54a52361dad1dfb20b69e5d221af7b2342fc21a0ad64e9c0e58a4d38c86c0556

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
Size

625KB
MD5

07ce4be5e8cf10f9a061ebdb66330c60
SHA1

366ad3519361045b62dc3f25b5b7115c3b60ae38
SHA256

54a52361dad1dfb20b69e5d221af7b2342fc21a0ad64e9c0e58a4d38c86c0556
SHA512

a1a3e58e945f31bcb3f17ab4a50e775a709ba1ecc029db3883c1720c1f9bb5192edbae3677b0355d6e9a9622b7adf4016b1f7d51ad5aa37fa561fef6fcffec7b
SSDEEP

12288:32HeSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:mHet/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4760	alg.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2232	fxssvc.exe
4516	elevation_service.exe
2080	elevation_service.exe
4948	maintenanceservice.exe
2228	msdtc.exe
2008	OSE.EXE
5036	PerceptionSimulationService.exe
3236	perfhost.exe
3224	locator.exe
2560	SensorDataService.exe
1332	snmptrap.exe
2220	spectrum.exe
1452	ssh-agent.exe
4472	TieringEngineService.exe
1696	AgentService.exe
1056	vds.exe
456	vssvc.exe
1632	wbengine.exe
2616	WmiApSrv.exe
3408	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee28b835d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039d20bb200b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c744e2b000b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d424bdb100b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d4640b200b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000718fabb200b6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000521150b300b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe
2932	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1800	07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
Token: SeAuditPrivilege	2232	fxssvc.exe
Token: SeRestorePrivilege	4472	TieringEngineService.exe
Token: SeManageVolumePrivilege	4472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1696	AgentService.exe
Token: SeBackupPrivilege	456	vssvc.exe
Token: SeRestorePrivilege	456	vssvc.exe
Token: SeAuditPrivilege	456	vssvc.exe
Token: SeBackupPrivilege	1632	wbengine.exe
Token: SeRestorePrivilege	1632	wbengine.exe
Token: SeSecurityPrivilege	1632	wbengine.exe
Token: 33	3408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3408	SearchIndexer.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeDebugPrivilege	2932	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3944	3408	SearchIndexer.exe	110
PID 3408 wrote to memory of 3944	3408	SearchIndexer.exe	110
PID 3408 wrote to memory of 4216	3408	SearchIndexer.exe	113
PID 3408 wrote to memory of 4216	3408	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\07ce4be5e8cf10f9a061ebdb66330c60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3d47d2e687faeeaa367beb825bfd2141

SHA1
531473d765af176fcc6ff4fd3c9421b599d64561

SHA256
58d2e06014b3acf3d4bb555003f19271be1022145bd647ee2b6711c21ac64f93

SHA512
31263d4426bd3334d06005507fb81332527774267b629521ca9fb09d157fa6990d97771edd5dc638b5aa6849d81bbc868e71768bd46f5d36c7dcdc46206b3d11

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
99df8dab415844d5ce8ff59dfa11df84

SHA1
5d59c7ca3fafe6a6a83269fd0a72718adec3cf0a

SHA256
047804841b03531267ceb8eebe411525384fa893127ceae41ab2446275f5c808

SHA512
3c303f6dd11ab8866ed4b1f0ab555501d81c8f2c232b914deb2887d6cdd463540d400dfd8e2454c079ba2ce9317f1531e51e28a7ce34f9589e10168b1f4ef23d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c5ed20899f3c65263a6982f9278ec91e

SHA1
bc537e2f8959a7330261c5c9b8ca49639ad561e9

SHA256
76649b39c21a16d6539fdb3d54951c44384988c1fe133d1625cd6b2e6bc00bef

SHA512
059b8532f241f377e726d757ebf82d9a476d5b3195dc5093411e895ff2a56530a8f4e8bf7bf8bf610fc3eb6aea0a175c8ea2231288942effbe9eabf6eb72040f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dbaa0a6568ec775272f4091dc11bac08

SHA1
057a24a2602898a18ff1894142e7b0cd85fbe628

SHA256
d4725d8cb868e5ef91ae49876c689d69461f7ab714bf0744360a519f01757bd6

SHA512
2566d0afe5e7c168b5434cfabdf80156baf801e6f2b0f740e940b182a75d24330b5b56e36f1d07914358a44e60347bad955f476cfdff284ae27d69d8c250ac96

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
896ba4edf9b988c433ffc3d1afd3df65

SHA1
2e4fabc312ff4cf448909b7f498d2bdfa432b694

SHA256
34af0270197c5a41ce1215f1a1dfb65cfc5eca0c77a4d098d9ebca5302df85e3

SHA512
26aac50acfc71812c3a3a81f872a65b62b5cbceaa14aa7bb56d7ea8a424523a790de112bb408e246ecb08d98868b8d02000bdfcf2de69063bdb0372453b9dbf0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e111e6fee04eb1641bdeff10f224bbf2

SHA1
d97d6d9b1399205046e01cd73da0f4534c16322d

SHA256
afcde043280e17df92c2aa38d8066d48d15eedcf29518c0b0492144278d4d8da

SHA512
7109798e7c4cf25688e00724de6d1b1ec1efd463586e48fdeb910e8479bf0ac8a8d5f2650136f01876ac5669903651db82146348d1774f6d152136e116aae33f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5aca372d524fa0c98685dd32d83f2558

SHA1
6a9bb7a3122c06b91c60ec7c0eeda20a15e85081

SHA256
104a884f8feda287e5f8b4c1fa656812efea4f13b8ed82394e84312a1249ba7d

SHA512
4e195baa8e179c728bccfe71e844c67e80ee79aa369eded5fe566bc4f61e999fe0bac53bf6928abcd1d13843c3581fa637789e5cb0b41cc72480feddd1aeb86f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b09533be5f07d74009b0c67b6929c0ae

SHA1
0c2bae4fd36c69f079e7c51beac667aedd7ca90e

SHA256
44b31fa21fe157ffe36b06b4c2ce22dbc854298857d467c19ea38eeb78ced962

SHA512
b42af7b07739b9ea682c592aae35c550ff2cd2baff559f301ff95c202dad7c90437d9589dbdba6fd38423ee61fedcbcd95d3d5365f682c67efc6c8c86a5fd0d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
872beda1271518204a3bfc35fe1ee3eb

SHA1
51c3dc2d2cdbbf32c177d260845f8890e321b90d

SHA256
1d619c7f01364e46ed5ddb167971677be81e6f7ae0a997917a14002e7902e418

SHA512
cd6f245949f6c96bb3dc1d396a5a8ab2720313154f31eda77a18bf2b8ae436254515d291caecc1b14cead3af4706bd2f210d5fba0ee8e1c70959bc8bf9bdd167

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a6b2c44d45a17e700a47bcc06eac3208

SHA1
13ba35eefaf0d8182aa69896704673e10c24a4dc

SHA256
9611507441da4d802b884aada1047673937c4d6ef99cf4f0e380b1e7a3dbe0af

SHA512
3108cd11f5fe80c30f5d8590a496e3d99fb5236c88224f96b278eb666ffc54dac619fbb06e7843714b2ebe94f87a121e5110719572c4c486d3ade303289ea679

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b4f509ca511b025cec97956e5484429d

SHA1
9a6d33c236871ac1f2ae972b1c969bde401170f7

SHA256
48b867128db56b6c63e213885ccc6df0bd0b7219c012f653457a23b29b81b625

SHA512
59e529aaf8bf92c6324ece4758894ecb85414fc698207f306c5e158560699556fcd9c824a18ec14a67c28216bbbdbd96146d71787dd3343231c1a0e593aa286b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c74ee6273e2956a9dcbf1e9ff98898df

SHA1
7dd5f21bfef7c3220129d674998ca646be0a6372

SHA256
750648896d6f25ee87f066c4e479a3e044bfcbcf035facf73ea712b7b1354646

SHA512
7768afd280e7d8924b8bc024127793af954dfbbde48ec53de3c5f21e7e938cbd4624a135934d75ee2d705d18ad5523a8a3ae24eff70c2f20be873a5b5a3741d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ddc37c708688411cad148aad8d242f23

SHA1
eed57bb2b53364e053846119e2e0eb8e7ab1fb24

SHA256
84a3f9459bdcd4d7c1eb7955379fc531f6152b1afbc3036af990af052f4e2122

SHA512
cafac3382f17231228d9370ef14e1fc4f968b45a97e4ab44084e83ffacd04492548ca70830c748ba1bec60baa388a11bdcdb281c34da93f01af87bd50159d49e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
29b99c9a30a054bb8c6b41afa4eaa27c

SHA1
2af369be6c01cf5fe70196baca06e99504982c1d

SHA256
5d7a273d3589a996a0ebc49cbe54544570c7513f4c454dea3726cf74c531a800

SHA512
978b8e3dcf47d7673b9b033d05c095322207888299ab53a05f0f94b53d304cce731421e78964e8f00a174fe99e95e06f19c575268bf7697324adbad6ca72bee8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
30b9676192d05f47b8861ee79519abae

SHA1
48078ac401735fbc9fe60f288042530b8d9d1407

SHA256
79617a77bb8602da773320fc3ce7425b7e05b53de6417f3a92ed3cf700953dae

SHA512
48eedb3d779f66f3b9f66b43f38f9b8adda96d7bdd2a4a5de101d13047f92c708cb6ce560a8d8bfdbdbe60b9c139d8adf9780e7d57b3462c614f2afb52558a65

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a4a398eab847aad9acf6eedc2db5e5f0

SHA1
9f054c18d6f91d9a823919ea201968ddc84bfa8a

SHA256
86af2c9fcfbb1fcf3425ea0a8c96f9b35b1159af31c0959956cc5ebe6d787f99

SHA512
1811105bd568f993e928f0b3d32bffe120a536b688b0aa487d3678582caf34f288eb3e86836ee1d5d2ae7fbe281901a72f2540db94900f4b115e14c17482c874

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d7578e07f705384aeb03b392e294c253

SHA1
1a11922d132abefea5a37b31f5b9119bb998c5b8

SHA256
472c2b742aad6ca28d827bb68456eab7d51e1f22cdf5cb722b17933508a7b84f

SHA512
fe91112bf21c64a2aff0abb244b61c5fe2a05b146970f682f21cd0efb39eff94e2c5dcfda3eebfcc537179707c5ae6be47d13d0ab3b7309c7be0b8a8b9ae237e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
19fdb11adb901dfa26923b5b6ee480e5

SHA1
b1d8e683224e73e3a45c80090bc266f61fcda5da

SHA256
b3d492fdadae97bf89e0c0a7e4ddbce6fe150f5e8648a3a019ef75b9ad61ede6

SHA512
94fa2e8c895037f80f5bed1b59c9d2963e6abca1abccda1f1f1742a9b9d4f7e2440aeab99da861f4d8dc6a07568dd21a76fdd93990f7674b281c47dea337cca2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d277c3c7cc8b85ddf88acd1c40022f91

SHA1
e63d6537f1442b779849640ce00bd36d3fc895cc

SHA256
6610d026001c908910bcc6dbe24dbc967a2a9bfd64cd05b644c0b8315e7abed1

SHA512
941dd2e6cddd924f3e26b9cfd5a2c5e8739510d583a60d339ab03e56fe10af3c098070b70c52f0a257be97695d0874459d4030a3396a483fe5864ec426ccd90f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cd05cced3b31e93ef733e05e664cf26e

SHA1
4ada5b428245fc1e98b5496753399fc5b94990cf

SHA256
f6eeda041065685e77edc20ddbc543bc1f47934654d32e59f9af44a17c3ed060

SHA512
8c4808b5e55e288a2685a338fb68a3ad16f2dc5672b0a93bab060418ddb92d5b209db49d17211ac46e1411b52bb59a8f7890730d736da72cc2f56c09271bc842

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
898de9bf43e9b9de320dd8b4cc81023d

SHA1
83e2a8468899f8f37b2708ef3cceb4490b77a267

SHA256
e894e7103b5139e2c5f5c88ff112c2041679b84570028bbb10f48bd09c0ee195

SHA512
e72aa31ef0774d790ef0847963d0eeeb961c2398995c4e00bb55178e1828168355cc7ddc75525627af6412d0abb8e19f2a83336bfcc708e16d3a07fb86837f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3bd6c81b52de7bd923a938677c455759

SHA1
eb041fdc68119f2d4a854f565d888341ba9bdb6d

SHA256
6acd51335ccbcfd46dcc1bc46b92d745c2e3a94ddef8aca923d793eb5503f9f8

SHA512
e6e611bded81f784b69e37fb9567cfff86c8c5f7ca781cb51918d1a58573806f893c36b8ec5f196b1d8a262e2fa4d5440e9d596987019b2befcbfe09b0dfe733

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
90802e17c4fcbf901199104a05565a59

SHA1
4ecb0d6cfd03c9ba14dd02ce69a4ecb2011a1786

SHA256
884c19b589c000f05ab73cd11435c539b327d22594e16d73ff2119a7240b1338

SHA512
c73d84e8faa622dffc0d522c5bf28cd05cac2d38d3ccecd6f92ffb9b059254455d72620cea22e6d1deec37f8a6660e7df0d3ac723deb94e9b115ad41e44048c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d75741d3528315842b241d4b7121e661

SHA1
3461a42151e06a725026ec86dd3c507d495aefce

SHA256
14f3a2aaf98f6a43b8c4ab4a1cd2c7726ce197587b794aa3827cd0805ccdd5d8

SHA512
8abcfeedf97f65e71b6e2b461449b75920989c7be1a0674bde2f33909816478bab043b97c97c3681aa91ab99c51329f3bc31cff0367296212c86f632e4700ea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e6c992b74b41b8a7053d2f1ef56ef347

SHA1
22867a5578982df84639f2c4dccab56b34ff1324

SHA256
55c530eeab2afd3c030f8c8df2f1d9a70e47600f4c9804c5b4c72f2e1ca962dd

SHA512
06f21c1703432f29c37c82a23bec51cc21dc047f22706f68db04a6e9a427d093211571e7705455ecdfc2942e2475cd7529b89f73b2c6ca2df334fa20b5a2a104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d905b395b2be19d8dd24fd589cc7778b

SHA1
25741b0ad92e42047f47ff134e3513ee8dffc185

SHA256
28b5f54810dbfdb0807f35820c17a8e7e7538f8da4b823b8066e3f6179fb0574

SHA512
162478993d55dc68b5e7ee8cbb6da824f7716e7935e83475ca0759665d9009fbe09cb3a986c0350f062835b2da87d6ec3e26f3892db16fde8f74d543942ba7ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5c6d484f002026e52bd08a8ab9349410

SHA1
a00383da07f981c1cf59b390da303747411764f7

SHA256
2170625afbfb439a9c62107ed946f918efb92e5337356cf65b1e626eb8945b14

SHA512
2401812eb0c25dd994b17b5f490f302b3cbc40f1ff64e47f506fdb7a867db35d4a1a6b7194c8089ebabd8e354cc95ba01f2983c822a7d2f39c3bbfba03472450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
00069518cae94786e6c44b3814dc35fc

SHA1
748aa5db298a65ba95bba90c429d3bd5efdf7216

SHA256
caafc4dfaf858319b091a8806c48dfd0e62facf0a1baa3be9a13172aa7e18137

SHA512
98674922772778658afda2d17028801b5a1ea38ef61acffc3417c92397595e5f8cad2d63c625175481ac5cfcf349123b8139dd85eb305ae8cf8a88bcccf0ed4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
342a9c7e910305a71c3e24a946567f2b

SHA1
a807a28aa2eb8d7cc7506b831ff9fa57394df9dc

SHA256
5805b9f38163fee8707095936ed79fb83dfd2f74e3fd8a5aed5bde8bb8a1c454

SHA512
ae771459eba1ac90f13c615f1bdcc377b8bbbe4d0da6f2b0b8e4d9641aac77b3328cc0f82d4cd4da4e6c259d63f99bbd0331dfd3cdcc974e7a4daea85ee62393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
241765fb848635ae4a748b946197c934

SHA1
c5b7083df18cef598bb8430f51cd89132858caf8

SHA256
6187966bd4ca3b4e5bccc5459ca9377be1e830f8bf12d55f067cf71267cab860

SHA512
37c882d4bbecdb6da0b07b7a233a300ae8eb35f3850612462426a817547de0f968ed1fea8f81f5050c61d1d7d9bff2158677321f9b8db210c25970364b207f2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8a6944c4acd92e0abc2c04378d2e2642

SHA1
7cb3adee740e1b816683f69997ef0ab03c213c9e

SHA256
290c23ae9f4e5f041870a55d502ead09514ad0cae4b40d754da13ac243358427

SHA512
13b8146e43b5e076a011226d5599734b45a9a29d29693f4b10da0a16ef088bd0718585244beae69c24cf50ad720a70102f0fcefe239958445f71b870a8a8a476

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
71a84c68cfe92e4189068de5e78a3d53

SHA1
7299c943b2d38fe721eca8f787a75cbf450cf153

SHA256
47ee854450c54bf5a863c0d0d6b2cb4a0d4890b1eb1faf208059cc45dbb850ee

SHA512
3840bbd3b5c2f923970eae11b7b4f4a720b7d4b8e899df4fef1e95794a3fa387700540018809926d5a7e92bff97b0db2df6f31fd319e68f6df56eeb37084ec2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
52db035a42e3af5449e3bc18a4e76ce0

SHA1
2f108a91f0078c9f53bca232c5e7e26956309908

SHA256
f82ff87e17738f424ddd0734cf53e1ffc2ba07a2321a226a8ddffcfcebeb599d

SHA512
f14e2db7cacc4e3bc25bd4381ffade8d2a3555103b53a387e0fee538c0da09bbc59576120eea00bc35b312ad8f21cf5cfd556659932ccf4a8ffba5f99b9e43b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5e8119c94fd7a8f3f69025b15e6fea6c

SHA1
694e9dbb1a2ceb6ed76b3cd0daf39a939ec66710

SHA256
dbc37243f184a6de1cbab119cf867a432c7fe8a21cda6d31a9c280dc2869533c

SHA512
3e97aebe092a0dc2f363d732dde1add482dee0edcb32ed9674e35f37ae16a6d42f92d0c988ee210b27edbef79dd798b0592a54585b53c4f13b721115bb9fefed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
497ad00dd604d160a6f048daabe72c5f

SHA1
c97130f7333d4866847784879b5ebb217e2da273

SHA256
89aa183dd99a4b2e77a4779aa7619ece2bf98a0a039ec12293da429e9531d7c5

SHA512
181a4be62b7db03aabb692ffb22b27dbfbde4725d9fa0cb90570b71c7a2e2f5bbf6eed31b98a4690207eb72ac366e4f11f89b1abf50c6b76fd02c3bc1054b8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
12d97ae9fa6c30c18db0afaaa76bf147

SHA1
0a41c9ea9ca61cf3647e5126d7e176520907f625

SHA256
0a3824548ef12dc26eb5b7570268ec1348aab107bb8a120e9b7db5084816c8e5

SHA512
2cd922340c64a87b63fed991089272fdb12ce74153106e0a6ca277026fc896714c5850c687e5d64a47a32bde13c96fa34678d9a48fe1a46a8e1392ac1f7694ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b674e11b6542a3034599481959db3236

SHA1
6762735c01dbd1a5658cb7dc4435a40544b340aa

SHA256
aeb3e50ef6217492ca27eabd750db40d8750b32c9e14d1dbc54a5b24d76e4b97

SHA512
f77f81a3f5ab61f97d96f7b3fcb2c2bfc2be18b7f6ef8c579e5d9ad5e7ea1e9c2386c0e374737d10ad4aff45ffa750c64aaeabe63029d444db5b596dd1e0c3e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
561e88c40935b1cc8a9fab0bf53aa122

SHA1
da6a9bd81a1d1500653a0ab38d29334238015619

SHA256
1021707fa5e66629cd8f4c724945504c269a34d29be5e9858ab4071eaa34f723

SHA512
cd484fc6d013cf078833738ed1007103c81eb66eda8af0129fba6e71cef99f1e0e75983cd54046e99b08b8afc2b617e06a66297d1ef835b3435ac0e4e3bed9f8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
62af4f3b60d0a5ac395b1128044efc8c

SHA1
8b3ee0a434b13738d802b3951a520bc9312afa2c

SHA256
f63598391121998faad94b959ab66d7e1e3a90e37bd52129ca18605c071d7e16

SHA512
65ae8fb7821d22d74df4571093a6ac174117c6eea6b02ddf7c5d5f6607ebfcbb84a21161258469cb5015598408cf44983a3071e197b021ea60a6c139106ff2d5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f2701457b9cfa2932ea8330ab8f49cc0

SHA1
34a9826c53c9f54bcade7f79364d4be917e49597

SHA256
af4e1ddb4493b9170b14c4efe37baa33f09847077e49e608e4cd656f684f9764

SHA512
600c6472762f96d9443318b3d015e2b681f15e0c95bc4ba0e8584342b97dfbb24bd772881935b8dcb7ab526196f02444e6fd1a1591709e4568c71fc74a8fc934

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c17665906c510b48073bb4d86e235872

SHA1
bd8e5f8097cd6bf91bb2e9ef0676cb81d547089d

SHA256
d47a657e54e06870ac3528d24148f7efbd86b2edeb3d680a7370595cd396f03b

SHA512
71e0c4babdf70793c63e8ad87906f7bfe52815b1ded9a707934807c82e95edf04bc6d8551143d3e032e730a777937985c001fbb09d49b08ec3590a3a8350cb66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6ccd8a223b2c42cd94655c33d436f4a8

SHA1
97630e7d368d2080ddc28576f2a9fd8653bce3e8

SHA256
ff2bbab20f1d1d827aeb044d45c5d35fdf6236c9734a7396eeebcf751a458b30

SHA512
ce95673955b0f0d8743aacb274d41abd6454e19e5d2f17850a7a7cad0a9d469bf14fb8a6f659b8766e6ed481ec9e872ba81875077eb832bf52c30a36198c0f60

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f98a85234f16235203c8fa038f7086a8

SHA1
3f9f2216bd1e6a3f4dab7f7e876ad59fb18e5e59

SHA256
df293f3b82110a51cda0129ddaa31bb43e62e05fe2b413e32dd425bd39d74ef1

SHA512
3ba4922b9b58d3eb680da93712c5e2a6aaa43420d65b737dc0bf0eaf9f524d6778c9542ba061b09f461dfb3defe0420f08d1628888031936e83f668bc0a4deb4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a59c2d2488a50d7fa67f1f7ab4f3d40d

SHA1
5ab649d62348e5950d50a8b7778068453b164943

SHA256
54130e9d9650ec724df14bac9b39675e8e10df3c9d49fe061cd4a348959aa92c

SHA512
89e30045b321b2490d76fabacd057fc10c28c2d51e4abdcbfd89ae4a3a1bc595ed739cf0407762c4f965c05e5dada5abc3f61c7e4597a089e09d12f5bd1dc915

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
67df0148c7490a93e61137376aad18a5

SHA1
16769b819c29dac341dbd753862ece7c9fc731a3

SHA256
63296aeba2f2c25aef126280a18069b0981deb689e64021fb0872399a5f93658

SHA512
adb9376163b452b0380b47c9fdf0d3f1953c6b41a7903d6c9af1c4303b08d956d10afe8c01f80dc2ad12810a4e4cc14860de0645a89ebd26dd023df858f86733

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5b976b3d5ac473a109699b16deffb733

SHA1
53d01ae9930e4be81e264e4f18dc32bd4883a888

SHA256
89b8238563031eefc775a2f91f28faee3586bcc0a336d18d9494b85333aedd49

SHA512
d8a2d862d89888ed072d79e31a69d12c28310cf727cea088b13d3951039466b075eee20f3606cf3de0f045a0d7aaab08c203d68eec363e4dadc4b82845b9a681

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8cab1fe42e4cad70c7894ff207cb3f64

SHA1
6629e0358e34ce29ab48a54da4b5252a019a106a

SHA256
d42ceb8b4757af96ab159e38cf21434f5a7ed58a13a6f8aa2eac4b82c7f08d35

SHA512
1d81de1766b988fc51abff20dc5e547f763b46381213fd6fa557812cc0b21c75c0121f4b21a787f1c7237dd9273a56591c3d948896b15071c9f90f2f59d8cc9a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
35bd514c3e27badcfca41aa682793d19

SHA1
46c3bad1849cc14a19abc6cb52b74bc1d809b5f8

SHA256
3bec389741a8a460da341ffa975991f03c440464b571909da215f9cd04ec0cf9

SHA512
4a58508f737ea4411a90bef91f95d680d476c6a5494a12a3762952749ec89cdc6a33f8e35e4f95001a847f0cb32a638851c584ec921e06467dcfd493aea65deb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
681b271455ee964e59d0a860586fa74a

SHA1
d7484010558209f9c5f46a205bde5262fa2c13d8

SHA256
8331ce54d86eba8708396b78d0a9b25b9c910781c4e718e91169164e31183743

SHA512
11a5b30fda44299ec281eb065b82f14a597f02e3979726b1fa466362a6aa4af9b41dfa5995b9d6a49370bfe1830e61a5fd159cdfd279f4cdd5d40b1664dedb84

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6c80a89e1a53e721ec066b2b64f07695

SHA1
938b10a6b2e42ac8386dfdc166e744024192993d

SHA256
f6ea72d1f253def87f9a8101c912f35c4d0124bdbe488abfbfc5b251a35c3d6a

SHA512
c5e18ef829ee7c7396ba832816e175737923b6867a850b9d63cd9fb1ed4fd87454167dd509d7a653ddede3df893d231a0e30b341d8b0e3b9368122a26d3e3137

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
39b5cfdf27a19ffa4bc1df588d4fb84e

SHA1
325e00b60757da5fe9e01c56d23aeabb8b5c3990

SHA256
be07a38e68122fdb236aa5869b6064e34f4e4b9c1b7aa62d0c71c172f58a3ba1

SHA512
7a47a1e53e4100eec895557bce43c1ab5bc5c283295ec1c8ae0cfa56adead0d0ed51dc5d452553af2702304890817f499c805692dfd7ba92ea1887f443ba241e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f8df84adf731c78c7864c19c3df7ab5f

SHA1
2c6fcbac67c28e327fcd5ea2d352de68c2f50c6f

SHA256
110ed42d8400a858d611c51acc6d1b8f6bc83f2890243907a99fcb28cffa7921

SHA512
941e7821a22d6cb37b74c73bec11a46f510acc31bee46ddeb0c24a0ec714910300d6dcb106fd66867be20d98d7521b32b8a064b2edd362edc67a5b1361889d45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
452c58eb82ec00bda40befc02ad2a1b2

SHA1
23bed402e0ac791ddbcce654ab581b658c5e10bf

SHA256
b5a91d2fe4672da52f7f0a54e1b3d01553e272170dd4617014790648dd6c6f92

SHA512
dd2456f72b605bde6560152d17c8bda01fddfbb3a16cc191c7a2f8cf3c65f332efe5068964b5f3e8ca0d3dc8771db33d3f010de6c3111911b3526e0755c3dc2c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0f6b0e6cc35d1141303c7e1782be2dcd

SHA1
854f51dbac52e3cae292bcdb7304b15133adf2ae

SHA256
005a2b09b341c11230023f19eeb6d4ec079a5dfdb0bb956f4236d05a187c8bce

SHA512
fb6685bf063856286ad0367fc81425dee51151eca17b93e5e03b0abe5c2da0a494e55d7de4b881401e27ed7768ff2e41c68436126011c09fc28811c3586d1058

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d05280a2256c4c0705d408fa2632c4a0

SHA1
af7931fdcbf03a6ee4603c4413c309da4b546e08

SHA256
21c9779cea17d764b9208683ce9e1a8e089a5b5b77e42e579efc22af511d9986

SHA512
8ef64cfcba2f18daa247958aa404cee79ce674b90a565565935703bebaa716158b378b450a7726888c31661a58c26859daa123a21ab234652d1d0dd88504ac50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b27f8ea2f40efb68b4a1abca92b32875

SHA1
0bbd7246dd9f287dc55006591e58b72095e1b23a

SHA256
67780331cec3e4dd157e9897dfd1ef2df96821804e0fa58133bf1768ae0e62ab

SHA512
53037b316e97c3d316c2cbcb93c5b5629cbaf0928da7f8c22cc9a764f9867ff81d79f38d598c200b7f4e60affda2296fe881d0d559a6e9f1ebee3a5c86c82474

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a909d9e766116d5ad355c1aa1adfe19e

SHA1
98572844e3951957c2ce29dafb79552d5e42ab00

SHA256
981cb5246c4460ffa395ebd8d69758a15cd08b6653abc5d4b2e2ff01df32ddf4

SHA512
0591cce70d20ec33233326146603b4b2246739abe9472ef471b05af13055e8695df3fed4c9e2ccba4672e3750912e44f5b7799d81ef9871f6bd4655ad7444730

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
31808de9e7aa452e9f99f0b57a484a46

SHA1
9df5db0a7eff40479ec1b1aab49a9619d24c2af2

SHA256
aef7e72473af40b1af3f27dcbd9e641640e175b61aa7ed5e892506061f199512

SHA512
0e440bc3ae42bce4a97d99739741e447fa16689601245e22ae29c4ac662f8889470c724358082a3995db6deac619f4b14753ea51ea0a8741d7ecaa6b0f56574c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
144b5c96d6f35521dcd299bf17a3e6ac

SHA1
50b583a6c7deed2ba7d76ba7c6198102cde705d3

SHA256
83fafd5af1b2c66217b713961b50f429f7c3b8396e4eb65fbabe44d84b0c2c31

SHA512
6712361140a9bf47417b4e2e61c5a8e900aad81cf03b4d7b45f53bf21b60300c01757974d417c96b101f3597f1e2867f0aa5b4eb8282fe11c298389355259534

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
824e41b6b862eeaa205aa5d7421af347

SHA1
8765b1f5729320b80de1b04ed1a9c08676690fda

SHA256
0934d8373c9ce7550ec3c22f636bb01e1ea0adb0523bbdb212e17d6963a6d753

SHA512
11abdaec95fc71b7838f690eb5918f79c16e9c9357f1b58aef139f00f69f4d514561f96f6aeac0aec981760bd909df203f3ad05021205613d90d6fde0a7a3b67

Download Submit
memory/456-611-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/456-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1056-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1056-610-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1332-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1332-485-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1452-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1452-608-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1632-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1632-259-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1696-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1696-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1800-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1800-2-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1800-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1800-8-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/1800-450-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2008-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2008-231-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2080-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2080-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2080-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2080-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2220-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2220-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2228-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2228-93-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2228-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2232-61-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2232-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2232-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2232-39-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2232-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2560-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2616-270-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2616-615-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2932-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2932-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2932-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2932-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3224-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3224-269-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3236-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3236-250-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3408-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3408-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-609-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4472-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4516-55-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4516-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4516-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4516-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4760-12-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4760-21-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4760-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4760-91-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4948-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4948-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4948-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4948-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4948-87-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5036-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5036-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download