faf87d0f80755912b721114fb5ab28c83606b06e4ae50bfe0e6be02bd3a20f51

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
Size

1.5MB
MD5

503a644f423ac44f03dd921a363623a0
SHA1

1e274dda1c2d5b979404f01f100e214f5315beae
SHA256

faf87d0f80755912b721114fb5ab28c83606b06e4ae50bfe0e6be02bd3a20f51
SHA512

ef95dfdd7f285559c76c2b1ceae22dfacaa38b84d6ff51fa5ab1033f2483a6b2b8c21d09b99f6d315f317f42460ac560ea92934e959832eaf7f8c3dcde9bdd7d
SSDEEP

12288:F0GwYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:O/sRjhm0Ijr/eax8JXO02q3A

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
216	alg.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
2964	fxssvc.exe
4444	elevation_service.exe
4148	elevation_service.exe
1780	maintenanceservice.exe
5000	msdtc.exe
1480	OSE.EXE
3552	PerceptionSimulationService.exe
1056	perfhost.exe
3940	locator.exe
4656	SensorDataService.exe
4452	snmptrap.exe
2368	spectrum.exe
1512	ssh-agent.exe
1044	TieringEngineService.exe
1948	AgentService.exe
2964	vds.exe
4532	vssvc.exe
3652	wbengine.exe
4460	WmiApSrv.exe
808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3992c614ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee013aa876c0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2860a876c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec598ea776c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea3cfaa976c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfd084a776c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b41f7a776c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd9bb3a876c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275248a876c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe
3264	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3076	503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2964	fxssvc.exe
Token: SeRestorePrivilege	1044	TieringEngineService.exe
Token: SeManageVolumePrivilege	1044	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1948	AgentService.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	3652	wbengine.exe
Token: SeRestorePrivilege	3652	wbengine.exe
Token: SeSecurityPrivilege	3652	wbengine.exe
Token: 33	808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	808	SearchIndexer.exe
Token: SeDebugPrivilege	216	alg.exe
Token: SeDebugPrivilege	216	alg.exe
Token: SeDebugPrivilege	216	alg.exe
Token: SeDebugPrivilege	3264	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3136	808	SearchIndexer.exe	111
PID 808 wrote to memory of 3136	808	SearchIndexer.exe	111
PID 808 wrote to memory of 4624	808	SearchIndexer.exe	112
PID 808 wrote to memory of 4624	808	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\503a644f423ac44f03dd921a363623a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3136
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5b3f9030cf9e2600e0777fe9769095e9

SHA1
34fff2c8689fb35429b2874ecab8938ee3aab6a0

SHA256
cc893ba53e7870e587c0dc0974b2226e08c0dadababb0ecffb21321f0e75f97c

SHA512
1020c262adfc69e63176c1deadbcc001063c4e31083286f47431c30506b29f150e501bfe171a7d524caebaf6ddbf3fb4857dbd687c0a9f82713fb983f6326827

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
fe99e8daef8880da30adf17ce18ed7dc

SHA1
56bd698a5d3af26b5a5cd16ae6db4e207632278c

SHA256
54d8e24d18c01c9928199219f87b91364d278ff5f6fbf75984fd75088ae0c2bd

SHA512
583ff6407314d20e75882f4a0b0aaad7afcfb20da03c6d9b97bd9b77a86281f4fd2fd71fefba08944f2ba2609806a66ab678eb227b5205aa9aac5f227891999d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0e2a4c81596d7388bcc94337b65358be

SHA1
5a01e738388eea2b4ccd5fa2e376c328bc414eb3

SHA256
e1d39f28b0258f2b912e64ffc1d6f6b711b6291fb99d0b6684f5b662592e3279

SHA512
2894d70e50b4fffbeb188169b18d9becf28a37b6a26edc3d2c4472da06d357d84bcb2cba4f8faf8c2b48a4388d4499278f876e99a7f00e605dd4bd0caf2558d8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
622d081ac1e1d3293d55a3dba2f9efc1

SHA1
35dd573e1732236e2f4892123167492eebc7f45e

SHA256
365127f3ef5ccbb08df4fc8e09e5fbd30dd1decf957144b6b8545980f3eddb4a

SHA512
1e35250f1981eb3d95dcf1453c4e9e2f17d1e1ecb64b72d3ceea8ae81405d024ac928c3691b700a7858f8df91798b5464359b1d62239d0db969c7332f93d52d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
682c4ebc0fea3b1a294d0b16a13478af

SHA1
09ebb95251e64fbf91bec225d129230cc283ad43

SHA256
e82f35adfd35cdb7616fbd52b542b508fc66b48668bc134f48911ef8fa9b0252

SHA512
49ba509728e8d5ec5117cdbb202902e5b0197756eae0adbd1e22d4e517748c85eff2103272601f950b3d105e9146ad88d01f124cd6319a4469524184656069a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
8261ae5eb8bd2eb7be125386ef00ed3b

SHA1
13fc143c45f4bada1a64f6d7298b9699dd31f989

SHA256
01c6e8b567d20ce90df03725539ef4d0c15ceb543d80127b305c277fd52483c1

SHA512
ad399b0e54253e8c38bf8e6e6410dd9269c8f22c4919cb64307e1d0a1c2a33523318ac34d5c8b9c214c8da8ff246f5a179f2650eb8532b84cee50fc0ca4a1c97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
52264381317b9f1ce1ebde208bbf68f4

SHA1
9ed9641e21757426b53fd37aba9046593db39429

SHA256
67e7364baabefaab5fb2a735ab4ac56dd823439ecce6e5f458a6b2101dcb2ef0

SHA512
f2a00983c0b47169ffb948292709ae7d89ccb76aedc4117a7c596094987378bc7fd8430e9d4b372408ca4c454d95fc8e2b400b8e4980a9d06e515d31960ebaf9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0b0d94a216d1be7410daebed232c4491

SHA1
3b3cc14216959597b8898ef34d4275365eb7ae13

SHA256
e23de23fa7e5af5079d4125093e7e86267bb7f9c61dc4886ed3bcba8a9f66241

SHA512
ad46018cce6592221151239259da1cc0114e16efdeea3c44a112bb150cbb7444ac8995cccda34b6b0ff79d901730f75454a188a96f6dbc6c963993ff2fa8a006

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b863972e04696c39b3490cf071708b1e

SHA1
bd1fdff50a04d2588ce7966c803aeec883b17469

SHA256
780d15dd7d3b31aefb31ff99c3a1290f455c5daaa40d2d3e375392d08fd4a42f

SHA512
e6c42e2c6a9c4d3678c51a345953426619387f49f4e8801a1e1c13dc3dedb0562ce3f2defc46e7dc9754b9e8d590ae168f8bda79b4518517971da0aae166f186

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2db02fe59dcc87fb50cce2992d04967c

SHA1
7dd42cb29c7681b549c5b3cb2e78f19b21c15a20

SHA256
5664183fb9177b401396d15b00231ba9cf03c713428231f6295323b4421b596e

SHA512
8145931cd9f83e24a36bb6026b20542f5630f5e5258f7f7fac416216546319b0d8679482e3ac27dc27528e97f358b3ecda1095b2bf83d115c3fbd58753262553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
20d4fa6f41a2aaf916f1234ce27e711f

SHA1
cf5eabbfa97a0b4d058aa2879306eee47b6e98f3

SHA256
c7222c5aa4bc8ed8636f78498ffbaff92bf79696f18cb988d762c59fca624fb5

SHA512
312f87ce684f6d40591ab1693dbcb7b4871b33356e5a4c986698a2e86b5b21e5fcf82475dded139d9ddaa2055a8664920e7992b4cfc64e0b674f279e451c79e1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e3550ec4839d8a790f1d85b591d07a32

SHA1
67f040dc94c5211a642e99a35218ce00575f59d3

SHA256
8be81315012365806031c9e7e95174806caa68a773e3dd8460df33181fb5ec0f

SHA512
ab2349254ed1bb06ec209d531bf0cc853302b138b880d5340eaa6197f2e303d6c24fd29f9dd40d1788a066db43945fe80c2922521f5cc18602ea2f51aaee6f3e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
759747c61aab10e6eebd7ceab5e175cb

SHA1
4cba739088213b0f636dfc2b00d8733c8872930c

SHA256
b3bb865c26c6690ccb9b375417e611097bf9011caec3795faed286a730f0b96c

SHA512
77245befe45ff2c6e8eeca566149481274c0b6a786c45010ee41adfdd567cd701ffe3c5c3386f750358b6e0ba872e2d6599c567bfca516cd4c264bab7a807c10

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1ced56399f15273f2f8a8dd609d0d99a

SHA1
27a4b1f408f71d6f7ec0907f8a1183c417662834

SHA256
5690806363aa7bb658d50deaf423a069279306703cc2cc32482edfdea290d358

SHA512
bf3793ab6f2e7aee3b052bd9110f4344d01aaa42bda5dd2e42b98df3138eb0b1087ab8c241692ff2b239dc60d7a37655ce5c922402c8b46cd471ada12da56bbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
babbba1f4e9ba35cc828c551ed8bf26d

SHA1
f5c07db085c435b69cf024a55a0be7dbba389efb

SHA256
6887398519b89400958c5e107d7ff649d6e436541b7555d85aca150fb73636e3

SHA512
052e5851cdd45a6713c774f5f182343ecd287ea2f4c26193516d50e122a3042490556c47b254c796720666e80fac895969b96d2a92bd8b8fe56c4184754bd4e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
278bddf49aee09b3fd949dc60410f416

SHA1
b7f9c4052f0088862d08f2ab93c38289d04a5edc

SHA256
e68931682c6194e78a5612b6c733b6deb8f4efb086637c3aa762642f712080e4

SHA512
2f8787dc80d748828ee2ea3124002f27c4a82d9cbee90053d2f60dc29740f3ace75f333bccd34fd90c1d448b31bffad01c888896cd862961ca38f296a04b14fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b494cde752f03311b91905b8000ac376

SHA1
e348e63a972f486945e426d1bc21cd562dff746d

SHA256
329ced2f8ca7f3453ab6ffa6972dcff8dbafcc94dbfe25234f8c1d05d915af22

SHA512
f40e3ed1e7b5e98b87642931354d26b0b2338be1f296b569e19255778e194a4f78728110b85ef725c38943d9980d4061118031d2a43321fd20e95b3ff0b8f963

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4f51898a1f606d04234ea3b1a715a6e7

SHA1
353b4d2804b639770cb79045edc1d6e02e2992b0

SHA256
c3f79930a8ccaa86b6fe9479a4e09cbdaf1a808546fa007bbffdb5a0360f87f5

SHA512
0316c8a0abc32b1073cdd4fb4ac501d787f903538f7dc0f537db31fdb6899194dd17168b1301b552080026616b0a16a3f1f9c4f18d8e34b87cd9404c4135c897

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b94a973b56f05550dd2450334a03833c

SHA1
5176cfc2cb87761c25f1966da89c1d5fc82fca94

SHA256
60651d8dd1237205a6137432b76d5232b59435a2b3f59ece2e2dd9a2113ffebc

SHA512
058e5e5b87c5bbd2795b5da2edcb5b20a07d63ba03542e6586f9055cdc7e1625ac61fe2d3bc855b27258ee326f26d15fc825ae3f74a4ed38ba2774aa0cefc558

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2f96a3f670f17441b287a376a9c351a0

SHA1
cd2f11f411b46aca5ac6216f914943d5850f12bf

SHA256
73b00a7f6088fb0f9250d663b899aa9dc1b7946d1e743d1256913d22567d6f38

SHA512
61b64b8d60de43d2ca766cb01629828bda7bcaeae37db2e522d1f173280154dd596ca8d6c988adc641d5d6a7bd4217e0ae233674f180d839e7f660cf349f5a9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e46c7128593243ca1e4d925d375e3ecd

SHA1
4109a6c8ac8b0268a0e534230a155cbb54d795d9

SHA256
0a75ec7dec92b98f0b12e63d0bcf75d9e48863213aec42e7bef727e638db0f54

SHA512
93166d9ecdf23eed141e80d669a382c4efb4b6debb5afd6b459457ae7631b2e4efa1c5420fca2d08a2425c70c89973e381de78d9edecbd7ea8c6a737111b5f60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
08aeaef4ecd2ce67408ef8ad053b15f0

SHA1
4d4ae8fe8bba7ac955fecb6413d42e7db70651b9

SHA256
6e31b36186631cbb7cfd45e87c426b1da749c96896a7a697945c7b07144dac1b

SHA512
eacbb1f31d2dcfa312073155c389b2641a1fa8f21a69861a29ea20f9379f274feb586162d678cc98bd55d3665e53c8b37747fd3df6c1b41f3def08da922e4632

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7150361cb6449f2a1e4855e5803e7ea8

SHA1
2290353b2e677bcc5acdc0e30f1ac7383d4db4f6

SHA256
58647515fbf859567d2010abf1e1af92e0d80db3f228f5255340167183ed29f3

SHA512
7739bc1177e9ccc9ec66f4cd5bd7d29c437416b2a83271def86d55fefcc0dab55651d4912c06f4b5b774f212ce38c4276fc71486c85fe789ac100dbd08c46026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
3671efbae22bc0c2834f9b52a3d0481e

SHA1
27bf81466d15b0619fbb55b02c7279eb4ef380a2

SHA256
e5d3af6281b82a8a9e1ea460ad5f5771c9e4c48eb67b8674c4c3810e3d7a9085

SHA512
e0cadb626f5d57f720c32861d225e8701fa4830b79a937e187ead782aefecbc5b99885a9af552a27c154c59790cb9672511d83e8c1e1209c8dd7d99d3cd4c6dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
d2292ead61ace661263b4a1acb84bedb

SHA1
c856dbfa4dbd1455be059af93b91e26e69528172

SHA256
916fe4a393ca79d285cfd872379321e9086144d6574feb1c4d76f26d92bb2c76

SHA512
fd288eb833e3651fbedd172e18dc0449fedc93505551832c3f5ffbbc3ec5072dbd975048e1c1749794017c2dbd0c5aec978ef5c9b247a4c3113aecec784a089a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f89e938943df3307bce85cfef4a20570

SHA1
20ee5cd8ee35e8c65002a87bad21e572fe7e3fa9

SHA256
6549be4b270802642d18490a9434a64e809bbfc554e0fb0320937a251e73c294

SHA512
20ea7f63ef6e961e291ecd83de7da0b9ee00b72bd5b369c83c3351f80472e23fc656a14feb0886206ac00da86ca47df095945db679d4b751093f6a1141215501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
abf7d0b56e477da2a114129ebd870394

SHA1
b235e0941c83f9927c46a049c3656dbd8c1ade4b

SHA256
d51153a2041a22b03d47ff4ae1b7480e1c24167bd9fc1f42f1791fd7b14a2afb

SHA512
6d9733f2ff577db85a5a8a770d4128d57781df1bfdc75dafdc82179cf83ddc40e3840a1a386300a36d912c8c2c3685e127fda0eb5382101c7933470c70ee3a16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
812ff45f44d99fdc6edd18c253914f57

SHA1
1023fc5b78019cb8f6987082646c281693a09e88

SHA256
dcc3c58b78cae2c2a280d5d03e282a657ff49fbe86c8f100854aa58d9c1883a1

SHA512
f3948f47379e5b4615b42d57dc133b62e96dbaee5feeb35e6e0e1de07e842ffba4dfc889a5a67e0b230ff019917fb80100649e1c45e92fd45a6df3dc39582524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
3a6425d97ad9dd5dfd847f2c77256ee9

SHA1
d04b9a28f3a45a22e184f081c782e2dce0b68a99

SHA256
dc0ab1c82182d64c67415c2e49b97e0be930479706740dfc41c0bbec28a044a3

SHA512
20856260e3e02608acbcf9be8d606dd6ede52d0fbcd1fd82e582e9d787313959263d8091463022e6e47a73e3a33630388a2d05b6d9152ac692578bf40e210f25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3a423b9907bc2878c9fd4a18f9ddb610

SHA1
6849342668db93b96a304af6377407b8065915fd

SHA256
a7dd5c44ba8ca6f2c05f25ff861be6b14fb9d6ef10f10929d8e057ea7b7f88e4

SHA512
716a7dfdb71742a32fe0ba9c12e4d62da12cbaa9f060cf23c0f411077e627cc34478baac2d29c4b6351b35d7e3027259007072f6e4a8e9890119cdccf5cdb52c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c9f806cfdee8d643f2db21c19cbff205

SHA1
a9806f7852fb4a5ea7b47d2a25e98cad34d865da

SHA256
8f38ea9d862d0c48160b1e36cc1410ca0db14c990c3dd9481003ec852853c85c

SHA512
91da7fe328601c817babd9d53ed3fb690a8d15aa8fee2c9e91d486e9a4ec87354912193b589190e5fd47c19ec48ec159c45f10c7e9ba2c9488f20f00aab4f1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
81936b24fe3296bea2dcca69a80f9e25

SHA1
e66f919622f3caeca7dbf66c1d1a538bcc2b6296

SHA256
244786eb9e28bb5ac71a2638315108fc7d54210c9e559eb5075c8af574919d67

SHA512
2873c69007fe72117c8e28e95be968ba77ec0c7e4d993fda69172fd0dc4e3d3b8446c084829bfb5fa0f088ecd6e726e39c7966db5c8b53486dde8b056e39df84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
b7912129986a9884262e81ee89ef8e01

SHA1
61a22d5f01c0820afb81a6f3d0875523ee268bdb

SHA256
a7d0b83a1e895c1652ced6589928cd0e9b755579b603d0d5b61e2882f59bb370

SHA512
7adab1e2cc7b61c5fdec2aa445b66036486160be6a4a73b6235264abe2d51aa742a013a114dd0034ca8bca142d03474587a3cc0b77f0da8901cf7635d10d378d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
e72204755d32dac6374cc2e848339cf6

SHA1
c235bb7f3f10134e1d26e8649aad8c1511a37b4e

SHA256
19804a492ae9199293cf776cbcf4b88b9bdd9f1b20cfe496fdbb47fe06a8c560

SHA512
c5e0c2d5b2535ac797e14dbefcbb30e2f780c573a4f0c10816a5142eab6189af2cb0752ce3703e90dc146b8dd54a65158212362f1d6e4bac4e99812d971882e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
6b5cb2841d253982ce6abbdc8180d28c

SHA1
c28d6c0742811627efcd671bddf757393a076ae4

SHA256
d88a82d37434220a2f6263d3aa2ba3a5a78ff8a3f4c6e464265a95874f0d2b98

SHA512
449f773cd7e740b56dd2f31aea3974180819b680c2ade73cf8cf6f1ecdf96b11eca9da3c2e4a88b0e85d6f08aef8bc1cfbcc71eb7a85e2f32c94766cc136a6c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5758d8ecb3919507dbf4a3e4302b0160

SHA1
a62e48e2d907b676b099346960ea02d64a7d0cb8

SHA256
7c32afc2720e7df6a8f7461f52a503cf1fa4f37b0678d3f4744ac431898bac15

SHA512
6718be0fd9423eaf232bdfe694608706978b518355fbfa88a8a466ca8828123ebe638d691c4eb6f3ecf3a99537d743ad635e29eba01e1309de3954d8d2714a7a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4de6da1cff58ae465e56d7a67af8b788

SHA1
09ec944a4ee361449b1d851b815296f46d10895b

SHA256
d124b21f93e3fde484660f76118bbcf846d9271127d2baccb8614172f5c05983

SHA512
7af566f6edffb7a0eb0f93ffac54fcff780e1a80bf25a067e833af8f96a14fb166e4838f047e4a8185d1d7897b4512db73dd04d140c86b064bdfbe4ec1b65117

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
aa6d45d8198feb5886ae9484033f39da

SHA1
6e694cf189ca86af8b895ff185692424b872a3db

SHA256
798aaf973a5d46503a9a686d1ef24feec69c23be9e2fc1f66474e6c7de62a87b

SHA512
2570d388d48af561293e9b05e978058b53f88c8fc98c3299bf8dd3735e7bd3444a9cde4807fa43d9d33fab76d5ca91b65028082d3ae8e5476dc91db33c00f5d6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
b648050402cac9503757c6d8e0750c6e

SHA1
84900d91b154f5c9021f115fc3378c648fcc02f7

SHA256
acf041620c480585182a5fc14960365aa96a2e82e53b66a504d1f8a2f09c319c

SHA512
2eb8da143dd970387b4be9bd9c658040a9e7d1a422e8cd2cc9bbd415d156d7b375e1d7fdeb51913073f4a01a6bcaa756a2fef964629019bb267ba32bb8ca5980

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
71f2aaf68bb84faa7c8357370a394d6a

SHA1
5ce1fe82b14915e5ee19941d365fc2f17270831a

SHA256
259a1a05c81231e013114f00e7f67015a1bbbab66821dfe1a7c31400dc35be7b

SHA512
6a37deb8781b53d846e18df232b702f47173cc81521c2aad614c61d64563d188de657a654393cc25480510fd8e8c5261bc65e872ac2c9a949e49a26092eb88e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
72914b9dc619f0b1b201074367ba2925

SHA1
62f53c4954b0b7e7c08fa9a390211275b31df255

SHA256
90c7047b02073e099e4cd5849e95a828af806c415ff44c7903c0594ff437057b

SHA512
c346dd5c55443ebeffd706f692f868cd48f00de87ec5221fa4ecd5d96a3515f1a763d14e900fe9ef4688bfd5e57fb3697bf4654fd6487f17c48ff51a17a0eb04

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dbda257529d613c64ff5d94be030e9ac

SHA1
c826dbf8b1e279a3756aa9826e3e94a3a746c2a8

SHA256
5dd5c5f39d450c6649f53d6c0200bcbd7e5e9f0e87698a47584e1f5e3179c594

SHA512
1414ac89fd94aee5df897c2464403f6b744ba0f0cb0c87c05b88b483d30f5788074a19f831b28598bbb87dcfddaefd9c98d1798783aa249914897bfc054efe71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7c453059e6783ae6506a5a1dc27843a7

SHA1
4d1ae8d05dc8933fc6b72b1b0e298de5753f75e9

SHA256
ba7f5b6f2d6b86b7b542b9cb6bc6050cf39f3a318d17cc94c0e99d6ca8900cc7

SHA512
57c0b0dd12e4d602fbd60b91f9202a8f1650163c03e7f26493cb6abb96fa637251164834e8c6cb4e42fd9c7b24042ffdf0a4650a9514caa8eecc36b3e6599069

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
7c65d9323c350e2fb1d381b96c02be78

SHA1
dde03968ca3d9ffad157103dd21c71315b1d0d49

SHA256
9ab75a9af2e41a6ea94357fa9955ae71da3b94ffb97a4ab17da8a6662f774c14

SHA512
fdae9dd4641ec25886fcec92de3a9a9152e13ac2caee8d0b0b6231ae3c77aee892df0e3e30dcf59dbb56b9b199db31433f184d0498709ff05a32c62bcf208036

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5da9465f1354dc2b2cf9557d90c5dc9e

SHA1
3cb291e51eaf57bf7b462dc7954ef44ec15f6be4

SHA256
22412999a0d26c0c321ccd3a0ace4cef19a735f380c60728a7760e4ab41e7b95

SHA512
3ad534a56a666044e994da156c8645c435f16c14407733be87e8db4ed6687f5daec1d75a8d3d5aa5cb4e6022a17f167513fd08f8e5c24f5b3e4b2166435dbd13

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fc56bac5aad24284b59f968f8af2f1db

SHA1
ab611ef0a2e9778d59b4cd0458ea3ce6040d2e7c

SHA256
7b528cb27121343a6dd21ea807103c1c8d9f5963cd828bb444e0bf79a4372eaf

SHA512
0cd4faf10a229f8b0f867976b07d23ed9659ac7577595de67f475d01d1638218a1235bdc28d64cde57d59f4610d8fb62d61f49760f57def54b8d9493b14f4fe0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d8fc37fa2be1f0664c731843ec897b80

SHA1
7b9ff35864a73b2b5a24e03e05df5dab7e747e3b

SHA256
0da8436e0d6e9e7f3df29dff93bcc198cd1424b9272dc7eaf4ca25699f7f0816

SHA512
e805c822a550ef8d97d5c663729b59777d8ed45798d2829d8f9a90292d5ae14c31068bd32cb8e2b3caa9fbec21d9d2ea8cbd4b7f0799b49e67fb0040d0e81d2e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4b34d499902c9cac76d4be98572bee3

SHA1
8d757a4a8027cc54783c8b4958f965671630b7a4

SHA256
980d79d68827944e0c6db01609dc8d81827c9418ba31a44256c6b6e9ee77f0c5

SHA512
256c199955a250daefd44403e64fd1f954e445dbbfc001cd99001ad41990043618122fced2502dcd8a44539489b502827b4732048ce1962ac001d3e5d8c67bb9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
54fc0710eee33d496fa3beffb8758d6c

SHA1
5971cd869d0323b302cb770420be1eb64387a61f

SHA256
80e3ef158ecece3d762ca4fc76c91ad9706dd12fa792cf1374d333a8b9cb04e1

SHA512
744549453186cb220cee7d43aea0f10c574fce31f52c6c2b0fc70f50b79ddebdf9b14c7eb2e5569df3d23e94e6c555cfda0d9bb2439b0306493ea5cc3db4a008

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cfefcbc474922b24885a07cfe84f86c3

SHA1
b9874fdcfc9ddfefcee6343e8e8796cb79f39fd1

SHA256
0078dd0b39fdd61a0424a112c2933400a7c7b483677f78d1257dd26d9f143bd8

SHA512
e13ff8f70079e4373e24c4e542801734afd3a40ddbd49c3e63494e771826f98a0a36912cc5d254b5fbb68aef0336a11d49bc3dda58425bb80aaa1e382a7d293f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
84fdbe856cc1761d12857c45c6b182c4

SHA1
b1f1176f1174e914305a3374c37068da188d4339

SHA256
33154c4c7c4239527fc9babe8f30c64de8f55222a6ff084bef2e1609982fdd4f

SHA512
30b49466eac352e91211a5d479b8ae63afd81d92de22db141cb85effe618c54b47d00b3640f78bbf7e7435ac466da7a4ee3a580ed00f39480597f168c0491a9d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
94d046b96aec2f74d06d77abb4a4400c

SHA1
ac56cd541a7bd12be067127dc76e71ea7b408fe0

SHA256
e4e6a6da7a155dd4c01ce315119ad7bcf172d5f6b3c89513b152706da1a88199

SHA512
d9d41e7757e0381c5d2b6b3e3fc7f5e682b37adeca45931eb993550f240d9777f4526d919cfe3396587007b0039dc9d7ebc94715cfef2257b0ee23d0eee1ada4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7b099fe2e303da61b80a38f5c0a40947

SHA1
aa029f4f42f10cfeddec20358ec4f488c368f971

SHA256
329a07db3f2b224429eea70054d7716f01d8c904a77511ff87589f8a37414877

SHA512
fc0d542ea8b9470b1b884cafa17e453cc5b6477dc138d1f3522b16af7415a09b3b0e6a50b2a84bdedaf509fa66bd1815557c8d42dd066489e9f46a708522daa4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
70a0da4492669085ab75106888b53285

SHA1
9e8c03dcfa9a194c562d4daf390d88502cffb3e4

SHA256
ad5e52ce34e4ba271adeca2d371c99b99a360391f5ed7fe74fc0c0cca5b63a1f

SHA512
438887193034a02220ee356b124af53889138b8fb1c1f27e3736983949f5b05d20e37494e7456f295fa87bf0e6dd1be0cc46ec2387e509b4c61695260f2e00d3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
473197a6c38c5bbf93d74ce8c78f030c

SHA1
b5650f82a7d675bc38dd1a6a1612b88f78c04106

SHA256
891b6300f9d0c7725f0db2ee9cbf5f7a4f6e05085f1fb0b11870b8fda1323785

SHA512
e15d6f565f2a582662f9af773b2382d8516b9391c4dc5579695b3d0158864a7adc370edb6072332f994e9a3cc45d63e4e1ab37a2294331dd9050ba362c218c09

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
02cef34637ac7b23592ca476a6a8de57

SHA1
ed7103e6e88d5de6ecb5b57d84114246dc934fca

SHA256
f19696473cb1e5dfd65a91133c7460ea43276eaf30c5d65028d0cf88209cafcf

SHA512
36663b8f8d90dc3dc9f2dfdddabf191421be4f1c4916ebc542aee2b860144216a55c0f7cf53cc04e5576d9279f108dfacaff9588d5bfe0dde93ac795fce75382

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6dff70a811d134021f1ae1cf84e69ed6

SHA1
b5c84a9d4bbe946319d28d5a9b0690d22a28edaa

SHA256
65eff5cb641d578a70305f738d27d86fac4fef13b9b95be69100ae8586c0db90

SHA512
db83f1b4dde4a8d62d5a3822b0d3adc2198ff3e1755758f5a07fe6f566142d41a6e0c58f19ab3c9923cc9497ce2a1a5bb16d97140da3d1d41c4d1fff0603b344

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ebb6dc371a2835e579c4485063e6de67

SHA1
322257e4e6988daedba6321a3cd82bcb4f2800cf

SHA256
34ee96c8c271807114f6fefe78c5d673bb43fccc36f728b26568ee9ce963f26d

SHA512
6837427671409b181ca31b503d4c50fbc9663c6c96ca79b1bacf3c1722f7747b445f903461cdfaef7591c7716b51dc6089480256d34d71ff0b24cabc46d3614c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
f43b4d7a72d0465954738fd2939c9dd3

SHA1
4b4dd00af42304ccb3cedccad84ada8c793a8756

SHA256
c13826faeb8fb19c27ca5d49dfd90780ee02022e33ca52cd02dd877db8ad4571

SHA512
9f8daf6185485e991b091cf7a1879193e18a0f1c0e46d6ee1bc50c298f09c5294067e06c4a78060a98089debbde19bcfa8cd57e3da53f1064e852749f92b467c

Download Submit
memory/216-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/216-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/216-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/216-91-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/808-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/808-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1044-192-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1044-575-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1056-130-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1056-275-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1480-107-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1480-227-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1512-574-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1512-190-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1780-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1780-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1780-86-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1780-82-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1780-76-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1948-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1948-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2368-573-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2964-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-39-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2964-47-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2964-592-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2964-60-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2964-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3076-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/3076-325-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/3076-8-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/3076-75-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/3076-1-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/3264-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3264-35-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3264-118-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3264-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3552-119-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3552-249-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3652-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3652-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3940-133-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3940-443-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4148-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4148-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4444-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4444-50-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4444-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4444-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4452-164-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4452-570-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4460-276-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4460-597-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4532-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4656-515-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-518-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-211-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5000-92-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5000-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download