d9fa21561ceb11cd0056e54cd9c666325353757b120a2af0fa1e44b741215247

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 11:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Size

6.0MB
MD5

76c159bcdd396bc852b55376c322b190
SHA1

e8b11637b8b55a482895a8343e2edd8b4718ba68
SHA256

d9fa21561ceb11cd0056e54cd9c666325353757b120a2af0fa1e44b741215247
SHA512

ba7daa82006ff6f9aecda99482f9410e59a06e1e4c2ff6c675a16a532b4637fc5c5b6ea575832015057b0b97b3a1a09df40c7b39388b5cca5356f3fcefe5add0
SSDEEP

196608:h7wqheSVYK/bua/BlWWnuVhsus8nm+q4Oe:h8qgSmIbr/Asb8nmF0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
3208	alg.exe
632	DiagnosticsHub.StandardCollector.Service.exe
2324	fxssvc.exe
3948	elevation_service.exe
336	Setup.exe
3480	elevation_service.exe
5032	maintenanceservice.exe
1636	msdtc.exe
528	OSE.EXE
4332	PerceptionSimulationService.exe
648	perfhost.exe
4960	locator.exe
804	SensorDataService.exe
3600	snmptrap.exe
2392	spectrum.exe
1964	ssh-agent.exe
2292	TieringEngineService.exe
1548	AgentService.exe
2820	vds.exe
1912	vssvc.exe
2600	wbengine.exe
1512	WmiApSrv.exe
4736	SearchIndexer.exe

Loads dropped DLL 5 IoCs

pid	Process
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a780470c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009c6b67c81bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b46a197c81bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c409f87b81bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a20e9b7b81bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
336	Setup.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeAuditPrivilege	2324	fxssvc.exe
Token: SeRestorePrivilege	2292	TieringEngineService.exe
Token: SeManageVolumePrivilege	2292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1548	AgentService.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	2600	wbengine.exe
Token: SeRestorePrivilege	2600	wbengine.exe
Token: SeSecurityPrivilege	2600	wbengine.exe
Token: 33	4736	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4736	SearchIndexer.exe
Token: SeDebugPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeDebugPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeDebugPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeDebugPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeDebugPrivilege	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
Token: SeDebugPrivilege	3208	alg.exe
Token: SeDebugPrivilege	3208	alg.exe
Token: SeDebugPrivilege	3208	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 336	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe	94
PID 4584 wrote to memory of 336	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe	94
PID 4584 wrote to memory of 336	4584	76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe	94
PID 4736 wrote to memory of 5296	4736	SearchIndexer.exe	118
PID 4736 wrote to memory of 5296	4736	SearchIndexer.exe	118
PID 4736 wrote to memory of 5324	4736	SearchIndexer.exe	119
PID 4736 wrote to memory of 5324	4736	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76c159bcdd396bc852b55376c322b190_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- \??\c:\023f50d8f36404c8efe5fd\Setup.exe
  c:\023f50d8f36404c8efe5fd\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:336

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:648

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:804

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5296
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\023f50d8f36404c8efe5fd\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\023f50d8f36404c8efe5fd\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\023f50d8f36404c8efe5fd\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\023f50d8f36404c8efe5fd\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
bac027876deb339ee3df4a555cfc6f94

SHA1
a705d7d71d3717b123a473e0799dc680b207e55c

SHA256
ef1ca544a25b24ec0be37185e5ebae1171cc2645770861e6beba217494e11cd5

SHA512
e9c7236b9c07b1d65ddefa63c27b43de91c84673b0ee984ec331b2af0609f31e322f5b23354d1c560128550b0d1323aeadb2e7a7e2634fda8735e0377956fd5d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5628ba77e90573db6a71c71f29cb45dd

SHA1
7ea9c8a381a35b636acae28ac472c4c688b5f2dc

SHA256
f2c291f751f8d8eca7b2fbd1f1b5704804e677461f8520206fd40662cb708e7e

SHA512
d6e2dd8d41de5917f7b08c2bb9e43da5f9d06e024f4bead40142aa799f88fab1a677a6d937d180a4e11af0ade11507c9a9f1052e9a0dfe25e34a096a7943589f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1babfdcd7039aef641a2a7cb09393545

SHA1
d0b9ca12f26738caa07d694b88c52d37ddde892b

SHA256
46fffbf44f5ca2f47d23a87a58da84505b6d2cfebe38631d9d2efb0cc83c12a4

SHA512
8b0c34182d79fe5446ce623536a2b727552ebff4744233090cf104f6a765b3ae247dcaf8fe85192d83182bbc16087e8542c645873e657baa48715909d48c7a77

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d00bfb8e4f3829358c33769bda326974

SHA1
8f511853d868b5dc1370adca2032ee212ceff036

SHA256
80e39d2cd54043db78b1481eea6301c8c51884335467e0d0a5f0a345e86329d2

SHA512
d32dae4fc038d40ed37541aeb58b2de4ae7de57684f0c706c1503211d4b0d377719ce6a274526a928d71e9e0c37f7fd4d9bfcfeb373048fbf5ee49aaa656e64e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bbbcfb2f57f909edf4835f65e6d48330

SHA1
b74fdc2564aec0e04d4a23fa423318632e8c8826

SHA256
72e4c7adb9996f640e47a8d97d8c0eadc4f23b4b00d07ac884c23cdf04f3351a

SHA512
4719cdc246d76ba4cf262ec800e754106062ca2ff5cbcea8b3592e2a7033e7702308adfa311ac707b001abf7571777a40ce91264dcab2aea46c87184f1a6a656

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4b5b48562d11d5d110bf8fcc2a80cb44

SHA1
6817b34b858c5fbe6703f415b21310aa470fbcc1

SHA256
720fb2099dd0fc844aece41625d2d976776cb05aa6f6f3a98e523eb78d3d2740

SHA512
85c4c10c3c2276176083fd7084e0a15db3684734161ecdafa6791c5ba253141d4a727520be87c9ac9b3fccd9d9d1b214425fb2eab96198ec0264093ec5590ed0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
89b1f6c66f72c66020f94e9abaf10c78

SHA1
e2ccda2c4762dcfb9bcebaa5126a9b3585288b77

SHA256
ed5a90c223cf8d4ee682195acc71de3803d4492cae2cecb908dc0cfb4a06c7e6

SHA512
f7f50df0e4d66247646e69b16ab1fb79b1807b76ade2d0e3657ca57582f40ba7f4bcee30587afe4e5822bd1dc026528d4167f8057931985faa8e2a3c550c4664

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fef97b04ef5858bd94e89a5ced15ebba

SHA1
a47df3eb5b0d23726ebd169e97e3f673bf34a8b0

SHA256
a6b1d914994cace80851d629a94c53723eb37e8a4bcee75d8370b2bfedac7d8c

SHA512
fe66afbd65025a4ac9c75a992c563043012d2685dcecfb0ca177e26ec51cddf9ef6863769859e5c963e258ba4b1d5078b481cc1a376061a425f58178b01b1de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIA8.tmp.html

Filesize
44KB

MD5
b8264f412c86969d6ea698ac3637578f

SHA1
0029d102d379794a1eb5fbe898e4c65f6e0859a7

SHA256
8e8b2b5273ed439d3a6a80a4cbd6f4e21ff1e9fd0cf54b136d6d124300060f7a

SHA512
d4c0f4835a424099bc21c817a25b572a3a74ec7f58ef23ecc45df842f12e884d468eb6a106ddb58c5ca959a776230c5f8a38b64dc8eef23542d12f6c181ad883

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fbb39c4bf990ba5c3b1d3f2a8d80df93

SHA1
c51978f54def0e1ca86d182dd98940d308cfb0e3

SHA256
bb778f204fc57c94ca6044f550e5b877e0437d385632febff27861452dffb89f

SHA512
1ed02b2007c589e2b5e3dab0493c579d5c9ee58ec4a9c5c4076ebf60828154290c600423eb90b7cc1351784a29014a0ae6f6dc4571bb3f18284aed7b75a22e84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
be0a51842ad4ea36701ab8710b736936

SHA1
91d7df9b0cea85b70bd500f27c3643a38bcaa7f3

SHA256
5b02de83136d7074eb0548c7380b529ba0845a042d0396cdd25f4e401a9039bf

SHA512
da679332e2657e5cc6197dd5190aa66fc8bc4f03a350a095de89b3b9c29b1796c50ef1c84eec4f0ab7bac3ec6fe04cad5fb61b0486e9d995ee2b3da38a6c4ddd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
aa439142c39758388e0f15fb4056c33c

SHA1
383bb4c842411b4a1e270794aa534a94d5b10db2

SHA256
2b8e4f77669c14d256153905c2bd2a1a2a86ff8d941ff3bba39d3ab197c5975d

SHA512
f1da3f3c3c1795bbab8de94b2e436410741d162e8cdffddbddda72e3d0cbd666a35be883d88b1e57839f99b4222aa9b23265582b997045533a208f2584fdf4b7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b75df8ceeb1ac00d1c60266550ec96e1

SHA1
b612c18d5a562786aa51d08563e8e03b4923518e

SHA256
d286f41b5412cf95485278dcedc894be3d6c9be1ba905fc2a7c0a1f89b3d213f

SHA512
02abf2dc32a8afd9f100d5f00efd9692535eb4b0a82ee41235c3fdf57aa607940ab8e8b6d76032c87ce149db7f3f9526dabecfbdbb1c9985cd802b186ade2a91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
84e541c82a8b4cae3c40a8d4f28f9261

SHA1
aa79154a5fff3d5f7bace8059c1bbc77e3c5efad

SHA256
d3c242b43821cec695a0d085f877cca9535943ae2a482e0f96fb401a9420c047

SHA512
e8ba182a30a62ec14f868ae30b8dcadede524b2c17eddadacd3f3744961fff33c4883c9e70bd656a6f3f10d96f9fd3d00b3b274467d0c47accaf9e382dd29383

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
944ce86510044ce2ca31424de9a114c8

SHA1
23c15ee3612a3dedf87052e974f5515cda103d35

SHA256
cd3a756ab5619bff32a994c5566b8d1116c6806caf9dc95838ea6c15b3d1fdbf

SHA512
1416661545b32227f0fbd87c2df95e77f212f6ed60f32c6d73b8d432ecb98fc3f67160e393f20270375933960bd9581ee428d1360737a01ef1388e2303fdfe7b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
33b06f47c01b9593fc0c9cc9a31c6fc2

SHA1
8c401087c6295db1e1af439a6f09594ae8006fd0

SHA256
23e34e4b98ff6252a2da57ba265440b87b23d49d62782f54075b9ad465f900bb

SHA512
afd4061671e8e5e560cfe8a974794dd40cd5f33ec7621833128b91eb3fbcf824a643d001985516200ac1b9640a4144dfcb90a2645fd419d2ccd1137c62ee684f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9a70d35c23b8c35f98addd8980cf8301

SHA1
fdcd08b54fc582c6f07d236f4b86c9cb00a3c7d4

SHA256
8388ef6ce27b2e238a5704834239fb130d058e426272801b3651eb23b7a82c41

SHA512
2cf2ffcbff3bfce3d537515ad5e6f7b045e78d325d33b5b8c5510bb41258041eba6bc2e2e9c17cd782580e97adef7a0af6952dbab5541ee17fce6df50a34680c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ed8dd6b7eb283417d17f91d9f0364ea3

SHA1
9519484df6f8cc1c8d97d55a7913a9edcb81379e

SHA256
ff65004d4012bdddcfb678f4904b7f7af87805c3f162ab758172aca688ab2773

SHA512
417960e3f47b6e3a1f0cbb6310ea107e4f2cae6f0a744de3286f1c2be7b5a7709db261501b4155221ef121188622bd3b12c4b3ba6302517c5943b7fc8fa9a03e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
16c4a89b524e493e18eea65c0fcfb636

SHA1
50e48cb35fcd6265fe2f352804fb98ffa44ab1f4

SHA256
a0f0d30d1f1ff062ceb4a749992b926a819b3bc5674fcf64d1a159c476f7c261

SHA512
3fd18c04158a45141e3d554fd75699c64e8362f07e256812ac721624649894f42b3bcc614d6015127ce7cb0af8903a1125f43915b675df12255dcb22d5205a66

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d023139e79cfe7421fb0a710e88b829f

SHA1
8e5e74516ea099d74f929b8e8f028e7bfb3f5680

SHA256
7fda67811a03ea5dce9715f9f47da3552a797fc417b27ef818a90913a4825602

SHA512
8095d059b6c0bba836cb0a8e4a85263953266491f3178f4d48e78b2878a509921e40c76cbc256b01fe348ec3cbdcf09ba14244ed43d4e8c8213dc85dffceeab3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df9460fa7cb480fc08ae7712b8b4357a

SHA1
f38f163557c08537286d6f768b03b08890932552

SHA256
9109fb3d85160e603cc59a1e90139c7ca2c15c4c45b0900904953461a7e35b87

SHA512
a7d2a9ce79f278556a889f02880ba7665fc747076c7e965a5b3cf35022f09008ca2f1b418a470135b3b25b8a508de8e5cdf522277630ef9af1a6cbc8d58b426e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5c9f341196727e456b194bfcc322c937

SHA1
e9383b23e3afcdac9bc3fcc6beb66c2d78304ebe

SHA256
d46f1e682b81bd11c3e725e270a132aae8b96aa31c7ecae354c2ac38327b4831

SHA512
19cba7ca2cf5c8b978c45b84bf8343249236a02b58383ae79f09ac3ee1cbdb5dbfd466f67f968d56295bf50f527c0693094885695f369dc12cdb526ae1d2f24b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b9eeb0ee666737f372eca450ecc3ad1a

SHA1
e93960a2a1138bbc5d07af02992cc87171f0aeaa

SHA256
47695a5a068f0bd34c329e99af5a6225486c7a81f3870ba1fa1972a366d647a6

SHA512
306da4f73b644fb930e1458bf4e1fc902e37cdb0159a3b1e2fbab1a944b7c188cb6e860bec1f21132f2c7598da7ffe5ba799e857be8eda2ca8d8e7876f0fa873

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7744d0dc2adbc978d336bb514b9a85a9

SHA1
e287054bb6bbc21a965a9f028d754a6b8bf4414f

SHA256
fee2c2a30a7059743553af8854d0c9b4c4053f195c7698b6c6839e606e7b0d99

SHA512
710a48c0e979d31f3eca6285361acc1374aaaaeb2b4957ec01d81f5c26d1c6dc207e401bf45b2ddc7f755e0fc2828bc891a395591719383641216b2f5c1a8227

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
642e1b608ef8081281ad893eea374e81

SHA1
a7e3041787752c983034b522dbf2b2f0de1ce4d5

SHA256
124f7ad5e3f57a349e5729c1c739fa350513abbbb5da67937425e825e6ee244c

SHA512
65ff4a633907598a95c51d6b5d58b7f4d65c8bd2509d56fe17219f64ac38b929f0f90cf9405b5d61c8644095e1782e6bbe36cad55c932065b21a4b41a6720ff5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
dbce53c81914a21593fe8f21e0d35a04

SHA1
7a8976df209d695ca09e99c1d6f49c5f39901c8c

SHA256
d3061ca9a56f578cda8e767418ff859fb1b8d9abd066f42b5fd4e881b285accd

SHA512
4392f28af34a499db42966e26419b867cb95282b5da6e8c3682744ed9af06db3e033be605beba66213244746a029b5540d1bece4492c46ef6c03e3adc595746b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a0a0416e95457b827644098be69b05f8

SHA1
bc062997311458f2257de6f28269395a9388b632

SHA256
c033c0beae090e3b7dafe3fc309cf8a378c6220a1339740405368f11673587de

SHA512
a0479845f624d9ad93e4f4e54e43803c98f086efbd33f16dba46c7001d347c830672693945fa0d23fa419c453c2603e0ba81821330fe7ff26628df758e1f339f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9f5d94b9abe7c59171047717ac30cfef

SHA1
747bd9c57ef6f75bfd4f4c1856c972fe100a0a4d

SHA256
a3381e3877771518556987aea4f2be0af50eb1138d06e14ead104619a6e53ba7

SHA512
1f2c7aa857ce9a9a73d01e697200617c2f24e1f30a76ccdcbb579a65720c13f98a16b3c533694f38fd571cd42c4f04f5170410bfa7fec88c5e8eb3bda82bde37

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
bddd39c72c008b14e1838f0cc5c52fbd

SHA1
7fb44009573d1803ead1be2c90573ddba947c28a

SHA256
fd08ca175796e23f9be5f2c50405a5d4bdc0ce5c471944de882093f00b523899

SHA512
4763e983c84643043b254674c8023dd9bc617d75a318c233fa807d836e2cf0d864bada822efd82c2507ee0093f192cbad124c826ce0eeb4428b498ab527f6224

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d4ec3d00de8dbdd31d73500e3b125429

SHA1
926943e4f1337646dc2228e6443f6f8173cbf467

SHA256
d2cb5969d06208dc8b6f8521cde175a48568dca1fe39d8849587ca15b0d610e7

SHA512
725f61635fd1e454acc80e2c5558c2e5ae660f9108d8d7bfaeb10a6509a6edf2b7ffc29a57a96042eeaa12e0bbccc8730987263c780b40df64ea209cddfc38dc

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1028\LocalizedData.xml

Filesize
29KB

MD5
12df3535e4c4ef95a8cb03fd509b5874

SHA1
90b1f87ba02c1c89c159ebf0e1e700892b85dc39

SHA256
1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119

SHA512
c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1031\LocalizedData.xml

Filesize
40KB

MD5
b13ff959adc5c3e9c4ba4c4a76244464

SHA1
4df793626f41b92a5bc7c54757658ce30fdaeeb1

SHA256
44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b

SHA512
de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1033\LocalizedData.xml

Filesize
38KB

MD5
5486ff60b072102ee3231fd743b290a1

SHA1
d8d8a1d6bf6adf1095158b3c9b0a296a037632d0

SHA256
5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706

SHA512
ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1036\LocalizedData.xml

Filesize
40KB

MD5
4ce519f7e9754ec03768edeedaeed926

SHA1
213ae458992bf2c5a255991441653c5141f41b89

SHA256
bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31

SHA512
8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1040\LocalizedData.xml

Filesize
39KB

MD5
fe6b23186c2d77f7612bf7b1018a9b2a

SHA1
1528ec7633e998f040d2d4c37ac8a7dc87f99817

SHA256
03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a

SHA512
40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1041\LocalizedData.xml

Filesize
33KB

MD5
6f86b79dbf15e810331df2ca77f1043a

SHA1
875ed8498c21f396cc96b638911c23858ece5b88

SHA256
f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f

SHA512
ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1042\LocalizedData.xml

Filesize
32KB

MD5
e87ad0b3bf73f3e76500f28e195f7dc0

SHA1
716b842f6fbf6c68dc9c4e599c8182bfbb1354dc

SHA256
43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070

SHA512
d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

Download Submit
\??\c:\023f50d8f36404c8efe5fd\1049\LocalizedData.xml

Filesize
39KB

MD5
1290be72ed991a3a800a6b2a124073b2

SHA1
dac09f9f2ccb3b273893b653f822e3dfc556d498

SHA256
6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c

SHA512
c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

Download Submit
\??\c:\023f50d8f36404c8efe5fd\2052\LocalizedData.xml

Filesize
30KB

MD5
150b5c3d1b452dccbe8f1313fda1b18c

SHA1
7128b6b9e84d69c415808f1d325dd969b17914cc

SHA256
6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2

SHA512
a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

Download Submit
\??\c:\023f50d8f36404c8efe5fd\3082\LocalizedData.xml

Filesize
39KB

MD5
05a95593c61c744759e52caf5e13502e

SHA1
0054833d8a7a395a832e4c188c4d012301dd4090

SHA256
1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1

SHA512
00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

Download Submit
\??\c:\023f50d8f36404c8efe5fd\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\023f50d8f36404c8efe5fd\ParameterInfo.xml

Filesize
9KB

MD5
03e01a43300d94a371458e14d5e41781

SHA1
c5ac3cd50fae588ff1c258edae864040a200653c

SHA256
19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a

SHA512
e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb

Download Submit
\??\c:\023f50d8f36404c8efe5fd\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\023f50d8f36404c8efe5fd\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\023f50d8f36404c8efe5fd\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\023f50d8f36404c8efe5fd\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\023f50d8f36404c8efe5fd\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\023f50d8f36404c8efe5fd\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\023f50d8f36404c8efe5fd\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\023f50d8f36404c8efe5fd\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/528-212-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/528-324-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/632-231-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/632-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/632-28-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/632-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/648-228-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/648-340-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/804-373-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/804-688-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/804-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1512-695-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1512-361-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1548-310-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1548-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1636-198-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1636-189-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1912-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-691-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1964-685-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1964-280-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2292-689-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2292-291-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2324-74-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2324-136-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2324-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2324-79-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2324-145-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2392-273-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2392-604-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2600-694-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2600-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2820-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2820-690-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3208-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3208-21-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3208-205-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3208-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3480-279-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3480-181-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3480-134-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3480-128-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3600-546-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3600-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3948-117-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3948-110-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3948-111-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3948-266-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4332-225-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4332-328-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4584-1-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/4584-8-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/4584-197-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/4584-0-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/4736-374-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4736-696-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-238-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4960-360-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5032-187-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5032-185-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5032-182-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5032-160-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5032-166-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download