wannacry | b70e85bcd6e8f1c9c65ac57d7c4c46346fc4f0194caa9b45e3f1d1ff8d9b6d7e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll
Size

5.0MB
MD5

dc3a1bb107a50b9271e9152915d738d0
SHA1

89408dec96650fbfe2713cc82865e935f7fbe1a7
SHA256

b70e85bcd6e8f1c9c65ac57d7c4c46346fc4f0194caa9b45e3f1d1ff8d9b6d7e
SHA512

47aa4b676685ba5d64fbc0c9487545b7769987375f4af64ac05857064f3e9dc4dea576a41878d0e901840fd91a23b04f29f8ea33971b5710f017c8ff54d06b6b
SSDEEP

98304:ADqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HND527BWG:ADqPe1Cxcxk3ZAEUadzR8yc4HNVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2663) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 25 IoCs

Processes:

mssecsvc.exealg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exemssecsvc.exetasksche.exe

pid	process
2456	mssecsvc.exe
1560	alg.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
1164	fxssvc.exe
4256	elevation_service.exe
2584	elevation_service.exe
3028	maintenanceservice.exe
2020	msdtc.exe
4960	OSE.EXE
4676	PerceptionSimulationService.exe
5068	perfhost.exe
2044	locator.exe
3996	SensorDataService.exe
3364	snmptrap.exe
3612	spectrum.exe
4892	ssh-agent.exe
4396	TieringEngineService.exe
5064	AgentService.exe
3168	vds.exe
3112	vssvc.exe
5096	wbengine.exe
1576	WmiApSrv.exe
3044	SearchIndexer.exe
3312	mssecsvc.exe
1624	tasksche.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

Processes:

mssecsvc.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	mssecsvc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\locator.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	mssecsvc.exe
File opened for modification	C:\Windows\System32\vds.exe	mssecsvc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	mssecsvc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	mssecsvc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5b11d4c0c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	mssecsvc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	mssecsvc.exe

Drops file in Program Files directory 64 IoCs

Processes:

mssecsvc.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	mssecsvc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mssecsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	mssecsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	mssecsvc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 6 IoCs

Processes:

rundll32.exemssecsvc.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mssecsvc.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exemssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000f1f201b5bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd688f03b5bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f3e2002b5bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016b6f701b5bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032b69d03b5bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8218c04b5bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef647305b5bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe
3284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

mssecsvc.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2456	mssecsvc.exe
Token: SeAuditPrivilege	1164	fxssvc.exe
Token: SeRestorePrivilege	4396	TieringEngineService.exe
Token: SeManageVolumePrivilege	4396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5064	AgentService.exe
Token: SeBackupPrivilege	3112	vssvc.exe
Token: SeRestorePrivilege	3112	vssvc.exe
Token: SeAuditPrivilege	3112	vssvc.exe
Token: SeBackupPrivilege	5096	wbengine.exe
Token: SeRestorePrivilege	5096	wbengine.exe
Token: SeSecurityPrivilege	5096	wbengine.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeDebugPrivilege	1560	alg.exe
Token: SeDebugPrivilege	1560	alg.exe
Token: SeDebugPrivilege	1560	alg.exe
Token: SeDebugPrivilege	3284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exeSearchIndexer.exe

description	pid	process	target process
PID 1544 wrote to memory of 992	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 992	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 992	1544	rundll32.exe	rundll32.exe
PID 992 wrote to memory of 2456	992	rundll32.exe	mssecsvc.exe
PID 992 wrote to memory of 2456	992	rundll32.exe	mssecsvc.exe
PID 992 wrote to memory of 2456	992	rundll32.exe	mssecsvc.exe
PID 3044 wrote to memory of 3812	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 3812	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 2192	3044	SearchIndexer.exe	SearchFilterHost.exe
PID 3044 wrote to memory of 2192	3044	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3a1bb107a50b9271e9152915d738d0_NeikiAnalytics.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3364

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2192

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9bd40833748a73f61f3b3661d2e34dab

SHA1
3e1c04a06f317665e30a8db4ac7bb32cea5d11c0

SHA256
959aed73bf4a82caa4ce82e3c11f4050191916b8263119ac2f15d18bf591a872

SHA512
89a9f1a946b99c6f2e60843a8c68a37ee8a8bee7206db2516fb7fe8f94f88962d2608f678b86d818016448d800970f73ed16746b99d0fd804a688b363308ef44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
98a68073d28869c9139cefd8c21c93c0

SHA1
5ab2161d50458648d1909973777eb5a9f67d2d15

SHA256
2eb7dffade8173b4fd37faa379c931dde353aba3054fe1a00207f2faa019526a

SHA512
f72fcb16100da200217cb723a26dbb6b8ca45d1f15d692a4012bafa97d0140178e135f7088cc6f8fec81884cc215e421d84580a647192b23aacb0d319bfd7a99

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
abe18e6c041dd2f6a36ef04744835991

SHA1
fafd0aa9158606ae75154a229f085bd20e0d5f9e

SHA256
4b61baca5b1e3030ee72d0b000a6e1a756e8d79ef5a506d19d6d122ce07fc673

SHA512
9cd87408ffe9c7744174d26f4ec41619d1e29fb00758bc82e2734cc61e9aa727b649013b8ec56fe76a84366b039ccb0e75cfd9b6ace6b6d2e259aa5961120dc9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
90d75c1529201933c62294d960af4896

SHA1
8528ec9db3888340de9f797f4f9ef81506fcc3a6

SHA256
a0d1f0902c9acecde488b5fe18fff9e077d09a5acd7e221f5af9742ed52ec2ff

SHA512
ea7199d73e281a6a61b096095c1eeab6f6b96db56c5671ea9dc8a8760696acd2ee72e254a8e5852acbb839fe6cb258da8a430419fdb8ffae6d6fbd3d8b1a0f60

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3773ec2b9d92db7cdad2d5962d29d694

SHA1
ff874f1d367c5e8c73a1bfd22ae8f8ef6379ea18

SHA256
b3456b7a38f3e4cddd158d7ad2a387d32e7a2f0d78067cd7a9cdaf767809b569

SHA512
6828c8a0f13c0304e0b36535af6c689e709501b7cb0347e4ff8b9a82b8a4b60d8dd3388cc8d67f99c3885b93cb9598f4566993e92753428b722b5f371e65a12c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f93f23316e8dcbf9c8f0c973e53ab7c0

SHA1
ffe0c8faba9881a35cc7e2b3e9b38cf9dbe4b938

SHA256
c204979daf0825bd78551b4d60fe57718257d54dc0b9dfe09b25587186ce7bfd

SHA512
f429da91a0c3be368a59bff2e3f5407300cfc0fb53de26810910e4513952571c966192f9c21c51fa73ef6a8ded326085b2298ebd9492af8c73f89d5a980ae88d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
30f03e8c5978dc3d146a4aeb248f36aa

SHA1
39ff64afc6a2ea83345fbd3c111f9e6e848ae646

SHA256
a484f465021d7791b5fbeac23932abe2688361ca741ebcfca443e31f1a8f06a6

SHA512
f24961c6b39f2eb05d750e198fce9c7ddfca2e3a92e99eb7e80d3b6440f828f951f86473107cb26a7a95a8250e031ca555d9108f973ecdb554aca51b28739a6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f51cbfb1baa2a78c5cd1a8e911c02769

SHA1
e8b4467bfe2e69e6828f733e47353c8f50008ce7

SHA256
d4c7d921c88fc1befbd8b73e56f4ca7035c7ff65d2a8b7e32aec21716ef59395

SHA512
a6c97af312e8cfd6a9d83fff9017c6500d8a94093ceb8919180549c6235de5341a83ea92215266aeea0a213c12dd44e16164fe664cb6b6379d0324e360f9f254

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d8998ba4b17acd873fd7fc31e3779659

SHA1
35fcbe33d87548023521d8b03565e9c9ceef4aaa

SHA256
80f9764a81393535378bb3cd868a194f3064667008e0c1c8de6afda517f6719a

SHA512
202b7936a51a551d08fa75b918e6bc224014f77976ef9058ace20d2db12c50c3e96d2fc32bfbd6c5cf04caa932cc7022b2dacf756cd64beabfde3c85032ee432

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ae55c59ec32df611994c0433d2909836

SHA1
501eb5ea2132773ede010c19b11f7c53c6d7a729

SHA256
1a57181bfa0c35ffd660cb88054f372a9204a22bd275e5c09b441b39433249e4

SHA512
bb3de9fe0b1260b013d92e828638597d757d6dfd19ba81ab0ecfdcb458985cd0b64e9f74316bc7c96a58b484d76a4b7b3b751771910501163c1d772c4e89d616

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7de766ec89e79561eb53f3915d72106c

SHA1
caa5172a047964d71348a1ef7668ed6d1bfc9c8e

SHA256
1709d169f234097ef10b34fb9c2f8c42201f937fa9cdfb25439aef67c8f6b7b2

SHA512
e5f3e75cc67438ca70b02c67780ee4cae5024388edf5a30efb405fa173c744f6b2c47a9d85fc0d242e00aa489f368e5ad89d973e43268404252d8ea2f096598d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a456713be304423ea6c1c66f1155debe

SHA1
9920152604763956eb2ec4ec6aae8eac088f9aa6

SHA256
abaa1101b0b37e12e7025344f1e65491595fcec44409655af7c19beb453c89e7

SHA512
848c267838996d5a392fc22759ffce5a0bfad0947485e2d337d56698b89e10978bb6c2b1ae2bc41040cfba2e303952d3ed465fe2da31d35726f13f17f203f049

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ca31ce2caace2c70c41bc16930a366af

SHA1
9bb12bf148dd46ebbfad447ab6229c7d11471530

SHA256
bd7d196e840098ff4ed58eb7a9ac3894a3aa683abf86e684c313bdca33082325

SHA512
b944d882f913067ba32d8d4740aa55ae38b0ef06d8b9f4d3dcb5d1740979b44122e4bd7f29662ddf8f60bc037ee690c8772f5583675d57b69e8db790a0d98548

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
99c69295919df8278c992adef58f734d

SHA1
34ea214f013536383bc603e04253cf8eaf0b8307

SHA256
8a3dc5d84c9d523dcfc05dba00ed5bb2af7d633ea35a4c6aced76a7d094d80f1

SHA512
a36fdad999c0ca309f889d410dbba72bd8a16434657d6ae28e12313e4e7a387f30760d199bb5f9cff0a1310705bf8330802b986fe0be61f865731c1cf97d5689

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
512016cdf3dffdc2dfb09669e464df12

SHA1
cc674c3b28f2e8ae2950c11c648a7cf9d88514b2

SHA256
29414b45f351f8d395c14baf9154b94f5dcc0425c6026df8fc0d6a42cb114cb0

SHA512
3a9020674616f4ee04e92e42734f8df7f62da24296f46d66f204ce130d040d3ab80ad388b89dd7a09bd97bf7b731b00d23c82c159ff0ed8dc3b88da1a9a5cd6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
19bfe500be13dd1a9649b5089aa95934

SHA1
aef3f47ab5e61a1ce2787c8244c7f4decca2487e

SHA256
693f12c0010ca66457d29bb22b2e06b0d47c55b77db8c1f77222d1c6498b9c9b

SHA512
f8a7592b3a1f47c5cc24813506ece716933857da8613ecec1a1c434c75ac66b4704f18f674759530877a6de9157936c0c2ca0e683714de9ad6223c7e1010e70e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
05ca4b7eb9c4e7a7a1fcfdc087a4bd83

SHA1
54058abdc320aefaebc486185c0daab8098b1d12

SHA256
d1aec22aa0f925020fc6f830be0179cc686094244d2ee250c62568dde303a6c1

SHA512
cdc203a92736372f12f8d96a6eb5257451059495a575e38f30292ca4bc9ed7ee1e4b7facf9231bad7a8edfaf10c9e8abfbd556cc12c9372e54939491590f1cf2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
92b52564155cab9daf0ca1475b33ee2d

SHA1
7c4e384aaaa05e260517e9ca871c8ec208ad01e2

SHA256
5a7d64ae6b5147eb74d089d03eea8e7075078d858a4111cafa4f0fbaec88bf7b

SHA512
ffe408f55b6229f5e0a8d4e76e9e95125a027cb3ae3c9e2d8f59a474799a49fff468b4f1bd968fc0780a9aab0677a61911b6a39faf4dd93a276ff70a3dbb4484

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
69727759a8ecbef4609116971626aa30

SHA1
a391dcad97e3dc9f3a5f6e473d436f26f5f15005

SHA256
856e480a3559d55384a9bcb013198834bcadcb4c30ec2b12f06a5aea153ced1d

SHA512
80cb112df53e8ad1a01e43b60ee347768f2958cd0a97f4d8f576e09b8597a46619340328fab451765790b7a093771ea24c7023c97a8fbcd4628fbbe02db7618d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3d027512c360f92c1c042042cba928e0

SHA1
10b3121a8f35256ac73e8a4bfc9fabd8f1ca12cd

SHA256
c4045ee5ab642a91ba0adb61620f8eebfdc7ddf9bd8f6ad5c81ceb89abac8a9f

SHA512
014eaa78ff27e1ae3793c9917fbb1ced80366b5d4bc1f60f98d736b991612dfa0d9fbf2e3747e0ab911fb73e9cdcbbdf3690045dd97bba36bc546501724f42b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
df0ea51473f7e54ec2711cf866cf391a

SHA1
c2070c8fe372b62df7c0dfd09804d547a0b0b751

SHA256
6ccc614d39496a864ffc7a030c989b76ea58ebe1acbcb6b8f635fe7a9a3b7b8f

SHA512
256855a625cb55a8cf52e58e2c2da1df4bd027bd65e17afec310540c2d4b315b0983f9aa2250bd16267e61080bdc9f6f8c6cc38a3c6fbb0a742a0cf1ec710830

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
aa97d0f7c3a1bb414193bf9af08ae4af

SHA1
ee3b8015d57bd13038b33fabb050753427a111e6

SHA256
8b901dd739dd8cd67c0f7c931eed135a5fcfe2ffd5f5d031cc5d9b22850832eb

SHA512
9bffdf29f4a4cc093b3d7ae1d92d2462e3f93fbe791d4d9c7a5f62e1feff40c20839c9c3554e333af3bbcb0865b51d1e349d815d3fe8c712bcf04fa918216252

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
56dfff32063807924d755c8dd0d9b00d

SHA1
3c5e189e26e8413c27f15c5b756a97bb559849b6

SHA256
1ecbe7aa6fee01df257fc1a30311ed3db619cbca2cea27f2cc194a817fa303c1

SHA512
d81cb907ca931a98a5ed13f1ee1c5f17f5df37f9bf79df4fcf8786ad1316fed3c3eed3e4672fdeb9b8f837a7157b4ffdac0b9fe2f0a4124a1e5325c76d711313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4f05f3f3991994a45e2b286600422aa5

SHA1
11faeedce0e64a9cc3ea3adc21f17a45c9aaaf10

SHA256
65db790024cd433167432b4437b24cdacf137fa4b1585a883b66fcddd28f0957

SHA512
78e393fc6d493eb91ed96350dd60eed3b103c67865c6432bca66c79a30c5ae1d0bc955d5ae437c06f74f58903c0fecf30b13384cf41382c8ca9a25b2ff3b926a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
04d7aa003e2ec1fca28fadef96e7d139

SHA1
65300590ceccc3f5eefb98e6929719b04fd0bbb4

SHA256
12c3bd1c3ab99b20d9a0b18c9bfb45c09e7ca33c997ec250135be92cac161d46

SHA512
41b98165dbd9ea78d3532cad5ebbf109e2833eb640af7730cab90d024af793658842e8010e062c7f8fd32a12221cb83c8f0f7b551c674cfd0db9e9227387ed37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9d8a6c9662afd33f9e6d9bbf8efca1bc

SHA1
a36f1d0136ffdbc8b005587d380a5ff2a17fd7b4

SHA256
fa9efbeaa84e32c60bbf18e8a5865c912ab23da3b43ab99390ea1ed93a8ee44e

SHA512
ceeff8ba13fc944d2f8fdd976f44a1fe3bdb9ad155c187cd8ac494bd72177ab1af286c86348688ddc6f3572d1d0e49e07b11f60847757b71e56de79dddd35488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a1f97e5f1109c6c80f056530bf98a56c

SHA1
f4794f1abca7a70c5e566b607a5116497019bcce

SHA256
6cf9444dcd490683f5e3c0b06c06f10da8e9d519a15fe1a48a95f69100aa4188

SHA512
44d9d9ca20f3529e0b9b0a55e8b30ab98af94dedbe0425867af6be6b6b647d722a4ca7d5d06b33050bc049c210fcc2ad61cf54daf42a2852366b4c6f86399fd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
cc183e3cdbbc045d6e4a3aa1d93e903e

SHA1
1e567f2e12a3e8e14582224574321ac6968761c9

SHA256
81517fd973bddc4f3b36f2dcc10a24b734ff5f66e22f992b038e6cd0ded85088

SHA512
1526b8fe65e458c45334b5dbc40a2b487f8ca7b3956b77f7d2c26e8e9e85606420b14ae49ffa7691fcde8aec020a1303a5a360a7d9d1d2a973710223b2d3d686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4d7bd140f115d50b24f512797f93d02d

SHA1
2dfba1f3dab60c0fcdd63801ee84ffed0f2690ce

SHA256
9965440710be74d9b8a31826b3f3e8e37f08ea2efd22e684ed6c5f9f0e229ebc

SHA512
97e372bb017a5bd1cc26af5db59968bfe87d1310fc2ea57da41fa09c3920d6fa792d8dfff8fd68c97021c2d2f52eaab6d14246d7809138967c16caf062e24d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d51c3bf72dc5ebca3e88c79f007c44b2

SHA1
8d599862e22e1adca3f4223910997393a9d06b1b

SHA256
ca88feac19c78e22f9ed5aafbb4524196c7f45648deae20f35c62e57042c2d2e

SHA512
4375c19b7f7dba45ababfff90a806de271bcab01cd5587500963221671ab2f5922fae048be16a42ee2c21af7f7828ddf2834125a260fbf868fccd1662e93dd0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
70b21f0870418e076ced0a40c974e5dc

SHA1
1bbbbba169217ebd264020c87694f0d7f7d6d99a

SHA256
8aec724b20c05abd74e84c4e831bcb9c756c161c994ec1e7d0dc69476bba0131

SHA512
c75b0183c0f57e47de7f62f2c45c3eb40fadfeb9d6733619709a7f3dc8950a5d259b803a4320d273ab56a728c3b785af99c574279eac6e9d98b637664f076f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3c31ffd8ab7bf99046bd9e4f165d6d07

SHA1
e0f7e0155dd544a65751ce88186a308fb692b3bd

SHA256
c4647cb5f67bef1d86a9c9e86406bb1089a7f7f68eefb7f6f5a2aa60631d292a

SHA512
977124f4c56adae7f1c471e5d6954b7a8a58a6b2e2e8795ac96d1126ab2c72ac482d0667380f3d82acba8f3260d661ed8631bb84bf42114d0bcbd6001b410120

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
eaa67a750ce7843e93ebc0ddd5022f78

SHA1
0564ecc2c4f575320d546152fa0444d78d66ec03

SHA256
3e1ce563856a49b49752f5b3b1eb8e3fe368ebb19240542c815981ca101cec88

SHA512
3281457e2944a520b02bee46f63e21d2d6476558a2622cc79eb9ac390c8653f3773594f81c2e85ce9823409735e9dc0772f235deb045b3a41699e582758f8174

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
708b44d574661e53598e98fcc05f217d

SHA1
a108fed83d3339f6260e9f1abd257aa3c77ac130

SHA256
be9fa04bed4da9cbd31274caefffe28c50ae2265893b6a23cdb32b206e78889a

SHA512
4800a30b770def4cf7f394e436b0736b85b8c93f456585069c4fa11d38114bd156fa2da75c03a95de43df4001accbaa11bfe3eb923954e4dcb4a08151718f8fa

Download Submit
C:\WINDOWS\mssecsvc.exe

Filesize
4.1MB

MD5
8887d2e5d2a6d5c3ba67e14cfdebee97

SHA1
51b6a6a3c71cfeca04f975a1311d2aaa904d9a8c

SHA256
1f410f20aefc51a4db29d5c067eadb197b55921a39a104e6e8969c2b45e12880

SHA512
89f776389a88923c76be299803526b5b8357c4e06541e98f57a5434c9af87f6e7345520fab000db41ec99c98bb1467d429cc01c47fd66de2f499051db3707906

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
252c6ce0cd7da77d18c02c70d7ba91fa

SHA1
93b09df81a1ca190a8637faf43909f89df983e13

SHA256
de38f23fc18fd291f4b3599e00543cada26b156f61e265c9cb32df8961a3ed7a

SHA512
42f18faee34630997679d9c841e275b7f2c08a23f95f3f6c6f4f4970a32e5a0482dd0c1b30fa49fe10a2bd71fc17d411bd389603cdf7b42aef74f13024802259

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
924d2cb4988c500eaa9308cb972ad48d

SHA1
ed3caf4a2669ca73a0745644ffca9e56439f135d

SHA256
7b2405bee3a9a4f7f7392ffd21b129648e020d7a9fb4749e5c3b9cfb0df4c4b6

SHA512
8359ae4069d61cc02b400a38289ab8df87b76e2c6c04fec36f79664ee66757fd55b33c028d904d61b537e64baefedcde8158c5066782e9e7793c155480f16a8b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
caa3e33379b3b4c82cb60c9de45d2e70

SHA1
eb12c2912bcae4cfa61ebb7ce3703f0fd776777c

SHA256
09d8b517f1798ead6f6040a610b594f47ab14bf04ccef2a22ba505866a872871

SHA512
c26666f96d2d6bed7eaf38b2095bbcbe49d8fcd1fa2baafe7db192a2d25754763dc9e29ae329ae9d6f952b65bc570b77a66e7361bf9b457dc59926817aaa68c4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
99d6d478d87d62deb4a71850938d0af6

SHA1
65a20032d992f4b83da463d3bcf486b757457e97

SHA256
27faa514c00ea779e7c16b4729e94b4101e072957e536874f6c5aa40b16b4548

SHA512
93af87d6c67970e070700b613f94516a3c88f5fb5330c39fcdb944ce639649161b312f5484a7ef46eed4b78e5fb1ce2ab64eb5d28a9d31997ba27c5061bc40d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
64118cf9fe51f3ee4b3925f84a62b86b

SHA1
ea16b24213bf7cc0d0b1c2012231d70a437a945a

SHA256
6a627ec3d002383c61296531e3b1105a5b23435e0165a3c8fd1ed568c5ab77b9

SHA512
a1d1e8f1df9a9b4d4ff830a04bdb022e9a78b3b8a2e2519aae57885de3ce2f96b6a1d50374b87efc71710d669d2feb108e6b3444725af700f341c5f4ccec6f3a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
acbd0b211b9af6c23d12a5c15504ce0e

SHA1
fc501dacb4e2e2ea373053637298a0981f6e7c7f

SHA256
ed6b583f3a15510a1ee05bf02754ca6cb51292da6853e84bfb11cf76fc3b5f6b

SHA512
7ae211ffdb00bfa58fd2f83b4816bf9f3b79c125304c2377b7598e6570a7f5959a3d2c2d703c0dd9b3fc6261be7c8c3d86719a489fba5228f40880e7196bc257

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1817d56fbeb70f50a42a57e9c8e6fe8d

SHA1
d8cec5ce9ce75b75ebae70f34f078f52767aa040

SHA256
a9f486e4972f76cd0169c473ff50ea87feb0676a7a31cf650fd172614ff6de41

SHA512
16715eb715806b1ccb59c5f0645c99333f97d4f4409d57fd6a0fd2cf1696c3a56f856b169c6362145e35f8958987b1d3bc27195d536853e672bccee28d3e983e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5bb24f7ecbcc187e0002be5251923fdb

SHA1
233725c0be10d12083bd275a3486022f127694f3

SHA256
b7f7b87f01f73454587c025a1e93e9755672855d7c3e5e564c574635f304bc73

SHA512
01b7e47d42ee0f545d4e97aa3cd937588905361037df0abf3dd41b447589cc6b1f301d361976c2f5bbd7a5c03c3baa7f5eaf22fb03b317945b882021449223c7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ab7d65dbdbad3fa41b7125eed839c9a1

SHA1
a89c83bac901e24bdd0896f2e13dc7291f367e17

SHA256
51cf2dac107516724755180d62083358e1133ff343c0646066a06de1a07d4a14

SHA512
dfcd4ded0024638063d9f52aeecfc32d9361180ac7d2946447518cf27f5f61e8aa6f1178602cee1039503b5aae5cf1c6320d93eab9d68db3d3604cac8f8b098a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f32745357b7489caa4140ebcd0de0fea

SHA1
aa6146b23cd23b159e4949bf139adf3b87e07f77

SHA256
9be59e3deedb628327c02d3529e188f83ee500c99e8b40c0f687d4816ccce849

SHA512
daba1d9ae17e183846b5e13d2af4cf1bee57b0c44e0ca06af52221fc2dc1a83b90c2ad18db94377eca5b0b0974544faae29b883d94a360bf3512b747f961838f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
471aadacf74cb37cd163a2e14896e2e4

SHA1
df68c7eae73355883ccf1d43b435961439b97ef1

SHA256
5d56007994f51263da4897738dfd222b0431939326b5bd50333d7aec53040390

SHA512
16a1dc35b429728b86eced3ffe469afd1fe286f19db7084c6168ded02c060109d17c022e527b2ff8162f19f50c635d73622fa338546feedfa55add55d3c767de

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
74cc50c1659a7cf80253585e25ac6208

SHA1
8d948c2460efb12b9d7f3c1bdb99b72da7fe9cf0

SHA256
276f2fe8d6f4f923fba38b97d5e8816df5965a093c9efaec601fe7506d1cf20e

SHA512
7850d3e370c7ed21612a8d49e47274249dc9cd5fcd6b1c94b81e249a908681b475aa7c431c0a403576e5b358a7c1be784486bb1aac8493be171a1a5d019a953d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dce737bf3f7d74c3ddc92734e12a5807

SHA1
c2c2e1cba76eb28c7602422fce12b542f49153a1

SHA256
b84c8c9790ea642792dca55799ddf991ab1a0edc0b46e22a0d706041e325ad2e

SHA512
cec6092be7c0c00937467aed01888beac922eea0376ab2defd526dc8006370358312f279e10602182ec87820e22c689e5079933bb4270743a0a873b05657fe5a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a0245e951f40bca44b4e493e569f6178

SHA1
1be0da93896a2b6b57037b911b7c025721576bc5

SHA256
230a5955f688d0f34c88ec6af5f813643400e3667e9c40c59c14816473dc4874

SHA512
b68ff28526caa1a472d3e9ab700ccab3dc4b9655346ea3078c06518eb31856804970cf7c6288fadd614f3166782ebf9372b4ebe5cd595bfd4d60b5f56bec6172

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c4e9426a9b5bb4ae1ade34bcaf5d8eb0

SHA1
c5432ed213447e48b3c831939ef24ba4e248ba15

SHA256
c0608a1dc4b66ef436d3835eba19b600f66403d79ba03a83191e0345f561c8e5

SHA512
4027c153fc1665b49e4e9e6318568cd0d4668b4b9c58bfea0984b0e85f1e80ae8c5304e090ea69c6e5cb7b9a6535600e2220e0bb924bdaa4a58c2ef4b30e3b49

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
96dfb9b19e5004b851beabe5e7724b01

SHA1
8149c9c90b8eba6b26a0e752e925be97ccd7f731

SHA256
717d2a3450126eb854adfa95eb51168efd59282af5829f98fca2535aa56e811a

SHA512
8e7502ae5054d79baa2c8d30d960daabca262d79915ffa82e3cc1fad9d55d393bd9c124982715ded8efbd7b8434fa05e9be94f1be9ed918b3680d6659b3398c1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
dc201cca03dbcc1875df66e0c3b86e78

SHA1
ccb0b9b067a4bc2c2079b096399c403cf178d837

SHA256
7bfaad08109f39aabb6904c706a5d3c71041b918874730920213c24cb3c9e18f

SHA512
f1348ba5eb1f97bf325004ee229e4decdae2d711ae0d76c7fd6cdbbdffa7c8445d40cdebf68e4c26277771446a21b01c4764a6cd295eb02107f7db54145ea3c8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18ff0387ae4dbbb93cbcbe24bd210a22

SHA1
6248f9d96659610b42f5d62fa3bef138ca8c58b7

SHA256
e3bf70d86ba204a59750331cbad65c39e9b38701039a616d680ba030ab5f6a0e

SHA512
5da1f4403c249ad0da6423e86fd5f6faa7a8ce8079a8b2c73c21664b7d6c4c917e7d41fdb483d9d09266bd4082ccb5a43501a78b44d2050bcd70d9860e20fd27

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c6f1fd8a1097fda8496fc7a295497ea2

SHA1
ef5d47fa2065cc01c2ab818d8cc001e1164b736a

SHA256
afb548d7a17b91d4557dbc0b7ba49000e82273ad68df18d3ead2f8a1c3dce750

SHA512
462b0e1d7607aa05b5ccc71e5ee9ecc1f4a17aac4284bd08512ee1e572c5ccf645a93ec9c13ecf88c0d7b3b8394628e9f04e5ed49b578b0ea079fce505f20cce

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2b3a13ec11015323d005741581588549

SHA1
d7f42688804a51eeadf895d09f817b58c0e056c3

SHA256
b040beaced3859ff78670a9d8db0150e538b6174c07479ba856c3b34b4d73b30

SHA512
2c48cb9f90cbe6dd3d7b9394fe13a17580fc9aafd64a4db71abe81d811a6e9c05a75c547d9c2faba90e497ed90f6e5073771143b5a79644789aca67932cf277c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d9cfdeb1b3d27b859525f37a4505f959

SHA1
5a7848635382bf08cb9ce76eaa7c86223e333313

SHA256
b6e37f67bd76ebd9275bca108100598f5dfed65d9a91a9c5c43f28046e799501

SHA512
ac54a913704a24df931b7a37e9a68aef68353977cb9066109314ab603a68686abf6a77aebbb49be46f36efea8ef1b58df9f48bb6f6774f935ed38bcc2dc1bc7d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1164-41-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1164-50-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1164-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1164-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1164-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1560-132-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1560-15-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1560-24-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1576-566-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1576-254-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2020-111-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2020-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2044-142-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2044-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2456-534-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2456-4-0x0000000000D70000-0x0000000000DD7000-memory.dmp

Filesize
412KB

Download
memory/2456-12-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2456-110-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2456-9-0x0000000000D70000-0x0000000000DD7000-memory.dmp

Filesize
412KB

Download
memory/2584-192-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2584-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2584-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2584-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3028-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3028-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3044-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-567-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3112-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3112-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3168-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3168-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-37-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3284-29-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3284-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3284-141-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3312-493-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3312-570-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3364-397-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3364-157-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3612-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3612-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-497-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3996-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-53-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4256-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4396-519-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4396-193-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4676-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4676-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4892-181-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4892-485-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4960-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5064-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5064-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5068-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5068-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5096-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5096-565-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download