5f7a81fc7f15841bdfb6c5bab2bc1123193c0b5285c0e37356fea16ebfb6ac79

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
Size

1.5MB
MD5

39a2fe5a69b94f5288413d227d394a60
SHA1

b24a990746de37d3770236f0e5bf686c3927578a
SHA256

5f7a81fc7f15841bdfb6c5bab2bc1123193c0b5285c0e37356fea16ebfb6ac79
SHA512

67148fe98a4849bbce1e1ecb331cd9687fef7e7e2b6922e98f50fb09f5c5058a68e759d20b0bee36c9799bfd57c18331c6c3e536402844b0607e813b65d38a58
SSDEEP

24576:Q8TNjx+mZCkt76f/24pN+XNqNG6hditW:QEf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
100	alg.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
2496	fxssvc.exe
4892	elevation_service.exe
3440	elevation_service.exe
3604	maintenanceservice.exe
2604	msdtc.exe
3444	OSE.EXE
3220	PerceptionSimulationService.exe
3156	perfhost.exe
228	locator.exe
4416	SensorDataService.exe
1368	snmptrap.exe
2524	spectrum.exe
4584	ssh-agent.exe
2304	TieringEngineService.exe
3416	AgentService.exe
4224	vds.exe
532	vssvc.exe
5104	wbengine.exe
4280	WmiApSrv.exe
2292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b80562241ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0f17ac760c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df555ec760c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b49059c760c0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000606871c760c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b2e57c760c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016573fc760c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d9c07c860c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe
4356	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	464	39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
Token: SeAuditPrivilege	2496	fxssvc.exe
Token: SeRestorePrivilege	2304	TieringEngineService.exe
Token: SeManageVolumePrivilege	2304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3416	AgentService.exe
Token: SeBackupPrivilege	532	vssvc.exe
Token: SeRestorePrivilege	532	vssvc.exe
Token: SeAuditPrivilege	532	vssvc.exe
Token: SeBackupPrivilege	5104	wbengine.exe
Token: SeRestorePrivilege	5104	wbengine.exe
Token: SeSecurityPrivilege	5104	wbengine.exe
Token: 33	2292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeDebugPrivilege	100	alg.exe
Token: SeDebugPrivilege	100	alg.exe
Token: SeDebugPrivilege	100	alg.exe
Token: SeDebugPrivilege	4356	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3640	2292	SearchIndexer.exe	111
PID 2292 wrote to memory of 3640	2292	SearchIndexer.exe	111
PID 2292 wrote to memory of 1972	2292	SearchIndexer.exe	112
PID 2292 wrote to memory of 1972	2292	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\39a2fe5a69b94f5288413d227d394a60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4996

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3640
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
df7def9adf5d190b6376dd1f2d438073

SHA1
f08d76c03a6c59195128f98ca42e8672671fb4f3

SHA256
dc6158ab2d1b51441b0665122932f5ca00d6c2dc8addcfe62fc6dc5d83023867

SHA512
afc3c1edbdcb4f4a5dc55057e3068ce31a05a1591aefe114e209160f2bbe1ecc485a61293948a6b2b116c1432cf42340ad0869d9f50015cbc94ce40b87736aa6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
47d9a82f7be61dc39dc15ca47d0c7aed

SHA1
5f647395f366582fda02357a19af48e03dcd176f

SHA256
a6e169c6cd6caa63e74b3c8c66ee4eecda6df0181181d8647597d16b85765f8c

SHA512
751f6a24206981f9c341178626a294caf49c9da4731bad226b443afd2852997f09f4cfc04c57930c1010c289967f1b2cec4e23639fc88f27f92e547c4d298000

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
247a8982502086ea3bbf869c27f2ac6f

SHA1
348f192060ec30f06a9e03975d8083efc1c61ddf

SHA256
e558935996606c9b559e325ea656a7dd6d86402dabff25b3fd66486a8483000a

SHA512
4776bf7f80fa25a3cd70b58ad9b5e3e89b7f0d24efc6a5e287b8d0d84b7aaa057397cfb25ccb473d62ed537cf8922e2a30bacbe3ed07aa01d7cb0f9cc2bf1226

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
75ac3522ed2e93edd1a159d237a4fd1c

SHA1
07d52466c640ca920d52090759695d8be44db17a

SHA256
4fdaeaf9fca8462b1dcf6937c3b981efca5c2a6331d6cc7aebaf73eb390f1fd8

SHA512
aeb9c501585dc1933b1baca2352114033fcfb10c971f98767e13dc2fab0345dcefe13cc3d9c052db33a7534cb3bc86caad98176f4496a8d756540eeeacd125b4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e3a9b948681295402c560449bc4d4f6a

SHA1
b7f860c20fcdfe09e979137cf6ae4bd250ee8534

SHA256
43b8eb2b29715bec4d439fa880dcfb5fdec0f2170a845be76092330ec70aadc5

SHA512
4f69ef00e017645797faa87f12bf6c963b783223e26af760be89c716aaed96169d606890c802c2dff65341b1606bf2a55a484ffb18ca103c7c29648a2e9bf671

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
f5226fbe02fe91015ab3764de1a2a6e1

SHA1
5f20fa817aa3fed4440b6738078208a99b9d6726

SHA256
7a228f0d73956cd7d7fa6078aef6914cd9b53ab55a3ae2a4a213befc2e4f5677

SHA512
8d18fa46cbcf30ba5e3086b984e3785cd60ca7d42b347356970d07c2489941a6993da16a98e3818c82921c9f15dfdb8339c3e91d3a051cc0b910d7bd2a21231b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a48f0217b6f563b63c5760f2b3846141

SHA1
cb1bd19199b4020b06ed3a68ec66c897ec909782

SHA256
461814bf0d96b8c2b5776ed47e87fa0b9d421d84390f1b3e4809b59f09d1e87f

SHA512
b7ea0957f787a1dfa197c1587872df871d6e398b540e4e38e783709f5ae384df110d3f6e431f5cedec887a1d7002c9ae3e042654b3c739f00659a1641ea76113

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
efca0ee98730f79d605992cde1d247d1

SHA1
418a05d15d5765be628704cbf0fe8aeb71c299bd

SHA256
ba2c425a394975d94340c12270a3dd10ce01e49892fde675f2cd6f7ce1977309

SHA512
5976e445cd9f87d40bf0576aa7690e51d8c536e8a5a4ff0960dee5e2b6684c2de2510ea7f212d46c0960be458b063657805cf37cea70f6b040ac6b398b8ca813

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
2a8f009bb0b4b8d500b7a1e569913d3a

SHA1
81289a24d2f7d2cb058f0b29ac1854e3dbfdb366

SHA256
bcb467669f3b62bc4b6057178c8e768dbb5230c6a453b1485b8f7e98d7627a0c

SHA512
36daca992935f65ba18534e2f19f90028a445193b79e3b219163315860d699dbdba8d976e79bc6d798f66e1d38eed4e8dce2f038b0caeab79aba4a4a57bdeed8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
883609508f207573563d579c42e29c10

SHA1
fa8e7461e3a1f133c456c319a151985d63eecf99

SHA256
4048c82e6b9778a064b7d0b2f9f4513b140430290a117d3a8a9c4af61e19bd11

SHA512
440b093544c281760e58ab880cbfa029a3f013a2d2e8aa16ed5d180047e08185f23e521088b9e56698450cd5a17452091ce6d9bef104e09ffdf5524a34e05932

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dbf6a13ed8a0bd0e1c78c4a855e1616e

SHA1
39fcbae4276be7ad8ede4409413ca5993169d013

SHA256
2fe9ab8f7f8123c76db667a8016e508cdb889a5e8b9f555101058fd9456ad692

SHA512
a6d841fdee4167811bbf0201db63cd023cc269aa72bafb5bda9acd98772d32cbd85bfe8d197ada80b1bbb71f3624e147674b2492ad3278871a8d666b3b4f2c90

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2e50e017a52cad587e3a49729b818b3b

SHA1
5dccf631c7dbedf26a754c6ab7ec3b1473c26ffa

SHA256
5fd68b8113f4edd01c719904b958aeef15ac51472d0492ca38abf119faf7e087

SHA512
01fc1477d985aaf35cac07abdc490a8ff83d6d1f62f1eb4c0e1b2587636e03e0b607edd202c99cc5e12d4fdcdc474b2fef763a4779d0cf197d50f8e96264dd29

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5cead5bc18ad3a2267f4a3b97d61efc7

SHA1
dc9c23119d4f353edd7f0baad64cd6992ac77adc

SHA256
00bbb64d7b54c8ffb1fd03bd388bf29d9ef8a9c5555b57c177810f01cb95300b

SHA512
f5cb939656cc46082667b017ff9bc43ee24151ad192d238bb087ceaa2229fecd154441f42a2dccfbbc3d04b00aeb674eba449274d04749fe6384c0f2c8e9e9dc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
936c6c7deaf4109f46c7d5ecd402082d

SHA1
6af008bef1ed34d626c4f2fc06a5bb68daa0684f

SHA256
56b23ea0b90674551130af43d7cf86cdd61377bbeaf8047be79c26b20f5875cf

SHA512
fc64dae4a08eaad483097d565e4298412d0a9d28b6fd8bb75b5a945674c58f182328f47df4ff95e4d8ec0ccd79572af45b59c5268950faabd5edd0d9661e01bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
976c2b26cd2db34bd42c44ad1de2ad0f

SHA1
d1667f9935233a72b47eadcbfb120e395f5b52ed

SHA256
7bddeb206b0c2096481e96b83db77f956aeac64af089579b6a44ad36bf7d3d19

SHA512
1ec80df8163185b45c817ccce43c040ef0f96c1ed331a7b350526dadf7a7663778861d3b48eea2090daa77b8d741f3e8262be9196db1dd5f90af932fe18ce982

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0a90bd55a0a0426be9a6639b2c2e7054

SHA1
8094649e09175fb00157729530085e035b4e4728

SHA256
af5c3811833467c4ec9d41f6701dc72195ee16aab3ba743710f18f912f451b0c

SHA512
2a0eb18c07b33c037fd5c25dcfe4858d78b2d71ee4e34a35ba88711626b2869ebdbededa99c96d03ba9b7b82f91eb44d27abfbe01df9dfbefcd14e6809e6f055

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ad9257da134bd02ad7ab5c1bf5c53c83

SHA1
a7e16eafa665d62fbcd2cdaefa8d3fb4858130c9

SHA256
37983d8759ffad742e510429aefa7738b80bdfe977f937c20a740e559d16bb6a

SHA512
ee414263bae9054bfdfc2ca8b8b4b93d8cd7aaff101185ab145d595364fc32d52b3b3d56a49152b3397d5b15205e6b4b873b67ece40db72004a7d44cdadc9767

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
55c61ef492913a64f44d17205f541cdf

SHA1
3d73e6ae8271fdada84c37e98deb6625f59e601e

SHA256
37e2cdcfa959b913afec2d3cc080c5b029a2f095a59cc3ff95c28f475cd743c8

SHA512
dba60b87e1addd2a53d62772abc0dc9fd454dcc3936199c38e64f4e9e65ef055eb4cdceb4169224f8a918a948a541193b644a0a7a6414a88100ac8379c1dc658

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6db0cc0fa61799bcd0df3d8eca54985e

SHA1
c65bbdde0777f5619199f73188e0ec6581f95e72

SHA256
dcf2a262725627fd82f38741be1c9197b4f9bd6dd23897408126fc9d2c190e90

SHA512
b12030c28e84c38ef7da7b54962286eb93f66fee272c1622ee9e1366449c8d87f51802ff55232f66bcc2ba6abae688647be51f1de27baf9d78439f59e8b272dd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
106278578fa8b2a66abde565bbd6b043

SHA1
1e57f468c692f2b735b88a673d66db3009b7d3a4

SHA256
1116e2e0047def438b028d273edc8f84b1aec58d7313dbbb4bf502c18bffe843

SHA512
7aafccfdc35c4f2fda2fe4108871b7419b4e729d14c97566da934c16916f4c13c2b4e6f789d9bb517031ab8e74b356aeaedc1db0b0b17d94b76e4da3589646a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
9e38c5f6bd447474ffdb746a64acb537

SHA1
ffd26142cbf133de548d353d02e455f5d93075e3

SHA256
077510cd54f54829bdea342e8d3bbf5c08a4092c3c05db877bb58e482a670877

SHA512
458c245fbf01fb5276720afe8c3d26d680d9d7cf546d2e6e5b0d9679c479d77eea2f33b906bd10a8eb1d0f9cf529dfd873ae630e0265ca163b55ac41cb9d3d76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
5c0e8d10b770352cb2fafcf65300ba4d

SHA1
e82c83fdb8e08a7a4141d1c165a8e9061ffad971

SHA256
232efda163cfa603e0c1cc25fe160c842830bd677ad11e2cb90af500d17e09ce

SHA512
048c847e11ca9a748cf58c10060049519c9cc66e3ed7a4e8e1e8d9049febe1946f8899d16feb56270fb3a409f6e540920f109c8584daf3a84822c2f53fceddce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
01c18a961c1fc61b528a8a1317ba245d

SHA1
f23276ae170fac2b871803fca9c758358663e3f8

SHA256
7dfd3d18a92c4cec63e061e5677674b0fe15bae03700e461a07a108e6a5a741d

SHA512
720bfe99fd8d3b13e97687527eaf0f4ce13b0ccba81d51b5c283b78781cdade5f09134fe695bea426ac796d7d82f2e7892d342ab0ea8112c1b46e08411e14dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
85e0ed847adfc8194fb8c4fe6a04e5dc

SHA1
df10e24559870b6568586379f32d27e99a3ceb67

SHA256
3965408f5da1b20431d907686bd6a24d3bce82aed72c45fa47a94ac272d9c564

SHA512
90a6101bafe04378dfd1f65484b49c946689e31c187d490dae222d6b852b8abf5084b4b0c480bdbf35e0157dcb00068039c0623616577ad938e97d8f5f190ab3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
5f3e9e9d69e0a1ab1a745bff86326b41

SHA1
c5e7dd49b9406702fd5207bbc2f0230fa8527d71

SHA256
7cba68d546dfb3a569b79a0355defa93abc2b1907dbb5fcc9ee490ff00332555

SHA512
3408a9ee12c666c200b2e53b1e9c030378e429967587231b490d7fdfa2df15b0c94dfed0ac79c287f307ed0f3254b300bd10350d021d5ef97fb66b68052e582f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
fd61ffc2a680254c63af3747b4ccc98a

SHA1
6769db0c5d4e9950e652fa3a120982ba260f2640

SHA256
c601a0ed7717a4f1934b772904033f3861ddaca260668879506db4a4090aafe6

SHA512
c230c57c769ad89f017d59705ee17477bab6419e2fcf25753232bf897690f3cd6434dda26586111559ca8cb6e9d22da7161cb5182fe1f5ee158a7fec4c02970a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
ce87df23c5ea90e96664052cb3c47377

SHA1
dc65c941ebd34a232ba9ccdf29317bebab897944

SHA256
e9cce4f4b220716078b0e351e07c432e5474f637a8fcb426286e189dc740c3e9

SHA512
6c7f11dc87a7ac2a97d1c1b31a772ed075d7a19ea0957bdfa1a61b115655b50edb2f517c8bc1f68c12a87b0203cfab6a9780450debf5413c607237ccb42b2d67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f6d482513d34b6e8b1c8127c46dae420

SHA1
f140e9d76cfe5bb381e8dc9b3cd7458a09031cb3

SHA256
69b6c2c5a458b6aa105ebe7f0da0bfe527decee8f1bf66453297a988364db1a5

SHA512
addc4d494e7f46947cfabc08cab24b93ea369d61e7616a95b266e27ca093ffb4a0fd750c0a0d139b63d5c1ba699e8aa06d5fb464da7371aa9a11bdf66a7cdd7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
03ab7004dba3607b222ad91e75fc7403

SHA1
ce19ebc98d81a0b617e1ef15c068f53087fc88c3

SHA256
ea182ebcdb3341110788a2b806402a84c0acc7f4f5e2478a36816e376f59f278

SHA512
7026dc088ed007ec93c0a2feb7b15456e5273089ee0e7aa4c88e5974d31d4e6c8e7d67cd13110bc3f387b6d6d561f5f9bd03e966c7cd072e40fc2e0c8c339083

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
13769b2301b98a931e1c1b4a790df291

SHA1
588f3641aac39277175caf579627014289882860

SHA256
cff92e2d1fa3cb1f69bb7cc42936a8fafdc7bb24edc85ecf69720f04453e04d6

SHA512
e5b46b537afa56eff1adec9c7e1c15151ab32af32334b263cd2129ca736836ab531c039c03c8cf0b73e94413e9178743d5f0335355314e6dd2a385ed5009e376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9ec7dd329e6fce27f27a0f33d0a11cbd

SHA1
cc50421df61e17c795620cb7cb07b7aa441025d9

SHA256
04b9b54ef19ea8cfe092824d5fb8a08c28daf56b722b38f1ae7369772864cf1f

SHA512
6eaa93ecb876c95f426cdbc54253e18aa321c3a3a620931d71b4075948cda5a1bcaa045299b7883724ecb29b0b9252154c99f82675042c206a30d2fccc27a2ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
aa9903b980f3348fc1a065def3b2868e

SHA1
c0fb48ff72252c8a18504e9d502e8e894fb6a7e5

SHA256
2d93dde61d97c664cdd5d39d801fe0b4379c9f531a1638346c7ca4cfd917d18e

SHA512
ec312e6466469b1b928637a2fdccb58168b8af286d29b0ea33f0180011e7865e6dfe81a8bf61ce2ecc8fe8bd5ee2daca3d492176a51a0997c751f64c47397e5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
8120ee64c409cb3c705b71a11d25853b

SHA1
b3f2e89dea72ab86efd300807eb73d116e9dfac7

SHA256
756cf07b2c9b7bee3904d78780221989e7912880ca5abd96a08482bc340d540a

SHA512
e283deafdbbe77989ff9810444f61a3258a933d742e40f0d846685127971878d45c73b90d82c601f1fe5b0157631fac214d300615d3e9f4ca065fd74e2148b59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
51b7046e9aeecdb4700559b14d8e6784

SHA1
ab860332601ef5494590398724c5d34964c7e72f

SHA256
913726ea0d07cfc02e992b384bf40a1e2460b4d56a7d5145e102df80d06b5b7a

SHA512
a9436393ab4be37e2a94be416f1863f22fc1bf3fb32e3617fa5ddb3c3a483eb32a1865f6267a6b5726f930f86579efd0023ad7c8bf3c4f94b4de686431420138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
422c7ad9fd0d613752d5d71cf63a0606

SHA1
af939f48cb16602d7d5164b1f19bf4c643c174da

SHA256
a7c36a03fe6e4924b02c755ae27e4c079de11efa959df035a3103e6dbf05da6b

SHA512
d002bd3b012ed30a4d8063c451183af396b8d6340d3b537712a006792545ddfa28802624d635b8373c9130f5e93dd400a9d5382b8bf595f81cea48fe8806f135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
91406021fe28df1183832c78032dacd2

SHA1
8819df92b2d1768d67da5d92fe8a31da984cf3a9

SHA256
9417dfd1695617c76b98188e4db3563e1d9ed6c2566dd3b84cc473c1a477df30

SHA512
a1f9e5d1ba7127651a10988d94551ef1954087d66d46ea38f4186ba777059cb955e88528806ffc7b488dff8773e2759eb3413355c554774ddb56eb7372a9e01b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
735fb724967cc2d570863c6ca4119932

SHA1
f04de194082c55f837cd2010f8101e3ddb98873f

SHA256
efec27c6918704eb6f93c472eb33b1c68bf071e0a4644ad297bf4979c21a1883

SHA512
c9dc612740c87032ce5954795123e2846fb02dc9d8233a2e92a79256726d92406456325a0b600ac6c84cfa1a082b49ead25cdaabb3ea1213908c79f42a5c985d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
72d838a05151b8740b5f46c7898f3bff

SHA1
d1217a2d9b7a3c6fcbc180e940c1b7cc571eabfb

SHA256
f9815bbd3da2ec91b209509712d22050fafce704930b403008a953cfdd86d594

SHA512
fc6afd7d011d9102ad7ebcd9b9847f47f20c5ddbb8d0b4becf99e7d9c71fd4c9e51e243d3c01b27c253c004457d8b349bab5ff8f52e3b543a449270b4a209723

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ff920dec987f738b5f06c997aacd36f5

SHA1
a11a40743bee6db4d9290208bdc7d43154f4c489

SHA256
1ae87532bb02036af9f60fdd4213c4eef3ee59a85a94e1156533c60d293198e8

SHA512
0b1fed6f0a67f0b764fa5e629d1efab00294bba4dc1b52013e5d6314d8ab61f546ee4c350d5832b189bbf3230ea81970c03ba0a1318d2f97fa6645028c274193

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4475d7b4910c97415668e49f226de34b

SHA1
f1db562daf218ae20d722a9d0b8e7e50cbd8d708

SHA256
89f0f1edcb468171c7ecaee11bdc57218d9c47955fd034aec8752be19f2ab281

SHA512
2532a5670b0912e872e3709a3e47985751a77f7f59b06f189efad9bfbbe55fd07f19dd65d33ada895c5c2c41bc6242ca01b7c1940ce13e39765c89b0893cfebc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9351882b98e7c4035b39c470db77e7bf

SHA1
0ec50b8cc55929ab415e88b2a15ac2bc08158bd7

SHA256
ba13ee09aa67f84468adc2fd0360e7fe85e730468751f0779f9ad662c9be4664

SHA512
cabfbb63d2aa87ac4c8bc1c999ba31880a131371f40425ee2781dabd6a461c9b0f109b344d3ac816fa482914bc1ecf8307f3c1fea95b8ba17f5d138b97396ae8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d45b3ecbaebba1487dfe59b86f7c1cb2

SHA1
ea36c57be996a3879b82ea77cc026d2c39b7ad28

SHA256
9d4702aa5e9d4b856a276c0ec14a5b1230460dc33a78d71c1e09d52b43893cd1

SHA512
8de29c28d543ea0c9fd3941cc854e0474d6ede6a39a9f3398f25f4a636ab3d88b2c68d2406623c750a5bb6cebf009e41edbf5ad612ccba2591382b47595fb893

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ee2da0f934976f9c7c8e5c73e3fead9a

SHA1
27ec3e8e6e24dff92eeb321a606037f72d2c17cf

SHA256
f835472c06219660e6cb08a0bc5274fa40c95ffcdfaedd95cccdb519a3612305

SHA512
58a108a2444d7e3158b9b4c6cbc0816a8280f9883feb68ee34c4798f98be31a8f92946beeffb0340e40983cf0137adab9272d844353b48ba8f752a12ef61ed1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
016f1f695379871d8f80601e1e42990c

SHA1
8e3281ade60fefae4415c6b2afa76ecb9fa59db3

SHA256
7a0ef4369e92f0dea79e277b1adee49b0db21cdb45baf1fe407d09b075f5128f

SHA512
e7747ffc6af29e764d5bd948fd7dd090aff629d80d596798ad5ffea4b0dbc96e7f829e1e0e31acc852af44b20663496db8e2dcf763db9fc4261a30c7a63646ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3fec4f790b9c28ee3a88e66da71098e3

SHA1
c38c523af74f24a6808c59c4183b3171882b8f52

SHA256
288e68f1646a84d910e0ed898e94bce3ba503e49ecd7b3df1774c89e9e280f7b

SHA512
afda6996aaf276a9628d132ed5adf7c26510151b6695e6355c1b17b701297cf54e687b1a104907eb75e07f2e95d2c12d7ae6080da2055c1ccaabb532d9f24069

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3983c0af8cffdbedbc25442b8a54d6af

SHA1
cac84cca4290c9f580e0e3faf3826f08b1c88e96

SHA256
a4ff50c38778a881c7bba303abf62fbca04019f8425f9656e9bdc60783120d24

SHA512
f3c422160051f1871e1719c49eac358640296665468a5c94d69792efd19c4d3c2c4cd92f45cca0ed35619bfac3a3170e171cb8462ea5eef64e2abdc38e361753

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fdaed62e6d4ef5922ef2a9f652213c9a

SHA1
a004b09559d1f93dbb0f23547b296f7f2edd4b32

SHA256
49ade17211f0a7a25ed447d7a834f69491388509c248c243fa37bcea44bbdb47

SHA512
955ce615d9da7d001ef4d4e17e7b2fa25d88dbd3ebda61231d1573586aa215e6e1edfb9adedddf2c1f4a284bfd2c3503a545aad370b14507b16b7963acacf8b2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
52c584d8b18644eb0105b235670c6fe3

SHA1
ff4244005ce0087421b0b6bd0610f5ac6989b154

SHA256
7ea8c80ba7d32e10808dd5ee6a6b5dd8742c6b54c7af5dc7fd10c5e4144a04c5

SHA512
2190e22dcb6871268768d450b6fefe10fd16a2d2256f016c0e896f16b0f7283eb458f4bf6ec171c625743b254907549e696629d33599244d697b10211ce8b95a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50726a41d495fb1273e5dec5221e92e3

SHA1
ab49cfdfab143edb80ff60a02f2a80f5f24ae609

SHA256
511f9bc871eb4d3715a252bbb2770e565bec45865523bb40ce5706c2be39c89d

SHA512
10fee3af61fba0460213c863a54bdfcd10564153a6fbb67f629927f426b52c8fdc3a346c6004603822489eacce17f0ac1e2db775fcfb564e30a8673a18f6e5c8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d8f8c9bfa7dbb003ca19fec1546e0ba2

SHA1
4498885831a6b15115037c37669caa3352f029a0

SHA256
4da38663cacaf95d6ad31407a2e2a4bc546f94f403b41828fc9d1bde1de3f6b3

SHA512
02a0653d0281ac24e535068885c3d25b15d3bd35413a2d0bd8c962c59722c70b44d279fc269672380cd823046e5af30b0cec3fab5ee777ee733ee79d362b8dc7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9aad53c945fbb82ecc3f9c6eed02aa35

SHA1
c487ad24a92b4857183006b90b5cf4a02ea7ef13

SHA256
e0e79d692b128634cfeffba38415ed784ea3406b84953970958aafb8ac008049

SHA512
4f7c8a3adeeb9cf22e3057028d60cb1ee2ec072d46d674373aced65e4f72afff8c6874b36b6c478291a763d90d5bfa1204f55c670244e70b42d19d61246dfa3f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
859479afe4d0d4309568e29c28174980

SHA1
00f5894e8ae737137b56cd08647022c579d225b7

SHA256
2e000fc6a18eec66999b6d5ca4abf8d05d097ec3f0b4b9c63e539753e1514d35

SHA512
a6c67e1f7e36d632c6526c2696640f7feb2c832e7267f12739d83e78605f5d8754a6c8a47c6897173f6b58613d7f498a2dd5cb1c20712d3e4a163b22437e82dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7d80ba271604170156ba1fa4914450db

SHA1
f371f7131a1ece91cee6ade2a3c9f129caaf007a

SHA256
8d6883e7a54fd88b97950824f8027587b33abf3ec1d7d023358a02bbcb300e00

SHA512
353ae884b0592f8ea561d73ab9af77d6f2b2ca56965b970383cbe896bcfe0cd37c887d84ad57b677b021365006c78137cab150234877d1d5fdbe1f71ece5bcf1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
39d8ae90287c679bbf3a3da57a15012f

SHA1
15acf010263b42a778b7bb10294ad6750ae7a671

SHA256
efed3f6201ee3b0cfe76b03eba81c3789e987d5c29589777c40aa149b735c982

SHA512
ec5bccf5538936c96bbf7fac085955d76df238d3591954549d391a8fbc96f81cb245e81cab511414a338a25932a0c961a88ff98cb0dfe3d2e99257e8f28150c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4c2e7f23e829821ffdbc087d32b61e2b

SHA1
679c5565327faa29f2642366f2008fb426eed78c

SHA256
eb2b68282e241dc1d5416510f73b590f9f74a73fb4345302dda32145e47678cc

SHA512
94117348be7105cc6f4abd2a93da835d8a1250c413a4f29e63d4818c7739ab5f556d86bf562c553a8ee900946bc5f1bc7b969198870eee4854e4760246ffe190

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
04df18d147a61b86af70b32f01231bcc

SHA1
8c831413cd75b1da80d0fce8d1b171661b34419c

SHA256
f6bc164fc8d69f4f90713f9bd260b93fe3242334af38ce4ffd4d44eeb9e1ca8a

SHA512
53220ab72156de92eceff4f777d88ad7435c7e1dbef0580efc4d90a4534c1d1c9893bfd65381fbfae58d98e5ba3255c294c4e9131fee5efefd4b1a461e072d2c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3ac8fdc545205e2b84717ed2d1a2d4cf

SHA1
ae21cea20e2ac5be773e7a0cb712d2e0eb7ca81a

SHA256
692d0f0a18430a09a77006d104444b4a08b1c98ee8a44c8660a9688d7f3a23d9

SHA512
5a1f2add2e5b2b46e5328fd070126ca5d9547f9b00427c882e7c7d80d56807e998ab4fdf95feac10b7794f94e2cba3744ff568932ef2eb775bbd077ce9b12799

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8180a089fd64dc4b96cc4902b94547f4

SHA1
bd678b1bcbc68bf3a196cb3b5ed60c4f3051e83f

SHA256
a6b48301f61bfa4172552ddac320295a9d7bbfceb0104db34c3045f203be805c

SHA512
13e74570fe0adf161567b8e35b309624294abd5ca67b68d66e4bd2c2e86e53b6c1044aca3ede79e76188eb790063eab1c2abba3a31592ba9d2275c142922fa36

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
a65f4cf8777e1408f1c140a2122e47c4

SHA1
a75ff46c5267a50f227dfcf6c75dbdd439f6eded

SHA256
c3c4b0f6739636f68be9836c83f8111660c1595a242ba2e0b21e253ea4bd0082

SHA512
5337e5af2d24c4bc1b9bebcecea8c660fa3abcf4425225ce121b0de217030b21e06b1b52c64dd3fc2759b1517e44000309c580b4c7deb74e82b4ae1d34e35410

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bd0452a8f176e41284df1d66836965df

SHA1
f3b8cda2c1ddec195417ec1f90f3e84e92c52375

SHA256
d8dfe586c308ab36e6077f1f5dc84e43a8f96f4c3cb43ca422eef9f8de7d8b37

SHA512
b935a62b0e52050cdd39e6c9da2e7a74370c33fce340d02ba9b4d6be36f18d3eaab69b34ad9da104553d5efe19952a40545d3d2837d62ba051f12b4810f3976e

Download Submit
memory/100-124-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/100-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/100-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/100-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/228-140-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/228-252-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/464-8-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/464-427-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/464-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/464-98-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/464-1-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/532-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/532-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1368-419-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1368-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2292-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2292-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2304-607-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2304-197-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2496-61-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2496-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2496-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2496-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2524-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2524-600-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2604-89-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2604-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3156-240-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3156-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3220-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3220-228-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3416-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3440-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3440-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3440-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3440-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3444-216-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3444-110-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3604-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3604-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3604-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3604-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3604-80-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4224-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4224-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4280-613-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4280-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4356-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4356-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4356-128-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4356-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4416-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4584-606-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4892-48-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4892-54-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4892-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4892-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5104-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5104-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download