5dd1670b79482bfd0d79e3d8eb8c813d08b7c3dbf29b0249a8636d7be35ebd2d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
Size

625KB
MD5

520e1841262cbff851ae531f4b43e600
SHA1

a9213b522273adc568f21209a888bea9b9ef36a1
SHA256

5dd1670b79482bfd0d79e3d8eb8c813d08b7c3dbf29b0249a8636d7be35ebd2d
SHA512

1659aae672c239ab8756972cd091ae51293596783be956577b5cce9f151ca34d2fd800d56c1790dc552a4624b96fb44ab675b8793db88bb077df3540ffd991ba
SSDEEP

12288:r2RUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8o:6Ratr0zAiX90z/F0jsFB3SQkD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2724	alg.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
440	fxssvc.exe
2132	elevation_service.exe
512	elevation_service.exe
1332	maintenanceservice.exe
2760	msdtc.exe
1852	OSE.EXE
4844	PerceptionSimulationService.exe
2108	perfhost.exe
4536	locator.exe
3640	SensorDataService.exe
4220	snmptrap.exe
4700	spectrum.exe
2880	ssh-agent.exe
1504	TieringEngineService.exe
3392	AgentService.exe
4904	vds.exe
2088	vssvc.exe
2180	wbengine.exe
4936	WmiApSrv.exe
3200	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7fb3b2c1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041ca113578c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036b1993578c0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008335b43278c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000855a9f3478c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e8cae3378c0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4ca6b3378c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f440623378c0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe
4848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1192	520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
Token: SeAuditPrivilege	440	fxssvc.exe
Token: SeRestorePrivilege	1504	TieringEngineService.exe
Token: SeManageVolumePrivilege	1504	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3392	AgentService.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe
Token: SeBackupPrivilege	2180	wbengine.exe
Token: SeRestorePrivilege	2180	wbengine.exe
Token: SeSecurityPrivilege	2180	wbengine.exe
Token: 33	3200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3200	SearchIndexer.exe
Token: SeDebugPrivilege	2724	alg.exe
Token: SeDebugPrivilege	2724	alg.exe
Token: SeDebugPrivilege	2724	alg.exe
Token: SeDebugPrivilege	4848	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3396	3200	SearchIndexer.exe	112
PID 3200 wrote to memory of 3396	3200	SearchIndexer.exe	112
PID 3200 wrote to memory of 3032	3200	SearchIndexer.exe	113
PID 3200 wrote to memory of 3032	3200	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\520e1841262cbff851ae531f4b43e600_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4700

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7787636bcd8c0d1740f4cccf5df48486

SHA1
faddb14682a17daf3076f02342fb9ac57270e7da

SHA256
018e707f7f81200baa60024c230acccee72adc15a82db38a20198a7c8e5ff533

SHA512
f9c6fe86740b2d6d3493c55a003155172f4419e49010ba7962a820539045ef5b99626e2711caec4a5e2a0f5b855dcaa03eaf1519e14547cfee4e32065787c615

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
28ad5432a758673b74d0b28c033ad9b7

SHA1
6e640322ecc92a75dcb45b6ec29379037724d7da

SHA256
5cab32dd761f56b07b8507aee4530961646261f2ec46f35b2ca2a0c3df9a7789

SHA512
973156544612466f25eba6e5df3d7fcf223b950457630cb32753d4374941bd5a6cd03c32f2762855225f28a9f767346b7bf69a953f1103d4f42b1189805877f7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
09c2884fccf9944e58a73ca6eaeea672

SHA1
200fcf59e0aceb3ea709c4f28e746ad29c25e34c

SHA256
bc2afdc389530f1523cef79653065bf054011560c1dca610036b3d333268dd36

SHA512
f1fc5ef8d55cdee618ce8ba94351e2af6dcf529baaefc12387742cfecefd17a3d52170fe3f41025ccd1cf118d8abd282c32cf67948888a0cab401496ea786070

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bb5e5f4f3a0e70f5b47ca52e36018a50

SHA1
92b20d8ce07425c278e3cb9ad0b3c8cddb41f624

SHA256
43401e6469d73694b0c2d279e7439822cf292c20e8aa426a7438719f698a2473

SHA512
6bb93260c953e6659061cd9e9713f1ce9c5ae9c70fc5dde011f2037de1d85772498ddbdc5bf3890ac502a2f3308e3d2558b8690470421bbb2aa5af11463b77dc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
188dc52b602e0bc3f5ac476a1f4ef10c

SHA1
79882f0ca1b94c581c7eadc30eaa619e2b460637

SHA256
479ce1dfa30c9249220dac46d73c85075c15b8a825490853777e068562b883af

SHA512
48cd3bf18bbd8c671cb89d058bfc1998f6bba0544095ba4ebd10558680df6d03e3bb2f64d6a1306ee8597dc0a77305409a51d7a8a7baf45575b8460d4a5e6291

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ae07b77b5ee6eb2984761e4c371adc5f

SHA1
6275ded7839db46a0b789055b9ed922cdec3f8bb

SHA256
38da7d8866eee0e69cdeb4831490fd9c42a91e572a403091a43e40ffa8c5879c

SHA512
09a49605e0ef9726897faffbf8cb90ca4ec62f96ff978f2713b3123b72581de31296d76bfc5f1ffba99daf49a4a8ec2e8eb7faa89e9502cd35e1b3465e2dec3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
08bb9a4672384fbbaff2fc5a658e96f1

SHA1
98fe0349601b78a31804c20ea6ac986edc2a73f8

SHA256
7e83e2a39ed3dcc7a6706f3259e27735467c87cfc2109ec76a99a3e19bd2c3dd

SHA512
5739b3abb589cbf588a1f2f74a6eb82c50bcab0830d60d11bc23f81410119a6215e475092a57cc4066cb441b503e43089ef29c45c010f9c227fd828ebaa7ec35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
006ed9fe0ffb317e94b3f27d2b4359f0

SHA1
727a0077ec17ea2f17c1e5108061cd414b7074d5

SHA256
845c41975ff76db460659a63018e85953759f1d8c9f1ab03a9b9ef3a053b2067

SHA512
29e65ada75f7aa79b15f06f99adfef0437849585a6ae5f978296c6a07bb6baf15bb902614163fbeff431c80b47f86849c8d2aa380225a74b4e8d86c7d11793c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
34aaea67ce7b5e2fee1ddf45fa100c4a

SHA1
ac92dc720e2f3dc31fdde63092705a6f9458edb9

SHA256
722e934daaa616e24fcceb3dc3a7a6578f5152677abe80cead4764a2df88dd30

SHA512
a9e1a559ca5187d07b732105a08ad758c63bc44b624a65ff732c8a5d8d88bc04f469512060de265ce8a6b31ffb16a7bdfeba0a22fbf711e772d95d24b2a5a50b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
36e648bffdbcb931af6f4d2e6902106c

SHA1
d66b1e94e06a426936fa580cb6b320498ab2b322

SHA256
ec5089b23012d675b28be93c39d414590aae128d2434a760703fcde5d1e9a0ce

SHA512
04592982fa81b50aecb45c4b837247ffcf3de05b0eb82ee4549da452b2f2141b3e695ff39409ba00ddf68a7ed4a9e0346f7d1f10f9e499b1002a9f1b3f9905ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dd2f7991fee43d4d9d888ddd01afccd8

SHA1
b2fbe7baa4e856f032a2855f5213c717b85ce13a

SHA256
d20622817e56f2f03380d4e79a1ede68e2d329629c3315f4ef579c212f886edc

SHA512
0f51840793084ac23aefa1de2cc63c62a8fae19644ab02feb7d0e9cb16febe382f2ee83fbae1b94981e6fb626f3c76a8b133572f6b67110e8ae5b4d0892f82f6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0500c506ef99cfbdc86354a299cb5b69

SHA1
864ba6b88dd3c5c141ff60b9af3a1e632462b12a

SHA256
0901c8caf7fe0824cf93d8ef46797a5bbafb374154af62ed606f767e5370d53a

SHA512
a11b376bc1ccd6d7148c5a79ee42a8f0c032221c9e27cfcd39004b45a53ee1773f15ff6cecfd175b8e1cac67b0d455f43097bff988920f88bc8acea303edbd42

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
eaeaaaaf6645285a6ff6b696746ea5ca

SHA1
20dcf099e5a065a918321c467afca3ba1287ca1f

SHA256
e28ef27b24aaaf252eb13fc6766f5571125966aaf48dd4b0a7eb4ce27741d130

SHA512
fe12bd854e1366cf61e59ff013b1fbebc589348ce7af6d87ea7729310df907badcb67b31bdad40ebf4027d41b0ec8eab4ad22b74ac15471f0c5b53d3d3e357f5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
aa50ce20e997d8df793b71ea601c05e2

SHA1
d458a6a843e933607d0f556638a6c8c1a268cede

SHA256
b5f75277b6ea4dc7b18447ef39f3d8c442c469b551769ac6651235a447d8dba7

SHA512
c6f46d1b9de69d20102142bc1aa270db798bc2788b3713be59670db4a31997136c20709ea30193e1b967ebf8eb3678e070aca36f6e3b73908c604b5a6574b157

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
62b9bba5a27f55b7d648d47868588c8b

SHA1
417048fcebbb121dd2d24248dc252011d5763bfc

SHA256
c87f1bf38ac4cf2e87f91093475807bec74a47e5491d01c9f928a23200138894

SHA512
e8b129dae4f4bddc7416ed9f01fcf2a21718da10812d373c599deb70a256677d97d01169e546d9401684d1930c81be7f822ff72a971a398183399f62a37a0475

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4098ae089b9f72a0137ce8ddc741cd8a

SHA1
0d2d65f081bcbf03952239f7913461847ece4cb9

SHA256
58091497406e0ba8b01eea04d4b896dfdb9cb5b69140728f7a93bba62a3f14e1

SHA512
b5d85bc97b8dc82a9f78ff58ed499c11916a6c9e21f01f88fab46e6706503ecfd052c09ea5f942418a2b93171a92d0b68323896253d0a49d779db3247377371b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4c279ad9954a7dc2b1b4a80393d6dab1

SHA1
8507d868b03b39f759e95e25101b3f01394a4e21

SHA256
3537623059bce3411fc944a3f1de052f484349de03d4f57741a4edc54470935d

SHA512
332bc93e857cf0d292658d01a30621063e53e45c84c0c1da9f1d943cf1b1bb7b0d86bfcb06b6ffad54db85dd72dbbe48fac45e06b061e2c05c6f7dd8556c6e16

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
286f1ee37e1a2258b5b7165c9830e6bb

SHA1
d200bc2f5b74ccae9fe8200ea0c418a1fe4461bd

SHA256
6c58047c8dc5af9b46549b321b87e889c98b50d508442419281c72e9588412d0

SHA512
56b82abf22547f78edb67db05a8c0c93d8c3576e554260edc38c918c3633aaf0a1293fb9edbcad804fcb10bf8bda9581840e7655b9092a7dd0fa23e4c730b5c1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
de6722d544330beece209ddedc918bc5

SHA1
49a4061549097ca331a6288c3096aba14f6df9b0

SHA256
85dc21918a432269c46eb308b9bc11255b0fd3d2ff3cc418ec8e888b9604b66a

SHA512
e99b07970fae3fcfd4a948b8ba0bd7375d391b7b34e407a21778375c6ea4a16198767424a8a6fe8b63ec594050ffbd50819d09231e54f32d093cd9d570811982

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1f5a2264be91966375e3adf31754e173

SHA1
e0604098c9c726294527ced031282832fc4df4a8

SHA256
0ccc065da4107bcda3eeb3a6ad8ed409b0263ecc5a4b5dc9ff415910f7bc61e0

SHA512
adca72e6f0c793003f206ea32499d3b1ef04536a56efff10c18136cd60e4fedc04509f001a28490196f83cc7a8978175f6d57f0fa801553e87540adbab7e2406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8a788b6cb70091792c321d1950b63c12

SHA1
5e239b4fd20f41197c8ebe501a8a5c6def4c45bb

SHA256
eec9a84dca4d8406593ed95e3e9db69942090a9dcabdd789a9c5b771c16f5c90

SHA512
003f628b07cdf3293c2aadd82629b79aa18ddadb92b67d93e410d0e296e0e7436e75f305ce9d5e92ef961e15eabc72b86a3499a17e326733a93b5e1646873b68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
afb5da53760740648ae9ff4c82b6365a

SHA1
724bfec2b73b7769a7b9bc90c198a18d66b764a7

SHA256
1aa7a06bd0f5933ffca5d4f145b7b6b7f5e34ea54f265a585b5e0a4b1fadf932

SHA512
82c71f10e1bb97908bcecef993707fb50b65e8122948d96e100a24285f214ec9ebc091868c894cb394777bc8f3395f3da68eb397b65dba91715f6f4f799f3bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9b89086b45cdd10fd5065220ab250957

SHA1
669164bc5f81ba176a3f20f31b4ff648c6aac47f

SHA256
c66aa98d733f4db2e78608205b379e4462e18f202db789cd5f230bb06d22e739

SHA512
ae42e1bfece8305f29d5719920bd02aa0950cfb57b33940224ca23b9fabf864c540ca6e190d5888fc25dfff1eb2cf55f99bee95e8ec414b38e291310837e0ce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
cf4b81b3a2778eb997e528e0fdeccbe8

SHA1
2f6e373f5ede92a6a97677a10e44b0fd0bf60041

SHA256
e58ab1886722c59662a194c768312313b80d91bc50668e4087a178fd650d4fbd

SHA512
a48f8f8dd445a06efa103d1f7fb03ec3099e5ca5d0ba549ad35fe4bf0ec9b2bccb33869516dd36566c3e6e9e6837f2adf0ee3cd13a5e28ddb0f05353545812d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a7d98afb2a37537c17b60a257c77f3ff

SHA1
8dc64e652f82ed2661eca261e76e27045f12c909

SHA256
bc2c10fcbf79d74061d90a1a6af91fa8445e76280947ba0923a5ded279810185

SHA512
e802d23acd7aebd7b352f60ca880d994e735a7238e1f59ecd04f286d93341eca4e8973a886250f215aa012a209a6529520172b61e59a80a7fb61d2c3efa56413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c87b386bb5316b0011814b42a0e7814e

SHA1
7f51794f3d37859f1aee43749828a0d785168198

SHA256
ac87d1ddc0eea5d9646267d387fd0e08ad0a164a3965e82d714adeb0e24e9b9c

SHA512
dc4ee099f79b03b587c344ed86b5925ab758ed3b4d4a64fcd4eb39ee45beca98da03f204253f3626cc70bf7f17e4ac7f2205bf8b5ef2e907a3e78e47649c0c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
21a222a06c1561359f8de77eebfb761f

SHA1
7c532ac1baeaf9310e692a4d1d70f78d29ff1f4d

SHA256
f553ea7a17758494442e2ad5e65777d4af38674e510fa7fb4004e089daf92c18

SHA512
481561b770566c41bd871e54a257f3b1174f55bcffeb8b0c6b59622940295eb08b90b6796eeec2b312347cbb2a7548998650ff42a4d13e2ff400dc04c26b09bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bd9df3b5717fbc74a25ffcf299e9a3c3

SHA1
923cbd47f482d93b0f2624b171732acf17242c3c

SHA256
94040f24fed895b30c0e0966c7dbbd0aa87abc4445b717a452d1733eb38b58b1

SHA512
8cb0f9da37b9f11b7e2f3c94bc1ce2cb71c3964fe9565b91100b061d8ffe9adb0e3ba994270a7ea7b319933281b3d54aa89bec1b3cda753491a36f5d2292d76d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4c147e1524d930255b5fe482558450fb

SHA1
908f5b60ce880b7b8439866a89322ad7f2427c58

SHA256
05e438d538cfdbe96ba992843314e8dec5ec16bcc19fa95e3c7849c9c877672e

SHA512
88a3de2c299a55a3ef47df5368d858b4eb1a5c962ed4239a06d31acf409c6b4312a85e2fe9d067b7cc9f7e930d2d3e0b40d50ae1148fa36139c531ca62536d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
35176cbc52e025fa56b1c8acd7754f95

SHA1
6d7c7e7470c5ffa0f1edc5788f9c4ee8422dbe9d

SHA256
1ad00fc2ed04e081e033125117809e86363d7fbc2d5da0ff2d61136a3e33b851

SHA512
413fe063a30095ac147ee2d17a6d16a5edaf68cf30667fae3ac70b44f4ee53fc6069fdedb95730c3b1fe336ed2d1fccb5d69f07f15a47b2c2cd515ae7484c1f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
dc8359445885f550eb814d1615cfe579

SHA1
d8786d97ea7687f295e3d14d782c634600edffcc

SHA256
02fd0cd83131d13f0438083e33b616f9b7b1a33c7cfa4ec084443ffef8050869

SHA512
490b23b546ca394eae2653f66a08f9e2398a222fcf199845493d519e76347a3fa529003a6e55c65857ef800a650ce5c0cf44107c2551d5404fa69a928fb7bcdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8b377cdf5ff4f63a69cc4dbf44aa42f1

SHA1
086beb050e21daae62d55d428258afe3891dbcaa

SHA256
5797cf3791a46bc3ae32fe49c1954fc1a29bbcbc0954734e1c9d35f1d47be097

SHA512
67ef10dcb70a150fa1dd83163859330588dd3bef3d20af088dffc503cbe966c24895b14fefd813b792f6bd812f7dac7ac7eb40fa5c3c6ad872ff47f8d66a0fec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ffc4bf487ff702d89cb53a52e07810be

SHA1
87702d1a7ec7ea5e4b90706d918f29c2c6d236ee

SHA256
754ac0e8769578adc25688e1adb0f40e9af42d11706ed99511806370ca3b9d8e

SHA512
eb4ee2def6264f1c640355bfcaef624bb8b32ccec89c6b85ad49b25e23655ed26b0787741b1916e4db0ac658fc8d0fee35ec07df047389c59d54342532753120

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d6e265bb5891945c06b745c8a0919388

SHA1
bec9eb44d34be394b2b32568c728f98ef1e2ef16

SHA256
61a17d1082f1bbc228e60892113ba008e2cfaafdb42c34b7733a76050581f649

SHA512
567e135e0e2f27f18cd5ff826ff7020319142d5fb209618142826a59da046a7cc52fd5293dac03f7b06dc1634c8b16411e547053d9a9155a6c66d9b02483b062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0c355287e62c92591c06a9254ec01a80

SHA1
ef1a18f090caa50c50d0fb88fd680c894e8ec59f

SHA256
794610a7b59b3e330639b57456a4a58457336a0ac000b044de4e07951becbd39

SHA512
fdf8902b63607002f6fc05059a0bb61433aa8942d03869b8c9a19d165124f344e3cc8e2d7e273af168ad5f2fbc52b138927ffa9b84bc0aee8f8d84f87a37dca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8a67a2161cebca0518f0f5b0a79cc1c1

SHA1
9cf28350877a3a5924437656513ac418dc7d8ffa

SHA256
6b99514e53c9ad04a187f99a466414081fd1fe6b11defd2b7f1ed01f66737268

SHA512
e364c610b7a3c7308d5451c44a6dab5f5c18776b98c3347920074aeafdaa43f26845652e41811aeae4bfaca5f78840b6cfbf71d84f8060fc98d7daed8b2fb678

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3c7d82d9f633fdb2d050e0c915888edd

SHA1
eb809fa08d1ecf1291b6499893cd5a9379901207

SHA256
a27a7c6f3458a83abdff0812e34597bfc6bde89e4a5df15cdef11d46eb0bf6fb

SHA512
d4f3aa7c1d04dd5cd3e26481100d4a683b51623a9f0b6e551e580542069f4d301a766eb2e9291b256d26a9cce2a24f99d703c3ce683d7751159a8bf57458412b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8ed0391e43334e84db91f515f9b1b4a7

SHA1
790f7738722d72759c75a26e3f88a60ca361eea1

SHA256
1cfbc27d1e1c8578b3ea48d7ee09b40c993e62e1dc08d5eaa1d5cb9648126610

SHA512
52de55cb8a09254992d3fd1e4ac617a6e152f7052e70834d82e4e6d093cb78a3e68956bad4ade28aca8ab83f8ee7e4d08db2d769db2608c7ce634d4c617c0f29

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d713f40291d2240f1dd1c36292b682bf

SHA1
5ea0bd7c7c61f7c6d9947bb4db27530907362f69

SHA256
1d5cc768595ff3bd81dc0d792661fdf578abcd6af15e1f296ed1ffa2bca92794

SHA512
6d8c4176397858448689ed14c0ff245f55e50090eb16cc99a8f6c1cf723b5b74fccb44c86c344adbf3dfa29dea56c67f7daf6e1cd5a8b0d1a35d709e5593df70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
59e5269b1e54acfde77494872a9abb9a

SHA1
a18bb5d16c1074e4fad3a49781bbcd1ea762fd3b

SHA256
ea89dbedf7475e7493a5bd13d2ad2fbf41ba7899a58b5b26ea7d919b45ac91f2

SHA512
4cb212eb94021c6081491ac457013346b496bba95f48b94ba4321cc9dfe436b2cff0a52de6fbe885053fcf5510f41067604f61531d5e2b9ebe2a95372b9df660

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
20ac383ce8924335ed077f2bda6baacd

SHA1
4bd40d3dcb7d3a9fd4776864b1ea6cdf488f9a04

SHA256
048f6a812af2ff38faaeb573acd7dafaa9a03c981168b9b9e761e099e2ccf096

SHA512
2b4f6b0d0b522649b20bdde8673e76bb5fcef0f02d303f6388f737bbcc380cf7c58d87ab350357769bef2fbe8d5d5a989513c3437c132974dfe33113d5480f20

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
84cd7128df6e17ed81e32130147a8a19

SHA1
6514facbbe3438f3a04f13fc1df97240545bef35

SHA256
f47ad3798143a439e4191bbebd0ebf05d06ac5d28830e7d73c5dbe2b9553fe6a

SHA512
62864ee37778007b655b3685a242ced8617a134656f01cf0fab36107f9dc91620a4fa177ab4f8da919dc3a5e1a44f5fc6e99c11afeb394b595cb41ea74b6edca

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
03f7962835eaf77839513fb978493ca5

SHA1
83bf61e494aeb65af828c748f67e800a601b3ebc

SHA256
96e6ce0cc4760257a732f979d189298951a6f2bf799b6d069e3433b2386a6e46

SHA512
87d94ea2d139b91f28324e095b6db4cc30acca1ce44652b89c7e393bb19f758c3dd677d320bd2d7227c6f61a605f20248f5bcba53d3410923b1e886cbbf811c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d1c99fd319c0144d53fb193be2016d29

SHA1
4703ec27b56ff7eda1893cd5c1eb9932acf04f04

SHA256
ad2793d41db6aed6c2b32f080918bb5501187fe5d91578e55b8db7e75e06d0c1

SHA512
9824ec74c56931e8fccf235e80f998a1a66159e2cac36603b713637e6f40ddd4ee92dad1de3e19ce82a3ed262a121e56908483c8b47af7bde59888b787097722

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1872c139b04046b6063afcd8206596cc

SHA1
bf19f676b2b461b8e2195dd5b05082a351f2afb0

SHA256
963a7de2a9ffff9214b95611da1ea897c525a797ebd035eec197d301bc6ea99d

SHA512
964d951782853a82a1ae8e22b83c09b694dc3d52406b53ee71153cf619a943c5ee5cf132c1cc7bf380f328d3c58476e8e616b461ee794ef0a519b72847e35b02

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0ead7a9960ae912102fff316bc870384

SHA1
0943547f285a5d7fd31c50628c053fb779d47020

SHA256
470aa55747c61d98e4becb06e7cb3b677bb85fa2a0821841b0280a21b74f63cb

SHA512
355e0010d783d7ff90e4d7a6b5c638e68e328d55045dc821adaca554f9baf640f9f2ed773bf4e97eb983119dfe9eab9ee49b44c591535dc2ccfc6c6c9e7604e8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1b471a589039d36e14f3f9e1456827a0

SHA1
d15f0d9fa8b92fdf8cf765ae2d19157f96243178

SHA256
622bd54b97f561bd33692abea1a27467ef4ede974f8d2017b6df8190e435789c

SHA512
3838459d322d25b6f617dd5ba0d0bcecf2ddfc49c7802e5600a4823eacf737c2cd5a60ea16251269f2e3fc0ec4311d793caa25c1841141c754c154715487e22b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9daf4049d021367c202b762e8eea1a05

SHA1
98421a08e13d3f236af10fcffb39b4af5d60df6d

SHA256
8481dd930fa08bc650cb918a2f691327ca0ca8c3263dee3348ba182fc092e154

SHA512
bc8699fdd201557aa5c21f7953d066b29118f7a0e3141d595f9a024b96ab49b144a1d56761cb693d942fd91dc9858c9c9613ad3b4a7f4929c4970f6b68b1cbaa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ef21716cf2110d640dd6bb77508b0324

SHA1
d37fd8d067b496d6dea1059892a2aceb72c97e37

SHA256
7c6d4a3357e98bc5015a624805a9329c8b67ce75512bbd8eddaf382d58baadc3

SHA512
b1436aa4a3a801c312d5a3273a8d7ba408cc4ccf9f08a0988dfe615241cdaae9065a419cc3eb8952fadcd4187eab2c97adf5927f842192062c2d85eb4efa2261

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c03daf504969e6008190552f8f5cd04a

SHA1
e856de95acce78a682adfbaeb314517d2da904c7

SHA256
3d2371fd58964ec30abf20e0c29081ccf9c2d1ff082a834fbd82465437a7dd82

SHA512
d773188391a47ee1ab1da9415e9ca2f661404225617fd1dbe7d9f05bbdffc8311ed181f53570a4725c79f5cb93ce0d4b5d222de438f67b1567b4db1eb3516933

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
26e0175df755012966fe5be8c2fc4f58

SHA1
1328d46ee1e1d9cd06e4c14015821e4fcf072767

SHA256
7021a64e0f2ed947e1e2c4f4c868e7b2ef5f4241d9c13b60ab6a46b08b11692c

SHA512
0d9598b5294a5ea69e8ab6a676781562be72b42bd97006a9f9df970136f0ad2035d6caefcd5507af110804f97c9f6490080021e7c660c21740d1353887135303

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cf2589b06d773794e4590115d29f5ecd

SHA1
1f0a38e569cbc8415d6ba3dfd9b31e22c4f58c67

SHA256
15e44b586d39d2b612f5ca65e6fd6e5476ce9e4e91d3574546e914fc41d0fe39

SHA512
d17ba580a55785bb2f2936e19d7e722494a80063d6cb5a7153694eed6a91dd4a8deee6cde8f5e9b29df7ad70060e53c0a0d6e02f2624797ab096e67b0568e448

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fc43ca54e658d1e258bf5d444f89c417

SHA1
94f78aee5e5447167033485f9e1ed67ddd49f133

SHA256
5db6c402832d8a519cd739f581ea6a11cb6d206ec41672a82302bae51380f34c

SHA512
f37bcde65e8da6612ce9ac9be8a56b2e972a297b7322fcaafa1bd9f4c56eb049541a35d82550808883411cfa1fca3a2d078c2a691c2bdedb94bcf2fff037776c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
941474d80a618c47279957633d0c829e

SHA1
4840c371672d81b55d814452286d80a46f762ade

SHA256
8a551fa7c08733d29573a96dad49b302fd237880ffa9dd648e534d147019cec8

SHA512
5beb94e709d5e44cca084f64c8259fdeb7108f981b7831c722af324a4ccfec480ec74e73c885f3d9dd248c0f46d9c2992c097ef4cc81d0a4ca7ded70ac99506f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
76bee92bd1ed9c036e935e7de7b642e9

SHA1
d09560a36cb0655683b7817c9b704b78b78e69e6

SHA256
abdcd9a93308192ecb3bbf28fa0c92e39ef435221c3f914ebbcf876466da68d9

SHA512
dae5dee22583ea71cadb3b668f5f4c1dec0fcd306558e12f04f20d5cec23860aa139470082462af9ecf8e8677d76962c960140dbf24d1a882513c1cd7f115da6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a896ba768be4025cb921446f1a74851f

SHA1
2b5d12e36b6f8046b300f12aff95343628c89cab

SHA256
f120c2d0267703e8ccfefb54c4d9fb096262792cad46ef03c2689157f479b14b

SHA512
849d6f3a2e0296307d8601492bfc2ab163618781d0b3af2a9aa3421e32378bb4618e423c5aad02515efaa895f21b2fdb0545bdb499a384c40d601eb23e08cc30

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f3666021e05c6a8b0b472e6b2705a03

SHA1
939a281fe026d0cd078c73bb1aa59b6caa2af4ae

SHA256
c6f5ca69cef904294659e24a49002390455e2569b697578fcf5cf99e684cdee5

SHA512
61ad02018080789864de81e148a7ff10a21ed9e569644efc15ca634ddd21440329e6fee1cda5ff1a3403d927a6f5932c86b6e30f197f2e306931b3c9637acbaf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
24cbe946995d79b01e37a929cbe9aa91

SHA1
fc229450427a7c743da316c0960b1a78f11ae3fa

SHA256
113af0aca0a5c9b54db2b2268dd7243e5ea65de40dac56bec34a78aa0af2a7fb

SHA512
848709cf714deaa736a8453d40c93f55ca1bb2764b78641107650061cfdd86b799bd3c602fe1c0ddf12c8b4c11b9126c3ae0a91a94670dd241514aba4fc1d194

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3bdd3d676fb28fb9938f17c3a6f80181

SHA1
4a2708dacb4793835d6a3c6ce49a4b9a21977b11

SHA256
843143dd0ffe0b79020f3b31bf8aa8fc8cf11e5bc121e2fc428afb44b80b7f48

SHA512
0cb66c2cced751bcdfc6d106d7a520b8651bc00b251e670f907ee63467efb84506529cce5353fcd82485e7f73c579c7c2455b4eeef309600037f8bffb5b933d7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
92634d369e425a662e65cd72b53ea2d5

SHA1
5dea6741afd26626429030404bdabf4f71746e37

SHA256
c944d498f2fed8de9864808b3c230736eb811915b76fd69a5826ccd71bace47b

SHA512
cfcb8c7f237f7ba6f55665e3ebfb88f76c9b5cb3bc4bc334cdafe8dd10c779fa6948966eecd38279615df9be40bd49ee25669aaaa000764951f92af5b5255c34

Download Submit
memory/440-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/440-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/440-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/440-49-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/440-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/512-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/512-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/512-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1192-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1192-485-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1192-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1192-7-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/1192-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/1332-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1332-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1332-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1332-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1332-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1504-585-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1504-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1852-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1852-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2088-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2088-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2108-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2108-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2132-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2132-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2132-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2132-168-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2180-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2180-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2724-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2724-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2724-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2724-89-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2760-91-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2760-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2760-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2880-584-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2880-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3200-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3200-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3392-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3392-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3640-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4220-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4220-445-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4536-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4536-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4700-564-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4700-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4844-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4844-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4848-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4848-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4848-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4848-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4904-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4904-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4936-591-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download