25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 01:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
Size

648KB
MD5

0f4f5a1762c7d6c23e875a5af6088980
SHA1

140a87b24d84c5e148917adb973fe9f16ee144d0
SHA256

25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376
SHA512

4eba03513496376f47f526fff2563449c4b020f818d2bef811bd10f18734a4d550754f1d328e73a8866d967a37088d0c146d358da967a9c13d5ac6e5464ee9ec
SSDEEP

12288:fqz2DWUBF9yrc2CTPL5gpQhOKHbHedZxkryD+cZQ/njhmEiOhS0s0Blx:Sz2DWUDscnTL5g4rTeP0j/Viwlx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1688	alg.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
4820	fxssvc.exe
4296	elevation_service.exe
3272	elevation_service.exe
3008	maintenanceservice.exe
1292	msdtc.exe
4492	OSE.EXE
1444	PerceptionSimulationService.exe
224	perfhost.exe
3192	locator.exe
1580	SensorDataService.exe
3024	snmptrap.exe
1548	spectrum.exe
3292	ssh-agent.exe
3740	TieringEngineService.exe
984	AgentService.exe
1404	vds.exe
1556	vssvc.exe
2076	wbengine.exe
2396	WmiApSrv.exe
3212	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e95ec446c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2ef073eb4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013457b3db4c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fa4bb3db4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d06c633db4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a596f3db4c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075e2783db4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000791bb23db4c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe
4296	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2632	25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
Token: SeAuditPrivilege	4820	fxssvc.exe
Token: SeRestorePrivilege	3740	TieringEngineService.exe
Token: SeManageVolumePrivilege	3740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	984	AgentService.exe
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe
Token: SeBackupPrivilege	2076	wbengine.exe
Token: SeRestorePrivilege	2076	wbengine.exe
Token: SeSecurityPrivilege	2076	wbengine.exe
Token: SeDebugPrivilege	3296	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4296	elevation_service.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25977d5ce854955afffaaa10203226c83e4ebfd13b068258dbae2a6125355376_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3272

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4808

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3212
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:552
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
036436f9f2bc2d0ae9bc9f4e9743669c

SHA1
754ed22e836c36c929d152265c532547f9647472

SHA256
e7c8264f125ac2008494629a486fdf6d8dd2f8b22a7556c7b7cea5fd3de78e3c

SHA512
982c3a49bf51ffa27d59f0b50d2027acd2f11f53e3ad5c008e2d7fa4f11f3e3eaf103b64578d07afd09ae9bc8e658e5654b3dedc0bf4feb6333ecc0f9468ccb0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3418350a94ce17ced7b23ac8bd334054

SHA1
692f170b7d596aa0471e95b37b1759d338eafbf8

SHA256
13e2a652139b604a8091d039b2926081eff465e983c56323bedf2c22902a421c

SHA512
71bfb6659f6f85a1bb8e9f14de6f81e191e99e63f2e48ed97f3a6017449c8c5c1e1530324f5a7e87568d625f39efef9508c5f585eb6a99201205967b9a5a580e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
084600923e70d3d2ad2352bd2a195419

SHA1
9bce204d0e9f5bb627e3f83cda9af5f593744518

SHA256
b9fb190d4085cf2446f4503d35259ef4a90988013de0a07b0910408ac7686b24

SHA512
d62572b66d6522cdd429f18a21dbaefd0a54f7cc5a087c0c248faaf23fc7f2e505ea72b52ea08d40bff62cd11922e01e6de412a79fe422c624d4514fdeb57882

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
586433fe804dbf2b2bb2bfb0dc43dde7

SHA1
e79ac88b6004c15e8826ab908016b8e54d66713b

SHA256
b06ed3b9e1e02feb996583443d2cd58ca8419dbe65ae7cb930cc06b01cc705ee

SHA512
eca64afdd56b3b940453df311c4909165400a2f6df7ea76ff19e83c56b7a8354260ff6135b39ef3f1b6397a16e28d4235a4a6aff50e793331e246de65ed32300

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
61001ced4e58b8cc0b4c2e006ab6ae8f

SHA1
35ba20285720466e135e3e93ff4b851150ce4251

SHA256
c88cb7356465c44de3f7aa9dd7a43cbc3308261dc9195635216c28441ed3433f

SHA512
ce1060263722029c0032faeb16cf0737a08a027c4f6b5e04acdb808c84dd48ed5301e62d8c5f202b0482e431caa6ff79a2987b4ed85ba5b0ce7decaeab922f4f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c348314254f46e699f1b1d4edb8a0ccf

SHA1
91b96f3aeeca2744c8683250f6787455e3741626

SHA256
e9ba2a1ad925db7583fe57dd99f7e0fa50bdd897567f59c6e5608feb30ca0a7e

SHA512
07b5a56090e00736a3aae3f63476fa911c575fba681539cf30f4fd5db7ea2028ba48f099ba34d1fcb4a0e66cf8f4eda4df590b74570fc4c77651bfb5608387f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
407d166375310d22106e4bfd9286fb2c

SHA1
b4eea5561d93d254e18e6c92167dbea4863cc8e4

SHA256
ee719572ad1104063a89e58d509895f25010eb4324c80fd339deba238db76ac9

SHA512
ca64f27212e9dc48102516b4f9f1f61f1910d485ebcb47525dbe79c6d2f7ddca0403e9d65904afeb919209131b46af732e2ae5cc6090fd41fed19de3b67f0b57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5d2ba96740801af41353417d80845527

SHA1
f988b8b9543fa0332c01cbdc2a971c497782df2c

SHA256
bd67576c68eae1ee1df79b6ebebfcfdb25a1d91cbe3b2bb01c7ed32b44b2e456

SHA512
9b98864685bf51a0f61a419b4834c1e9a6b5edeae320872dbf7aa73458cf366205b5ed135f48e35eb3e8a872b9f9fda58b35280fdc43fc0592839781fdc31beb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2473d0588e9df7058f33997781bb5dba

SHA1
ed8f4392f58f7d36aafc37e83246a874ca6cd438

SHA256
987f65b19267325b75c8e6dd4c552d373971dff1ee7939a3e016b526585896f7

SHA512
f54c37ef9108d82bd3c97e2e33557a2d607a8fbbe2140af4f22f6edefe89cd15b670a3f87d169e312a9892683d82333b8323c61ff64b277624590f7c92bd263c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e085694e9f2b51771c8f9a98a1fd3c63

SHA1
6c1aabd5b37646d2747b4433b375c7180a5ef4c9

SHA256
7c54a8260ae94a91c1d56e734efcf58d12e3b9d69438bce71cbeb66a7cd7c08a

SHA512
e95b01df88464214bcce52dbec0848cedfd10bcda9ba54f86424cef7bf090c66e4a6417ad4ce70ec7ffd106b4ebcd10b3f2a2fc1427da0baaf21798552f63dd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8132ccfc36b88aeedfa9cbcae782f69e

SHA1
910c2420d9dd9b37d3a40ffcfbe5a645605f1f37

SHA256
c53325ff5d8766c20db3efc7e749c32072423d9e1dc37e1151d0fd8e3ec41c41

SHA512
fef69c499d082076dbdf891b4bc9bf29463917865e186c853e049f052655d931cd1c06c5335a40bb94cd535464f643f5858b03401c65e09df90b7a3370fd1f24

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e8e9f112735489368bf9537a47d74833

SHA1
377cfb705e1c7083092dc53b83ba55e2cff1b7d8

SHA256
320a7aee08174ac1a56a076a0dccba11c060f07aea5f1fbf14881459bf461be2

SHA512
dd02d41b5d4d3d552903c300a299ecc00685509a2d8cb7877a488b8af9e05c4ff7a0c9650a7158289cf6a263c1a6137e3b0e16dcc243e43e03764c9263a0a3ec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
30a0e9f83568e3a6e0bb167997727c20

SHA1
f4c212475a0e97b979bf5abe82cd6349058f64c6

SHA256
3b8609ea49f924fb8915ebaee38bdaff94301c4e44ed67ff4a1f1e5fe5e1793d

SHA512
27fbcccfd4e79ce3c88af07943dbc9312623b885b0aa7074f8b7307ed5c8703b645728a92494d1166367f58b226d5bcebc6c11a1d483d09d9aba3c9a21a3b38a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
90be80e79a384cda40e867bf2e1d0a4a

SHA1
d00c9e2f58ddfe042eac5beaecd2d4a88560f088

SHA256
9ccc418b9a2988ad9c4717c2a1f14d79e88199aeb972d162294e7934faa8ebf4

SHA512
7704aa2876727e94b38684a60037fde7bda34a5ebdd6275e3b224d8746cb1d7ddd25fd245c328e0a312f298324292f44af5f5d46ebf35198a16d88bae153a986

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
018d201ff0eeabaf68650ed67e79790f

SHA1
e10fe1ccdccce5682c69041773beef1e70b21b7c

SHA256
5d3d6b2e96816db873cad5674c989c4dda20dd876da792a7ec59c6ed0be049da

SHA512
5f38ac95e99f03d439e8d03659e3c5c516a007f68e3193646429a58d8d7b2f425dc6111dd64c345290b9a1b722fffbd99e6b221cbcaf3718dd2a38b59e55c0e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2b64fabfa51f1dae4905ec88ad2386e8

SHA1
e2203962337ebc8b91efbb4453cf2f06138407bd

SHA256
72bc37ad90a6723898fc2e6736c5d1eca3b2e84e1ef7cbb8cd81d65505f30f26

SHA512
fad774680ea4bbf2283310193f1f622b462b5ce2139a0ff50ce3f1dd20931df440398ff0ed322dc67d238e09047300c79ebe7b9f609f653ce42be35374356c66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9bf04d79e4e339b8df52bcbb9d027202

SHA1
60c25db6a1fb740c2929952ad19d947721b0dbad

SHA256
77439b8a984d5803f141e827c228b8cd51d715f230fc77bd00e45c047485a225

SHA512
a324f97c5de1f281632d8ed85533fed9b7894aa9cd21426544da2b144664bf60b59823c70b20a89a6f53fdb418313ce54a5a235a63cf732c86391d182c565352

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a54f58ba79686f32401d4c61e8d341f3

SHA1
bd785410297338e05701a61389e71a5da210ffe5

SHA256
9db98e83f1a751351790362289e482b8aa2a56205e7e46e51dff8e26801b4063

SHA512
a25788608e5c2e03d197eda82712b6e1e3c4a05cd295ba68041b404b7895bfd3b1be443eec25fce780f4543cd73ac530f7ed258b8ff308eecee05bf6144aa337

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
70680d84a159df339b6a26558cc6bb0b

SHA1
4a0c51adfcada15d2296a9500aab79bcf31c6afe

SHA256
fab51eb1c4d5f77ee415f189f79a5bd217f3a23cccc7431f51f8d67f452e3f5c

SHA512
f3e3918beb1c1bdd2c36497ee52c4c973540670c43ce3f44088bdf1cfe427d486a934aa6b72bd1753f702630f8874d31218e90f7cea4cd4a60c48bde63da9a57

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
18a39b803ced4d929a022d3df7d116a9

SHA1
2a4905643c0152630d633d165ba01b75318c5cc6

SHA256
bbb2e9663d52f7da34563e4ef2816479b2b22359ebcdfa895947c5a81261918e

SHA512
ebf24adcd15cbba6cf6f152c5ec08d26043490830f6839431618a2de8b2db50aadeb53819e412705a6ed902f3cb78605359ecb82413c3c2d5b9ef54c08b23929

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9481e1144f35f006952ea76899ebf38b

SHA1
4c50b56e87fa073f8ac216ac0bbdd4e37a3fe844

SHA256
f6c328e67907fc777ecd6394b3135dc7efa8a19d9a90e68a375f4e47dc33ef40

SHA512
5caa376049ba376a42313be0e5939c433b448893c7d44e4a288d4e81b0f446b0644b066cad6c8a44a1481591b1ed13ad40e428a9596c247a2be7693a53e68f0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ea0153c3002d8dc5f05745b62f8aed3b

SHA1
43e5d4278b6244ac7db469ed50750973eebed550

SHA256
768bf029f487d2b56c78bb2aa0f5252917a3b0b10c815bd54e85fd2fdd9e5d42

SHA512
d158d0a5111923355f14d8611655bcd305a670580193c6b307aac0f16c5fbf2dda6baeec02fdf57869beb72e68ec45bb482ace036dbe86144afa7bcb7ef7952e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b4ccf2ea10a2e4d5fded0c2de39735c1

SHA1
2f65bbd8ac7987ae0374d89429acf6823128217e

SHA256
b878be8927957c924025d2441f370500bf8782b4bcfe81f5f6e521a554448c12

SHA512
ab14ac92a29f11eb5a2a49faef947a572958ae9b201692efb579c270d34d2c55748f366152e683a37c207b72257ce1ed67f963754c4364f5c5dbfe50f1079c29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
17261dbd7710c56f5246de87883364db

SHA1
34eacbe4630d06bf523dfb6a3e03339caf0a9bc4

SHA256
47a2a0c1b0efcc86e7b18ff92c0fe2d8a882f3711d51bda368a4ce7dd56a4244

SHA512
deba04365c5613c65fab1bc292a8bc8fe278ab7e9dd5d6cec340d411ef0bf06459a36fc1896792488879519e4c1f67ad9e7d2a952fd4a6cbc78674b1e4871bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ddcb80af5b23d98ea210f9bf99f76098

SHA1
4a986bdef2311a9e53f0d8ee9c6161b504854673

SHA256
9cf596beb2d2450f876b0cc98c2f93d794b1b0c233c1fc352464961ebb93cd0c

SHA512
dda7e3678352df1cdefef06f4a1c6ca1219d45289f249e1739716b59d6eec0a0d380b4d669bd20e1a5ad025b99bc4c645c7e8d5f3a5f9b50f8f912e65a534bbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd46abe641ba79b83b4dcb1fdd01ab24

SHA1
9de8abb83a306e7f684bf8a98bfb08b682021925

SHA256
b3a1e0f31a5a275d56b26d4bc546dbf3133550d5c2511a2abfef1c798442a11a

SHA512
401e3472f4ee1e406aaf9c58b784bdd9493617c91ef366a0f1cc8da462ff863c431501764fccb162f46516d8815162b26ba54189dedc4d17ae04e103be16a1bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0a393e723b6114d766c8fffaba1cb7ff

SHA1
317b4af147cf6d77b32aec6288dc8e295f9c4475

SHA256
ee8c4c20da3a7c34acb1702adccc4d7386942ee95488eab664d3b1b15ffc1055

SHA512
736aaaceea78dacb9d4d4b2983ceb1ba5e993d34ef0431ae5fc8d78518a565d33a8cfa7da9fcf49bc2a06112c9bccbedf2a5ccc394cd1ee2ae8abcce9b83f93b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8ea2f1c43afa1ec0eac39f4589e9a01e

SHA1
c1c806ebcf84eedfe2ff59ae367af5b8281c75cb

SHA256
9d05b6577d8820758d82f58776e3e4809820c78b6c521c05c8ae482538c404e7

SHA512
3c58ba35c81d2440e3d5557c867869d8f1259e732222a6ebc1f70ff84904795eef9b3291a16554c0dcb0f31333a91c3a28bd1a377f6edb97b3f27c66d4d26ed3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c340a0e9213feebf3a2773b9268b05ce

SHA1
6d53f2e5dcea328ea6ad3a649b17f8ee57526c19

SHA256
73b0ecc139e601c2509456603f9d4452bf4e1659061c5ba25b3f2d9f2eef7e06

SHA512
1a31a0fd3e6ff63f30fafc3a9d3a736f502d3811b213388dc74beea40494de6a13968619ea928d2117e7a8e9a33bea3839d499297b263b0c8e051242e6eb9591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9210801abb1735b0f4c17da154da8e63

SHA1
71c035875bae9224ee294deb659d58b0dd926d11

SHA256
c100dc636a474806864aaaaab9d961b9df5d915c7a9c8b8ef699800d0c5564f6

SHA512
deee65074b60ee06bc2c36285b0f885b327c237c6d9c5025da0fdfeff04b83e31e3c6b09ed69a1041439c699a3ba6e4fb93e50dfab0e8c79b70bf1eca29ef2f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f5da1801d0189911a581610496046c86

SHA1
e2cbee7d31852ccd5b29e0ba213b1b52f824405c

SHA256
564bb9b78038dc37eb225b5ad0b1e95455391e15b6613b3aa9c759682009d3a3

SHA512
82afac13a5e551b135d5c3f6da74dfe53e4e5c0d8ba27e55dcf5e8298d9b5be31bfd82e8d7eefbc1eb1ed36041b8c2d85ce03afa323fb6abeca2325163c7921b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
512222e615509dd3b4757b281519137e

SHA1
9ecf54d9e42261f84e3e03721425064c06a23894

SHA256
8dd3d9118ad17742ca6adde6351f8856466c33de1840ebe8b573d52339bd03ba

SHA512
0f7ad5daf38bf96f563dd1ab214f0826be3da80ca076b4b012a27008c752f918fd51ba195a58001a9ea3ef4be1ad3a9c3f64aa4e4ab118064e0f54369fd7cf11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ab2ef3fedd88de7735e0b6b8bfe3d15f

SHA1
3325faf1d3dd9a638e584eb685bf40497d984f6c

SHA256
167d73404fc877306aaf64dcccd5551cd4a987be638e13582a423c42bf618853

SHA512
91c875b7e07fb97382bf995ab060e2375904cde7b304b1e9b4ad51ed3f2820fc87f006b2eea6bc8974d8c914f67ab2e7f0994167cdadce22764f3dcc3b9d26ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bd78103ffa486cdcd16cbea59bed7003

SHA1
c9aa403fabce5397b5ca9d25c87990ffceb4e9dc

SHA256
eb6c4df5f7ccd84a8f0defcce904e85b4258b4c115ec7bac6d5ae00878b85ef7

SHA512
01fb4957fb7234d2ee18b151adfd3e720840e47cdd258f4ff3659b343fa1120e1b11976981e86b2bed4cf0dd3b8b3374eb4e1de7b84ddf25fdacd410db0d919e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9eb7f0a5ae0164d14c8566671c39b1f7

SHA1
b8a09c1defc281ad3b565c083fdf1426cdf9be24

SHA256
ac710c45567050ffc2195eeba369b3404cc8894da8b2f10e9fe9de46f853afad

SHA512
47d98a702a233107b60abbc3cbc27214e6f12091ee71b5b19c326c25396af95750b45fc5a8808cb2c5be88015bca65c9312580ab159f7483615aaeb669cbf8df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
46b678b0e227fe7257e5ca16d0f94ada

SHA1
252f23ab347fbda49ee4152663be76c21591c236

SHA256
d97e3e4f5251ec3a8de23a5fd72dee4a6dfa48ba7591c7a9e2751be882558d9e

SHA512
ab684f9a12244ba3323f2f0ded23c094fb54fafc26ce55837a02a2896a8518c4ab3c10d4648ba5d5f004b70efeaaf611e1a0aafd9dd6229fcbb1c4f10ec73668

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
837544db0830cc282a9def4bde40a689

SHA1
68498fec20cea4685b51a99ee21c511f9cbe745b

SHA256
41edcf5c3e35c9ba02c00dc1a03acc211a6c42fa0c8ad93edbd75667caf32848

SHA512
999569979f1ff2195ce14e098e5f2ae241dd1e56a3a3c3bbfde1645fc8f508c49cadc1661443fdf7f8755ab73f06571066032424c66279149c42b9299bf2faf1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dfe5f74fc0380a698e49cf989c84a729

SHA1
170870db936f849202fb0e1755a155419a8e9747

SHA256
6a86e9746203f3b33b29a35a667d932a5cab643d8275beeac380724b6f0cce1a

SHA512
9a41b17af61cf8ea70426504fa5cca25f741d1262702461127ef29ca511b6795ed097c3523a6a30804b7e6377a226d1f3c286bb10877adf23ecdda8d2ae216d0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
eb6c26e0de938fbda027be7ded0fd184

SHA1
eee0fb9b7309ef64e1eceb60de321388f6deea13

SHA256
3c7c157e3f5a3992dab6ae246678d89f83dbf08f891f4628021c80791228f31f

SHA512
247ed174e4d40fb6e790b225a0f8397880060d2ec161684ff2645b37eb591f5e735ca465d4fdda06c40f272511241ce31c280039cf0add9df194bc845037d5ce

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b353cef791acbe20eda597293589386d

SHA1
abd34ec2144d31ffb3dd880824df1e0fb9faafbc

SHA256
98e80523795ae713856b86aa3b2c72f4c13c03e83e6ca03ba5a9b3bc1785a344

SHA512
e72ee4b1dda0bbfbba289e744edaeea122e5ab85796e1b4946fe8a242f48a2188c247ba68ea2361f3787653af6e3a400f013d230f906e52f57d6ac3ebd21d832

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c4764e3bab9b0962fa8a0d58ae6a1bba

SHA1
980176a3cf69fc17e18b8a25c980cd83b9154356

SHA256
bfa2b5aac99bf913c202936d8ba31760e4921f15319461c6b2c579f393188cff

SHA512
16983a773bec234e7274e3adb4e7c39d808cf6fe0f40a5072c04e8bf39e2656ae572859fcbc7b74e563fc92cc6875f338f6b01344aaf41bf004e4e2d24d04789

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
862d5d4ceb18443ed3428e039ab7ff54

SHA1
638a25660b67406ff17f5bfd1bb501ae0b3a64d0

SHA256
304db84f8d17d92792337f91e5f1e555dc193c63e224c8644e379f07112a1c46

SHA512
d1a281d1fdc2bda50f638a7d4959212acdd0ceaacc31dba355544c392eacf8af1ebd6135e3904d337dd25ef3347bdb1e2ef1dbab2f664374cd18b99a6bd1ed69

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eae1ee388ccce262626c65c805c2e056

SHA1
f06cf982b1c2387961a5a985c3d0500607c247ce

SHA256
9c51c150e1bf417b7edd712f26415ada7d8e8326175a31f991fa0ca0ca61fcaf

SHA512
51ad1fcd3f2c172e6139b369ba4bdc45d0846163b117565b9158954e397d148de26103ef5cae6a91a779728b1a6343cb334e3a8b391f83078e1e58dd8a27a0ac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a647407b63469a7c3681be6df2cb175a

SHA1
14c9e9547cda1725f7cbccc2f9275d054abcf463

SHA256
1b8297d4bbffd7207b25f799be5a21f2053e7182340b6cc512022c9b041e0be3

SHA512
e2728b5022a03399c9855d085c74031ee6358d7da33e38a0484f1fa56ceb4e253911ca6af703586c03a01d00dba59ba6a57ebba98c2caff39ada4ac6535a27e6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
483c0269b827e186760297a3ba37912d

SHA1
95b4e68c2df79cdb73a7a2add932061f67003145

SHA256
b700d421f614a2d2aecdf900e05ce74e98462d0a1d2b878c91b4b7d6111a3ecc

SHA512
36fe2a1c785f113e2e4f50fbf160805153e2672172535e11d0df29b101be3bafe77c11280adc3f3911e5cf7211b040ccfa9b148a672f6c931fcc5fd7bb51a651

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4abf55bdfffcbfed0c422d5d264f99eb

SHA1
4d92d6ce48abe5765c6f155ebeacb394216a21fd

SHA256
b83624ed1254d8b4d18471b2d7d88040d43e739e327da0a8a338c5492a142631

SHA512
c5f3dec2787bcbd39bd2633633b9963f1598350ebca50e6c2648bbe62a06efcf9ccea1e8ad6c8a9ff1c75b2810e2fff13cf7acc4860f84a4a2ef4061023c1f9a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3a5486f2e7c0434f3b34abcebd9f76a2

SHA1
df6ac96e9ec6b1a254efa3fad1698403bb8dfc38

SHA256
69c1f7707d64869844fb88f839a26993e05229ca34eca285c13a4cb1cad211ba

SHA512
37396543d0d1f8e3d0b1e3beb2bce4348aec12326136c8e7e4844f7fb7377a3ca4fb7b455c1849e7537638982bd1854a4020ddf08b8701726929cf5850a5f33b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d55ffb94314d3906842a3ade037206e

SHA1
fc82e535d7a9899a92ed568b47b388fff9e65efc

SHA256
25fd285515ef96a446cafa0c35609524669484c61039f14fa4c6b3e0f2e5a91f

SHA512
c3018510cf2dffbb9a5fd5376b282c6d3b9bd65d0cbe4138282a43fd0d2af909f9dba7d9a4a36ed4d26fe55aedd3d67b7e5f666ab7f1394160506416ea9efb2f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7db588f9ce65ba07277167df8fd0f8d0

SHA1
d11e9db39553e9f362dfda6478668e5f351b0884

SHA256
8eb90cebaca0242c824bf961bee70b3244c04069226224986eda29fa4aa2c679

SHA512
81701722d803ff1e8dfe572bc141827cdbe891b901e79c188c537c04b426832c445894aac9336fa4e16e4676b8be9ef86813a3293cb3568dfbe70a8f8b0c8047

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
42667e5fcf34e8783a870234fbb2d4d0

SHA1
eb4b0b76a994df55cea27131410f36eb780f67ee

SHA256
e689478eb742853e539e54f8dd0602fac9a4f31106a84b9f2fbde02f6a192d7b

SHA512
a95a81d93823bf2deea998bcfee5d8614a682c39065a3270b78a5187c2d94600f27b332770c00d60595ad385f16cd14a5a7597522a7dbdcfe23bd898c80ac977

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7293ac805295f28c206a082663dd420a

SHA1
3702b32effef76cdf9920c49dc12bddf5f7d1233

SHA256
cb2b4916b8e693e77d2976fc4f1930fd6de54f5af4b759c05fe7e3fea6933396

SHA512
d585745eb29a6cdbda48fae6160c903d6c16c9f25231a1b9d520a7b01b158471f5f3c0de676c4b712b93493a97637b34acfbd1da2b8315e88d4cfdfb6e4a8fc6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
87fb8c8a475aea5a50fd3aca2ca0e99b

SHA1
ac587e4dfb5c8f78d74d376fee48abfd2d73a026

SHA256
4fbd0d2f3c0723d2654a618d55d8eaa7ac3827a1f5a7752b577a28c1772c1196

SHA512
74e7e4312746c5a14606485bf10adca1c73150a159ed622a9e846783205bdeea249ad9a00a7170733030d45d831c51c5f1dda8f9ba112dec6f1760d9c12e0ded

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
69d632e078aa31cb635e80d4de3df20a

SHA1
9c3e1cf14ac4f1834834fe0afd616e890503db84

SHA256
830ad3f150a9b4447db929bdc81e8859b296e33f81a7361c1616656db4138812

SHA512
fffad95cc0af73bcaac1903152d5959044ed67190b0ad1d3b3fa0a483b5385ea2f5522ad02017c5b582f2266fee8598d4f9b0102078e6d9fbd2df42203434e05

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
998e19669abc98056b0e7c2859e1210c

SHA1
b623fe089c07b33a4931139eb6ca726cc7d7e142

SHA256
0f5a9d25a5f56634ca497d758bc6b7feff7ee56880daec3e3f395992864d8515

SHA512
e6c1afa50cec4902a83b8117624395de78c497727bca2bdee3ad6a033fba019293a084cc3896693aa0c71c86f20a4ce7aebfe66c5d63eaa99ff9501e8003caf3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef8620578cdee0feb5814dafd2b0b04d

SHA1
0b1588e25f656cd50d0768528c861298b858972b

SHA256
30d78aed4d7505b23b083da3d1d77e8051026eeab699ba14e49e4414e4338a32

SHA512
0586671bcc55d08fb08250f1665906683272f6bf3deada7a9f03f1195e6a27b503937fc3b360fe1971e15136d841e1dd556e167e336b286856c5186c909ec249

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
531d1407c99f71b270226c6009feb103

SHA1
8dcbc246163aa1d08d34fe6827d795c2b657f512

SHA256
704248d01c738e0d8334201c0156039e2249ac3919783b761ec9cb3cf7158d8f

SHA512
7c84689941e097dfba17587c4c92f580c10dc0ca5a4cef52e17d30b15d5bc41ba257daac33f61ab50aa79135219655a9bc9a2640dfe8656501f2c3612ca4093a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
07308ead9e45579952cf196fe29563f8

SHA1
2cedf87abc7d7cc603c51e0681e3e20731db7243

SHA256
11fdd6c56f4006838b8ae56349307db7dbec8d8d96159c0b1718ae08d835372c

SHA512
5289dd0b6d531f898cd0c827967d9cb11443d78b7ad8c0937fd74ace914a670599cad58d7adf69b5cf1716402a1d491c606ca5d2381e6d941b1d84c5de659837

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e1e5fbe4e116955ad9eefe0df2b10588

SHA1
4a21c2f5204b265a45a4199557ce681fc50fdf8d

SHA256
f14526fbf4e6a700dc6d20673c5f241bc7c46f27e27bd80ad2e44ae69889fb96

SHA512
201257bf0fc6b2b08c99950c0483c6f6c41d792c3e47210c110d613a2fbf081b19e6bfe39bc2099b33a827b409a01984ca853a8ac0dd58f326103351ad163b79

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b8093e482d918c9e7d9a07be7c94b8a3

SHA1
36a8b8fabf67d2835814d8006c851ede29bc8cc0

SHA256
2665a5678f70ed34348cc1aefc5d46fff116733f6fe2e0675a6534f1c85fda9e

SHA512
dc0396011a18b1e77cd380ecb58d252e2bbeb51ea6da71c9eb277b12f04dfc51ce908490bb36f476f97ae34c0341a1c2e311eb495a504490b9491187cc39f63d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
caed7c7db89723bc2595232a0ef4724a

SHA1
9207d8a16010f94dae48fdd3e5640b784ca68ecc

SHA256
3423a822816775b440c3522a787f34ec7d4fd716918a07832ea0e2f1ac33d646

SHA512
ae667201223087298df6c654aecff3464b4856be581ed41c49fe1c0a80cb20b52d285c927953f21676cafaf20dd6925f23f41508c81903172629635eb3aae80b

Download Submit
memory/224-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/224-515-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/224-101-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/224-106-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/984-162-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/984-520-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1292-66-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1292-318-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1404-170-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1444-96-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1444-94-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1444-88-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/1548-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1556-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1580-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1580-127-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1688-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1688-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2076-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2076-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2396-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2396-523-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2632-376-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2632-82-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2632-378-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/2632-7-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/2632-1-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/2632-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3008-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3008-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3008-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3008-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3008-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3024-140-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3192-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3212-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3212-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3272-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3272-148-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3272-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3272-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3292-144-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3296-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3296-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3296-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3296-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3740-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3740-519-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4296-31-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4296-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4296-37-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4296-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4492-79-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4492-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4820-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4820-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download