7150fe51

SHA1
55fc7ebb40b7eec2fd387ec894e31ca09071719f

SHA256
90fd2a50cb9e3c80996bb67fe27af06c38d2c781928213a320e8773b93e7c372

SHA512
1d3a87228c4154cf7b6bab491bf3172669b0bcd0a22abbb5025b4a442d2b61d2d3545e061a7233bc066008376559928365af18868eb1b03b69fa60c677827fb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
92d761b0e3259de35f130593aa8bf1ff

SHA1
882499a3d2e37131f00bc9f9cf2e005832da07a4

SHA256
94bcd68a50e2688ba5460e61c5d525f52f11321cb76f562ae5deec1b88599f6b

SHA512
b0a54872d601e587e82c8a2eb98139681a87886ead2e59764772d35c8014c45eb26bd340f139d6b1041a159ad6d2165f58928b75586285d07e68d0cfa37aaf81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c360e8bae914e16d42babba05e530ff2

SHA1
df4ad69e1a3aeff2104301f07b6a014ab1cebd68

SHA256
f1351bb6ba73d6df917eb3fb3dfd5da508a567c1ad74057f5e38e68051430a1c

SHA512
bd07139e5439bce4ce8fffd40710f9bf426ee438c4486bc86a6d9f4861425c0d50acca8cfc8cbee9f0a826d604dc12a39f37bba73bcfd6362b0ca07ff1304978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
992a2425fa58da49cc9d2d154fe53ba6

SHA1
069626f123b1792b8c03715fd059e36e119f870d

SHA256
dec69196da4495cb70fa47ee952e7c16d0725cb1064ffc89fe679b98865581ec

SHA512
7424b99b2e97706c7f82788115ac34a8919d001a5af7ca3074af3cd7a4dafb9bcab6b086351a672099e060df2747a52ad45975e8a97b6192537f6dfc2ee09513

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9bb853a17cbb39bdd5c3d885d0be63d1

SHA1
f1db222193641a32dc65e4746462b31317e19928

SHA256
c537d9b76c5668827d147d3dc03041051c9012070aed713ca85ea8e6d1e99593

SHA512
bf3ad68eab63dcb23e4481655f5a64770480eb7cf058f5d885c5682b7462958cc602f906581fb0efe210167c1083518f98a01f766fa422abaca8d5b7a5a42e0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bfac95e74585e17846629e46135b8975

SHA1
7a8f6e0a60df54b9e68474a2844656b9b50f5748

SHA256
8a07b9bc31963a89b5370c46491cf6dbc6cf95737139111760bd36d0ae856cb5

SHA512
7b6719db717832b47debbb5c5778c20fd1cc97ae11ce3ed3d66114c2c83914146dd95c9b8ea2bf22af9036dafb712bb1afb1b998bc5e1d8ffc17e1d77be9f5eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f3e5ada39d088eed05b0216fadd280f9

SHA1
b671b168735c29a6b3d5d1e5164e40ee0411866d

SHA256
7c09a78789a257cae5d9c85fd535e35e0d0757089b8c61bebf73962710ea1346

SHA512
68949b62d677a5774b1d7898bade1b6146f1ba6fddaf59ca0ab95e096f65f311df768bec5fdcc1ede6c579414a9c9d988513bbc6e996f404d301d7c96ed87f0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
cc25bf99af2d7f8939c23bcad6ec0d02

SHA1
a265ac00e9812998cf157f8cc5830d03765b7c4f

SHA256
6a0a17ce72b39504b3fd88aa0d6e1889d7774769d195e7dc9fde93e1215bed3e

SHA512
e3a4ab6b7570dc8f6e8a30ad539bdf036dcdcc00ea41a0f31516d066207e9aa68167b56aa53aeb01d0c9852ddd4b176488e966b9fa3c90bf21effd475453717b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
562b43f37e9a30c90a3274bc3cd21675

SHA1
64de17a4364c6f183bee8c577038a159713fb8fe

SHA256
bac25c59080b21e712eb0fe8df49f97d3ae38b4a73551361de6396804f7cb975

SHA512
2c9f4635a5dea27069f30a06069691a09244dd92445839f8d19bda66abd779f58b8c0093f06ae5db6cd38d8988099df8d896a5f713737fae43d3c1da4a994945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
02b10ae86c7ed9763f53224117e047c5

SHA1
e115976309c1453648bdf57648b1ad39c790ea86

SHA256
de33ee744e6fe70e78863f011fdf7b05b665135418b2b1078ae34f66ecbc9872

SHA512
5d73f0165493c56483623d88fd9cabcda215b1cc05db7a19608417aff275f5d06f33a02987079ae5b49360119511aea0570c265efac6407dd025d04e8454c2f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
af66ec4b1c1c102aae6bbaa6e654973e

SHA1
8e97bcaf2e694632fb5a7a1e574a997bbd5c5f6f

SHA256
617f3f4079cd5eee45bdbf647f6d716eb6454d38b9811113e50b05ab0ef257e3

SHA512
3415863494af6c49f80695a49df74f2c24ae0837d10ae4d4364bea7641934b85bfb2b713092ac2c2f6d37685e66faf0cb0350018483f796c43e4d6cf0ee0ecf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
38d9074c326f5f6a41576b433f1e8591

SHA1
efa2489b35ec910c34beb84c7519fa5d61fcbee8

SHA256
e1e8e99093bfcca8e3898d475d4ecbf900301a29d713848dac999e56c465e918

SHA512
ed0b279d40b7575506d8658ed06ef99dea0e881ec636feebd3f64d7cae78463049f2aba512e036cdc0ca9d438c3b9cd8606745f7b9503671df7f61678bd59029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a33d20f494ae18bec4299278269660c7

SHA1
feda30da736a8f74960e0bdbfff167773788b39f

SHA256
4822a2d8147b1c8253b3ff1ebaa2f58841880cdc777317ebd2fc129a0c0e4704

SHA512
ba46b449aca4e6e619210b3710d47d7210f5571a64666d11218833dbcead30bd9ac46ff5fc5b242913d2e871f3bde6d4f01ff9d22c8da51955be29d47e744a51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
e1003ffd7c58d9f8a9cd28fe2c41a72f

SHA1
32ec130b6652758a047f852250a262972de4f49d

SHA256
c14ffebbb1ede7fe092bd4bac018527b7ea670f38989e2e3feba762f2eef4366

SHA512
77d47929917c43ddd5583fabd7e31a4ef37a1cc0065c7f0ef31fd6255aaad50a35bf2882e72840f6bea1f7f39f1598347c589c8ffa94ff4c924fe22b8d598329

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b39b7985f26ecbb0629dcf2d62809b04

SHA1
174d9d429106a8583dc3e417a75e01aaada068c7

SHA256
1d3664b1238f1281ec2dd226067a446fdd8cb196b1d570be290dd4555d33c079

SHA512
0437e4be11187528595c340be5bfa6c5dbcb69fd9ab05d3e0f0fce0d23c7587dd99ffa85d7c704b1244e9d16046c135142f51490d6c55fae85ee8a8306888bc7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
db942ee5a3950ef8ce9814c2655bb264

SHA1
948e4afc500e8ca8a6634a23c626b57368aa7468

SHA256
c96adacb379fc1df8d994f4e11a497ae911efc17f2cdfb4a0e95661ccc352ab2

SHA512
a7532a92f38748c756a2cc63c3ed5f12ab08a5fce781d852247c8404c252e027cff619a48a749a88aed76fd3cfac3487e200c3ccbd6121de5381194384c8abcb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e0ef651220ea4c70b32ad9ffaecbe477

SHA1
f75b1b1f2c201f93688de78d8df316b29e66d443

SHA256
a1a6050a051f4629c4265f27b043f7a7ce77e46e4b6e7697dc2c3ed7681b857c

SHA512
ea9ff6e8cfa54149490eb7e1512774d73327fc4ece0ebcf25c8b3b9fbb62e4a506dab221c7790c484d961cbd221d3f536abd84a00f34a5d571abf50b11726c8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
674d0ee5d1144807540bebb4305e4547

SHA1
ed4e044b79762d458b64df90e7764bb4b8967b68

SHA256
025f8eedd3bdd8829ecd82ffda4c0128a74874af3b3a0cda8b020729c23f8c33

SHA512
99c6600945ec88663e1591ed57687feb58b53f8c90ce2873cfe03dbb3917193ae3ea271f1b176842faffb4777f6512cd37976f98836a14fd9ff6a0ea0d4cd083

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8de1e2b6ee115c77524700640a6dd911

SHA1
61f215a413d114baf6dbce6de80fc5071e62b1dd

SHA256
33cc7a5e1cec9b92c90d5fa28bef195832c8dea71a3deab390291fa6fd7123c1

SHA512
70b5271caa62f6f93c8e4b9d17946df81f3ff5884cb73e4358e04f554663a19794184e42d31b2dab65f394ae016b80ca51178eb4fddfb4f9076488e231c3b450

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
de45c453e3e745c303243f6b5c7e347e

SHA1
cc266dceacd92c16e4973bcaf06f867d35898bb5

SHA256
90ef09c0fce16d63f24fada7e03677801fe583e0364b023b7838447709c068b5

SHA512
36fca77c6d74ebee1489af862164966184e94078e7278950648de4b5e989fa05cd08e19abee630c3eea9955b40656e04a4ba1d017161025c4f8b5e2807183f45

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b25bbbb79a52395097ecd3dfa2d1fb98

SHA1
d0d82616d2c00624b7a4ebd67980b5791559b7e6

SHA256
51b91737b64c1ab2d8b4a67670344a823c7c5aa5ad6b36ad0c68e02e21430166

SHA512
a01b1a86a8b92756329208c526ff6f2d37e67df850f56f0010908121d786923543015f121c353f7ae92ef1bef6c3cff1aee2351222d9a867f66017ced86eb3fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dc781d851fe1d7aab0b1af28bc1ba57d

SHA1
9fb3b51a17aa75cc55b6e8e2db0041a1c5bc4fb1

SHA256
9837c4e9471154853bb08fb81908a42be4266155f21acb843e198e97ac59eff6

SHA512
b1711621ea0b5829998f3d38b303b32ad16e17f929c8238a57520a27881bd0a0b2c16af29668eebbd324f6aaf489874826cef1387f82a39f863a6199b67a4df1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
484900fbccb0560923d9920a9d51fcb2

SHA1
5b58e2387799fe2c2acc4325816bae77b5fc6cdd

SHA256
d94f48a2b0475bcb2a4bd1021c3053a3b039f5f39968d74137a5a1dcfdc3d514

SHA512
7b8745ad4f5bd7bdf0203e82258f5d0bd28cee69772c422a67cf5039434a4387243876d080daac1681063be4e94c3bf6b42eff65bef2e78e514c69bdd58d4605

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d1590871783e58ccd560e970d5eb0155

SHA1
49b4e2b0cd281a43b33f66cfdc378bb14182bd50

SHA256
8e268a0a3985e14cba72348615c5401e8ed37777be3141e6e5f527938a8e49c2

SHA512
0ef2f1ac619bea28cd6f51032a33a0ff5f1b05b0e729401cd8decd21f4d938fbddc1519a73a11e0fac45428d8214ca5c74b7d7c4fbb5af05ddf6a2a2d9057d1e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
471a14dfa032b58a851b69a15b710d72

SHA1
aa607d22a0b88d02dcae94654b5a2d47f0430b3e

SHA256
a5a6d0d397d77dfb53c24bd82440566eb04aec2a9513fb60fdbc6749154e464b

SHA512
8fc81ebf6ccfef5f874c89c7294ec11dc0613a0a1dbe6749b93d063aa061af568b78ca68500db3a86be40299bca238589e5a61fdb712727dd2829298365490cf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6a28882b70af1d7c9a0a7f4b9ee1204c

SHA1
6d9808d51f6d9274c8e05027f4b85c37608bf0ea

SHA256
e89676ffbe75dbdbdd8ed0a28c9f6308fd422bd8692aeba11427b2f8eaaaf862

SHA512
a9019d51524eeded52a6f87a82ad02f88e833f82d01448915890f5a80c55bdd2358a8d24bfb30fd8fd30133f3326507d8ee3cd8b2990e95a276c7a8cb9af4029

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0ef0d03b73ce1133f586677ca55dc0a3

SHA1
1e74e49be0a4575cee307e483903a631d1174174

SHA256
e85fba5ea2bfca72fd38eaefa363678342f5ff209e8ae85891a4ea236c08e0b3

SHA512
e9373bab1ac7677421a68b9c171fbedfa321615d38ef6c27c423604e2552b6b4823b5674424ad7dc6a4f5ebfecc0f099dd3a0cce751c8dd85f1a7c439e0993b9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aca634c2c68846f109d360984261a08a

SHA1
a41c46ecfad5f98e41ead726b4b0eecec634b3e7

SHA256
37b9b15b8b2d3045422f0caba5d5d1177d92d8178c770960330c16c3da12126e

SHA512
6dbc4896602d8cdc8e9c6cd24227a8de0a855deb75db92bef450d692f5c1b67f8dd3dfaf0aa751d78a5820182e477cc2c93844dbc36bafb0a658686b02fded74

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ba9977f050a9e682124dcfdc89f219ec

SHA1
d8f31d3c2eb7a33120cbc2ea35f89e413db44ba4

SHA256
d8faa4b92c84f2355e9cc5038ff115495db2dcc43dba783cfedd336df43afc14

SHA512
e1c240e601bdc24a8d91d062bb060b6b6069adf291d850bb6bad43e97b66b6fcc1c1244a72414313d5b16dd1ab85582535f3d42be634363f7ff9ca9d29179567

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4230711016914d0ca2c7f8d9109e30c4

SHA1
63b77e15d049b6424b3f312fbe3c141d2cf1dd40

SHA256
9522d90ab238a83b3bb4672b5c9b42756b0b2171d7fbf8c18acad7bcf8929143

SHA512
c487fb9fa9c8d765809f469a70e65251ca36ed8e1bf921374a1bfac1ecaef7b2d3797c6da404cf1ab161a089269f606f21bf59bcec1d6aab3a8fe243075b3ce5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
59c047f8f4c3bc4cbc159bffa23fb24b

SHA1
eadd2f051ae5e3faee3fad350950a625adcb534f

SHA256
f4b521d3c3409e4edf326c4abb783ac47d309f9bf961ba6ed5ad439fb44a48fd

SHA512
0c50e7ecf77623e0573c3339248f572f4d13d448b68d937c45d0e4a805bb0681e3c44ba689c4fa66a16443a5934195fc893e8e697e89b3ab06e1733527c60998

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
edb7ac1834b21f73f84293a82ba7a372

SHA1
91cb7fdef34e04da748ae4b58a0fdae6d3735b61

SHA256
0cf2d50688b0d8c09de05143a2dad9222418bc2aa67479f044b1a37a84ca3d53

SHA512
6882edae79c7e5f9dee8e91f90a8952f55d031ce47eec03c4846619e522f38285780e8e4c73ad436580ee063f17a1e3c4fc36d11a067e8225c81aca40da173e7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6198891cb61aee2a5f4d3ca4c16e83c4

SHA1
ff6a69c2deace373ea6f87ac072c1197c880d1fa

SHA256
74877162b406b35ab1d6bd2a684e835b5e32e09a713b211acb2f71b9015ac6cb

SHA512
91dbd103b7ce9cb57d7e5d91092f8222c625afaeeaaed221c2e314d20c2e01b0fef752edb6f7c00bc3723fb38a1989b4d3d421e39605d1318d59a69b57e52c1f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
22f1eeafc6f287e694dfbfe7a2162962

SHA1
0ff22360760ff7a665d036a06d4e273c0c4903b3

SHA256
6c06cf6f56c31e200c0ce32ef9da0b976812dc5e5d307ab9c8fa3d4ea3ffeaab

SHA512
fd9f3547de9a5295544a2a5051b80d7381330da29aeb4ca5d4f33d9d9a783f0b352a1874168fa464a985dfbdb72f77427ab1f7127c112dd8ccea3f442b026247

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fb9992f50fb291378b3278bb8d157391

SHA1
31c11a45d660939e7472282642163788fd3718c7

SHA256
da640f348fa40a57eb2272f9dad4aae318ea8bb16f5a31bc4753f3e86e0d17e5

SHA512
66da5c291240cf81d5f50da968693fc0148c679ff483d48b8d990e4695a66af7ee00f67baa4db6b2b613cbf078a3327237daae76cb479974c2dd6faef070e84d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
900032a88820e2ed0bd75dd4da06d8e8

SHA1
ccabad18f92583f5d84adc5c6f50c38ceeecad89

SHA256
5bec6e7f018f22415c17352b906f5131140ab7bf16ac9025afc78eca4c177126

SHA512
9140e7a574725277fbd604ed9b4397a087fa9051129132a27f90da9eff00f47c1257ad74a8e91cb5dbff4c8838a38bdd68a04c3da803cc293fab822dc4404bbc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1483afa53b3435b22d0055861a645307

SHA1
d35f8fd45857dae6893301eaf4b2c70503172539

SHA256
31684df717562154e74739ef2d72474370419599ef6670ed09d5c6036324fc1b

SHA512
09a719fd3399300a3f43b2514b3b211a1c5cce7502918383b5f85ed33e21c534bfe550ffa83f7bfb9099ed1b14340bca6761f483ed21b59ed73f2572bcebfcfa

Download Submit
memory/392-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/392-140-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/756-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1504-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1504-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1504-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1504-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1528-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1528-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1848-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1848-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1948-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1948-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1948-22-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1948-129-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2872-515-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2872-161-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3128-179-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3128-517-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3260-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-508-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3408-405-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/3408-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3408-8-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/3408-400-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3408-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3408-90-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/3440-78-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3440-82-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3440-88-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3440-85-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3440-75-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3484-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3484-665-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3620-92-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3620-202-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3620-91-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3812-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3812-666-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4012-261-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4012-668-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4048-111-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4048-226-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4412-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4412-34-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4412-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4984-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4984-39-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4984-50-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4984-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4984-47-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5144-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5144-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5144-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5144-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5272-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5272-667-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5424-126-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5728-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5728-669-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6072-598-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/6072-197-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download