b8de64b1c387b05c2e596ecc8506bfdbc5f6c0c797e901f240634feec542a9d5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
Size

1.1MB
MD5

95c3b17cc28c365a5ef075a9e84527e0
SHA1

67cf4fd9f89d90270a401cbe739ac968ef6d2d83
SHA256

b8de64b1c387b05c2e596ecc8506bfdbc5f6c0c797e901f240634feec542a9d5
SHA512

e69dfdd761a5de8891db2f5e3ab424bf4975074f77d7b73a44426d3593bebcea696a090f9cede4528ea9ce0940f68b28700428bb6196cd4f4da09d4d1d5c76f9
SSDEEP

12288:2hSb56Ep/Z/wuJ95ZB2JmKQlF23WQaGpPZJ3FMM/1EkCJ8JXD:Bb56wBouJ93vrIdpRxmm1EH2JXD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2360	alg.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
3972	fxssvc.exe
4512	elevation_service.exe
1964	elevation_service.exe
3492	maintenanceservice.exe
3468	msdtc.exe
5052	OSE.EXE
3912	PerceptionSimulationService.exe
4576	perfhost.exe
1080	locator.exe
4032	SensorDataService.exe
1284	snmptrap.exe
1568	spectrum.exe
2056	ssh-agent.exe
2488	TieringEngineService.exe
3780	AgentService.exe
1308	vds.exe
5072	vssvc.exe
4916	wbengine.exe
3236	WmiApSrv.exe
4376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fa622d978beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000370889729ea1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000093252729ea1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040b4f6729ea1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001042a3729ea1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbcf4f729ea1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fc185739ea1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007422a7739ea1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc1256739ea1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
1320	DiagnosticsHub.StandardCollector.Service.exe
4512	elevation_service.exe
4512	elevation_service.exe
4512	elevation_service.exe
4512	elevation_service.exe
4512	elevation_service.exe
4512	elevation_service.exe
4512	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4172	95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
Token: SeAuditPrivilege	3972	fxssvc.exe
Token: SeRestorePrivilege	2488	TieringEngineService.exe
Token: SeManageVolumePrivilege	2488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3780	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	4916	wbengine.exe
Token: SeRestorePrivilege	4916	wbengine.exe
Token: SeSecurityPrivilege	4916	wbengine.exe
Token: 33	4376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeDebugPrivilege	1320	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4512	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4872	4376	SearchIndexer.exe	111
PID 4376 wrote to memory of 4872	4376	SearchIndexer.exe	111
PID 4376 wrote to memory of 3948	4376	SearchIndexer.exe	112
PID 4376 wrote to memory of 3948	4376	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\95c3b17cc28c365a5ef075a9e84527e0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e092f5341749c57e5154ec75161309bb

SHA1
fb46b3da3b1dd18fef7b686339f8a7a1684472d6

SHA256
83c7d822e497a0f562e94f1f808eb25c3e6a61fdbbf9dcb111077717b69daf38

SHA512
3036f00536e1d61e624ffb943210a32569bdeef9d6e93fc5ecc0152458f01a9ac2f1caaaa2e609b9c6e9415c19c277669b41561212a3cc601bd7077009fa8d77

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
1276127221093603e2d5dbfcd2b881e7

SHA1
9711330bf73ff211184ec4b5fcd76c758042d696

SHA256
bdb37c26cdeb4dd2cfd2a91415f0dcf1f0538e8042066eefa27e0fdf8a518194

SHA512
ed03d2da28a4e44287e4be1d297d10c33fca5d7ea9744bcb0ebf6ccbb66e95d43cccb117ae1db18a58587e8cf599b26b4ef5dfab4b5cfdfdb8f4850aeff3c732

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.2MB

MD5
9fc7a923efe1609974e7204ef6a3b7ca

SHA1
2c4038d500df091949109e5f434c7e46141e606e

SHA256
a353944fb45468c22c15ceadff4656fd3bd0664c375d3fe7d652fbcbac150feb

SHA512
0d90223628f211bee2f4ab722a6d3c216cc0e7e4c188c3c8fb95fbc3a9530e04830c5e7c333f242fa34a088760b1477f1231ef6e19798637d689eef5dc515484

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dee968f764766bf5a64cc5f8993db53b

SHA1
2a10ea88ec24599880a5817845d451f7872786dc

SHA256
0631dae999a3ee04d08f27ce7078c0b0e7fea4f3bf0a3e85e1d4ef5822c9fa2d

SHA512
7338cec9bbfa17338149941864c43f34ee50c707df8b20174316839e375bb4a41c20facf1035c25f3b8f95e265c866507c37d4cc09c9d92a332a334ba4f691c5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
38c5fff226abf2ca08e0eb09a9069bbb

SHA1
07fe8e90c558e9d4e5c23c264a71b25ad919a7de

SHA256
ba4e5d1d96dab318c94e117fdae2adb9dcc85746446c5890008c7b41c39bea2e

SHA512
e915078f6d83ad01f20e0d630cd525ef06fe9a167ae9546cb16f3530cf451a92f91f4cde7fa3b5526cbf20b0b27d070f51fb554933ce407d88f758192a9d7c35

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
62bd38ad1368b4c29d9efe804676cbb5

SHA1
738059392e25ec2f35fa2b0178cc827d30a1a263

SHA256
faefdbd0668c57b16cc5185ddcf6b3e1e0d127e752598518f64d91e532c4fc8e

SHA512
756973418e7035d667f60b075e43cf805a584483b0e21752cdb1ce9a8b43884230d62da8bc8bac59eeb4aef4fa210b62c0bce62e00523650b9860bbaac2f58f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
81fdc1c9c3fb88595453823dd233cd55

SHA1
ff1bb216e64d278ed4656050804adad26a795591

SHA256
d0e275031f2026f27109b768bf8b4c1bd5c2d5316bedcfc3f118472d418fa974

SHA512
5454dc546df2db7809f928fe76dbef945e7cdfc2ad86e36a5f183c65784d6ce93f539821ad15fe104fda755d368cea36ac3dbc0e23352f586bf29c5381a8c5e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.7MB

MD5
bff031674a3c36e7919e3f864b259da0

SHA1
3f026c95946b7e6dd8c9d4a5677db629ae54c084

SHA256
3993bfdcd6fd4b7c2c2fdd8e4d6424d7017cf95471bfad370dd36a2f417d073b

SHA512
5ce931a377c58a54b04bbe77263400a6469a93dd89124b927c87e693548e2fcf5695f5066de5a428e8331d9da27d64d3a6365f7f1247b594d167109fa22310b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2accb833ae4aefea6e00a2c5d822d965

SHA1
d39ec69196fe714802a3036960d090f52579c62f

SHA256
bef0e523831b1f4de0e14138bef15d0259b905ee73dfdbe29846267c16c56bb5

SHA512
083042d97ebcd34bb44b73c7493fd3335174d89a72c9986548d5205de8f8d86652ffe8b64ef08d8796e85586d91edb8e14e7481f2155272bbdcd4a64c71fdb1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
2.1MB

MD5
1eceb914132af4c9866261f471b2fc04

SHA1
47b11ddd3def7f34501e74590fe29bd48452f190

SHA256
6ec6d292ff85f4000953eb62588dee69bc598b084b2b8e2950b51d15d370f11c

SHA512
25bcc90da969e0d38d119dab18ebf985ebbbcede8ddb1ee0110d5c7758d79030dd9cdeefd9479cfcc84d3c57ec7d5a5c7aa2cdd92f4daa0cea83397a91bbfcda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6b1ce588b2aaee55059d9893c291a2b3

SHA1
16460db674cc9891c35f806e259d2a8cc25cb51f

SHA256
dec278d69eac5c3bd2dd7741a131bf80e5d2d3c73ffb24c8c62ed25b8375e8a7

SHA512
8fb347a7dec98c3a4ff65bd480554e4fdaa82aadf9553089dbc7cbd092fdcc191a0acfa8263ff208d2d581b7b8044887c0171af85bc9f14c99920fab22ba177a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2dca0f1c46bc32474fd193987251c697

SHA1
7df87149300f72372237ff74ea7692cb9c4ef3bb

SHA256
32e4abc54f0c47979d514cc06ee6083fa964c71525f9de6663e99253d032c6c6

SHA512
a4b5921a81571dd0a542d6939a05458c44f565a1f477a693209002c191a2a45c10eb754e767c08b10dc1db224add8002c82096368d8b7b87936a6385cda6ea00

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bd1f46e5ec3f04dbed9e61e4f92f1e8d

SHA1
83a507070e27473a82de53a087778781754b57fa

SHA256
76913196b9cbe00904acfdd8b792fef927aed75fb855864b411ab01d86fab409

SHA512
672dd0511d60e57e1d82ca52784f2ae500b17b79382e8d2ded4be750f59461ce79c091670304789572943eaeab1954b58eab5945d47f2802d0b01af70ac1bbd0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
52ad4af52bb1e10390224b85953da9f9

SHA1
85522cd6ed3b7e8c1bf9e5f63f1658509048feeb

SHA256
b171bdb8bad6408439de6f989b813cfee20844ff6b222a3eb76826fc0cee3285

SHA512
a780ba0f2dec7f09e986ad01144467537574156c07bb408002d503d6d05ed1c2aa895253b5ab6420a04ea533cf56e382f9cc85f7a24581344b42c3328da29168

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
1.2MB

MD5
46dc87086b948ea26837e85075bb5e33

SHA1
5305da67bb830deb3064eb2845e9a4a98af16fa3

SHA256
a537a09b4342685774bfcd63219a61dd2ab705fbff13dc347ced888d81b4dbf2

SHA512
07e542c2a925c165051ddd93b3eba063349274043181fbc724680039c4f17ff7c67677a00d50e0d3b9c289627624d8fa630669aedf1d82ef1dea74108d784dcd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
1.9MB

MD5
295db7c6205189a8766741f02704a3f4

SHA1
8b3c7677c025f7b53a9bd3aecd7fe8cd6b2fdff4

SHA256
43af08c8d2581f3a876e81546e3e62b2b6e8f98ad4bfa941c402c94f8128ba5e

SHA512
027787276655ce96d939d12af1aa2dd5e2301113ffc4745da97b6a0d9e90754716a555ebbe2d51ed979b56eb221475221e1caf41507bcc06abe0214e05e74a33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
1.2MB

MD5
49bdcad340ad4eb3f09702e4e343d3dd

SHA1
437cd95979b9a665d220264fad8c21828990bab5

SHA256
553b74569a6de70df4baaa2a40003cf82f491864be0f19dcfc6f856ac8765883

SHA512
5eb4b897230c5dbf84ce89f8471a5cf6560906de93a443e9ed55a4ef285d6a2f54aa802d57eaaf2b785d83da8d5b566256b7e6adeb0d48603513226514c89a2b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a1908d5ff597b6275082e2b4862eb906

SHA1
9e6422c53583a08752c2c077f34f0007c32df9e8

SHA256
d26278a372488fb3cb652923c810e596a325e6bd24a4e295191925879a58f7fe

SHA512
f9d856b37dbdc529b035acd863345b48ad951d417d7616f4cdc660778d9a2e1040b4816835aa27c323d8bfae696d49484f0d995aa4124a75e70326590b5e5a08

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.2MB

MD5
8e86ccb38fcc8205f16e01976d9c654e

SHA1
41b8d6182dc36df7ecf8e659e2477ff386132519

SHA256
569ce4ae7d47e55f98411b6a906412620c701a76d63ae870b1068de631ab03e8

SHA512
b5dfd75cd46976ff6362afc48cca570a3af161445936a1f3c356799a826c6693639cd02253d4a4211bbebe71499a125b9e65811fb7052935ffc8db0773dd4b91

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
57cbae28b4f146aba3007145115cb05c

SHA1
626dcd651ddc314ce09a03716d192482b6d55b27

SHA256
a92558ffe475cfa0e9fb1d05c25e59b49fe95b3e3c66894bb3c42d344a3f5863

SHA512
4a9e8ae0074fc9a5342d92c1c5de31b1f020ef03cec7e3644dd6578a9a753c6ac4491d9e85a587b5dbd78972cd373eb871d55d00e50ba947b5ae9802629fb66c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
cae68038e2e9d8d6d9579ec7a1256535

SHA1
d3dd35c3ee52d5d2e3c4b6c9d8bd9093edc9a61d

SHA256
86005e437419c335d3eb64c5625cdc777be87031ab6f5cadc4c8a2df466887e1

SHA512
9f392eb673302249d622987535f714a87d4993ea66273db570b1e0393698b868d704ba8873395eb972141a7f860a2949da391b216382c2f69bde7e3e73878c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
9c258cb33476f0fe83b343de0f063018

SHA1
8d1b87d232d9ef0aa9771942744ee8f5639f6e3c

SHA256
43e48a83224e6e2f7fcae200082b4a7809236424061abc38f90577840cfee6ff

SHA512
d042f057d75ab962999545720889728cd0febcc71a85603993460744d222067090d9784775d76b9b1c77cfc34fdd6bf9feca2138462599696dfdf859e776c10c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
1d3518eb9d55ab6ae07d6b185b16093e

SHA1
2d6e8806416b226100ea1840ad948551e890f355

SHA256
c42612af1c6ea4a20e0303a6583000798e887b42305decc1b4ca92ecb7db8808

SHA512
09f5b5ac3b4cce93683f789bc8177b70ebbc61e544a745e494d28c60f8824d6c62adee33336dca1055f724ce77a35d1e8c0f7c674e3fa51fd06e0346540feb52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4c57edd743cb9f6066e5eda3eabc3ffd

SHA1
95cf41c3f7f0db256a527698885534ccbc6e389f

SHA256
0ca4d7fa281557286e9556a712f7e19a68f515bfa6cf16faa5f62c1a3b8e124f

SHA512
3c5dd79efb1c1051e9c62b7cc895dbdfb0ffb85f234ff800e8fcd4f72d26a508ff751b9f6c24b7dc49eccec43145bef18e00903ab90d1d9498c00b53251c3f43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
5afdb93d77c60367c2e98bdc8186696b

SHA1
2f2bd90b705ab2fe8b9f264474af6d090cd4ccdd

SHA256
437ba88335db11a89b90ab3eba681871115ab20e3437e3ee31ce197dcb67499a

SHA512
d42460b9d97935705bd44fae54183d8862d8179baeac2d2b0e0fca54d82564392ac5025de98a6e48b8e9d5af6fad42293b8d0c2129795bbdfabead78a6ee3abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
1b8b98fc7bb71a99646f1858e8ff5ed9

SHA1
a6b67d5d7296a4d3ba4b21a0d15f89a599a9b68e

SHA256
869c0de1713a67872030c44aa15cc0a9b82ab132b36453390aeca4d7fe908bc4

SHA512
37c6fb60c5ea498f70c37f69a8a9069bcbaff7ed6c3a635a4963237e48bf0d92fb5518583d9eefc0be779a1197b843e9b133ac4b383a31fea4578eaa217c7c3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
cbceecb25f247694582d31faccce36b0

SHA1
7c406693ac584ea4520f7e80792e323c9b77f3fc

SHA256
89f6137a92310e5479aeeaea098be2572bde820a69ca9eef197f1a59f36a4d5b

SHA512
446343fd9e66b1392842e5f48bd950646cd22aff4f4c3b0fc4f3e3f118ebab6e1881f55fef754ae9e2392e2a61d71ab8df8f72b165b10cbc2f674f887e65d98a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
fdbe53fafe6b4b9af5c147c5584b0c0b

SHA1
4be4ba0fde522ed2d49ccb0859a75629092a2116

SHA256
27cd0171a4903b037fc7176156e8535075d470f4d72fb9bb0866bb5de14be957

SHA512
eeb554d55afb4dc48f5ff9000999ac86054287448f52364ac1952bc964a04c4fac9362770701b98b4ea552e41d4b322c65be6cbc0d42b2b62adb65ce886a1b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
57d697db78a713e70b16384dc7485c2c

SHA1
052f2f8ca9baf866661d06066b0bd72ff56c23fa

SHA256
46e4191ddf2cb67b61ac2edef767da036435194576679c9b454795c0bd99c345

SHA512
9baf43a126fa5a7d59debd2db5a133847a01c2a7a036055f52ccef33ef193a5ad358d0eb72d67a57d531cfbd61a89ac3151cdf683906bfd01a4658c90e0af675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
a1c213cc8eaa44d12862bf11b450cf62

SHA1
0535452088b40bae1e7ba53a496c78ba3aa8ac9d

SHA256
1d1f09b786e5ddcad25019ba922a9ce32052fc3b71de785b17ab68afef1c8fbb

SHA512
3079ae22c4628494592c0f0ca423da21ed18c12fd2f799ea359c829feef703e26d15b25bd9d6d8dc1677e3344973a5b100ed4b1f951ae1b82ff120c7d868df36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f78baa128b9b04c7e5682cf4d586bb77

SHA1
1d9987808b91e3450312a56d6536f72dfbf3c645

SHA256
8ca881c2264cca9be4a454f47b9ba8c1589221a0581c541b841ad6df1ad2234d

SHA512
2e49e5f99f159f8d07683d589a593ec6ed74dbd1c0c362936b56b310020c7a09e5a44bafc0f7d21749ceacbcc18e021fa0c8386740e3b62cac8621faaee6e276

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
65633ccf30e1736a9a2100979a6607d1

SHA1
e624a4b5fc0ae2b9b0b9a4708d15ce8b9a80ddcc

SHA256
194e08009bb8eb33ad06d20738dea3720f3a6754f85801194e3f3d67cb9e41f9

SHA512
14eb7371c0a892014d12f913eff9e6273cc888705d9e5f5b3809c9e59eda474acdf8d69917debf303f8c00035537c1dd558286b62e45a30ce79276b73c870606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
1d35a801472c1716982fb37b88f14fc4

SHA1
2f1a1282b03bd5341bebb3739ce1278c6d4fb057

SHA256
ba7248345593b9648a0ae94fa2ca62d9d0a515af47d02fd6fb636c12b7351353

SHA512
8d8d77ef38a2c352fa1b994090c2375d38618ae4c0a4cc8572b5cacb79592f64b587915859108cc89b6967687b7b2b04ad1019509eb2c3cdb84b0704a63fec8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
435b00fa446ccda3bc9dfb5cfbad4b50

SHA1
33e8280f2cbf4cbe33e93621c24829769b286dc6

SHA256
c428b664505ba986551363c6cae0c09a4f69d6c64e7550001fa3ec83849ad2c6

SHA512
8c8ae1a1327988b73401c078fea1a8649976b17dbfdca6bbe442eb4318d2d02414581d796e988a6aafafaeaab7781e2aa3cfb39a54fbfdcab32f60157bdecd18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
e716b690be6f5eda61f28a1cf30f9e16

SHA1
7970945cfb96b5b7bbbb4b2e3c877c340d86a986

SHA256
9ef73e0a55b79465f220af5752357ef874a544fac6a9e276ee4781e50b6e2cf9

SHA512
7bb3b69124b226a95b5af8a106a468099466ff9faeb4abde785268c2423a126bcd8e0ed791afc617e3750cf4196d61caa9a0d78e83ac6f1ed676d3199b724e04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1c14afb747c72ec0ce9030fb6a1ac8a8

SHA1
68b0e50578213943ce19d5001a769997e1112317

SHA256
0d8aad32dd160e97f2fcd42b38ecf0e8d60a72507736a0b335242841f06ce63d

SHA512
60bf546fc6bcfa4eb0a62e90dc587c77517270c7796a13452d2093bd7aae4d3ed6594994d19ee33c4f0d2e399ae9031b41fdd3bede1c785cb4f140da6e3cec74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
0f52d746464fe4a84abb7c195ba67576

SHA1
ba47096eb1be563f4439525770ca58f13c5a79dd

SHA256
e8070d3bc9e2fa027d357f111f89ad1e9428302190fd890b38fb678608e02bb2

SHA512
c6f4dfbe32ff1c6b373938cda2b7ee23b7419911f2683edfd445e1b943a076a02306aa62c8140a62dab9adfa315474cfa2b9ae274855fa6fd6b8d3c3ad035030

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
61e4965e44ae95592b8cfbf51335786f

SHA1
8a9e22759ca8739449392069e8add7c92f6b7b7f

SHA256
1b507df0113a5e97fc14c31417cb839b3812bc0e7a4c76cf4dc278ab3cf4e207

SHA512
48b9fc669a3714ece6a7dce044cdf06b201ec6b1a5997e7d81bf57f58ee1839368a8f12de6d6a46608ef1162bd99fc316632876b050289cca6db3dbf1522e1d6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9ccacd30a772716a44dd33a41503be0c

SHA1
eaa57f46f40ae6cdf8d152e7c9dc7d06dfe19cda

SHA256
32b5307ea64ae170e9ea624b2c24a4b553e1230cfea3cbb1aae90dd8cec3c5cd

SHA512
c3a094fe83862b83f140f197787aaf5cd6e6c00881cd67ac3c6f542ccbdca4eaff350440fda9787ef7b7d97e01347d5c72113cd79e01c50b706eb5e30d1a91a2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
f2b68aa488d042a47618afc5527e134f

SHA1
5829f2fd8590f4724c0b3c92cc370f21cd8cdf6f

SHA256
c20f491e5a69c84d4189e229e7a6118abd71e464aca42c0bbb1643f2e9c61770

SHA512
b8400e6c02aff7e3150d09b9e622c99877796a35ca14666ffcc0347e72fcc6f13b2cadca2a23eb8ffb3edcaed30229392a1044f978bc01985ad4856c0cd4de30

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9b291faef96be95ee16c6b035c68b272

SHA1
b5c2abccb21128eaf94ad60939c50bce50f2518c

SHA256
8d57b8282e3f17670d6ba50b83e2fcf89e6b048147c1eab3e5ba42a1a3fd010f

SHA512
548717ba282135594277ffe90a10ee239046406b02d5ef2ef03aae3484a25d395ddd0d8531efc7a052bf0cd2c60611892ff18da9686a243467ba0b08f54a10c0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
38ec0e5907acdc2dd474be8640c683ff

SHA1
582329d2de55ad2f8f1d09bd351fafc5e62de1fd

SHA256
265e2a93aa3cbaaf17bdcec6d4240da32753b1e8e3f09165e5200af08633ec44

SHA512
a923072430168296115bda128923c113315a2af20091dacf512d3f5e4da3697fdf54bc5f3e4b08c3f3c1b53f747ecde0157572e57e3838e2abbc6b07ef9f3a1a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
357a68c985bab33ec1290ddf49adfb20

SHA1
36974ecaa7c1902f4f1da6fb15895fa7360c58e9

SHA256
f2f69d7fbe9058757427c3cfc0bfa9ff8f849a6bf834db667fe6693c35ad3210

SHA512
f627e668a6f64b2830dc31178e580dc8f13b734961206e649044ab5d0dcc2d3e278b927338e451061b5a288ee7ae8f843c1524714fb59236da859903c3121357

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
04983f8f238e837bbf6b73a7aa8a3f51

SHA1
fa9cebe9a65f556a1d8e7adb6ea129b626b5fb98

SHA256
b2a7cc55a5abc968981f3a33fad0ad9ce6e1612fac9340f224668647db280a4f

SHA512
faeea357cb95410d240c5767bcd8233d7221d08b191f35249dd4bf7d5830a7d4b4e9a84dbc110ff3433f8da8b83b5dd14c4bcdb8b81d6a26101c9573029ac497

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1e2808de522f73ed1f13246ae9176b1a

SHA1
ddb39c4a7f9c3496b59dce6f6a0c36c2eb36d8c8

SHA256
31546a2e5e9b31717cafd87d32b58c2df6ec60c2ebcc443d4a62e227dac22935

SHA512
d8f4ade0cae8ef49b1d7149185dd1031317c83a79b8418a2494a6627b8a9abf6c71c2f10ebde4e48053e7ca03e969ac9591a13b974eeca6c22de6b5953340dca

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
71f20ec6bbcb99122e36e4758a6b28f2

SHA1
779906a9cb0297d01d6945603664a8547052876e

SHA256
6c872e2dd60696d4b801b08dff6725cfc89be79c3e0d7815ec159098986d7f6b

SHA512
949c05be35d0e9d632296fe97d94248e712e95d77c1d9d404670f6a5dcdd6d8fb45c01bbe126fda3b6ed63f0f94471723402ddbe1dc4358a1d52a639ecaa7b31

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ff24bbaa56a869e44c4b920bd39ddddc

SHA1
3ad19935bbcccb70d4dfcddba22b791a47bf8a8f

SHA256
93b80b1ad6050d028417cfd561a0274bdfc9fd6f29a45ef637361c8ec5609eba

SHA512
8552c61eeb771883881960fae40210f6a27320f4c1edd4066999e4d0ba9145136cc528c50278403781e686e4ca6826376175ccc4a39239f6cdd8eb347624c437

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
42d9192eec3ef5c6d2faa8d3f5b71bfb

SHA1
9f5b24771cf7f25e2a15e824aecbd8547c1cb71f

SHA256
c4730d9e92d11b358b5ffe32aba95e556f5a1a83c68dc7c16d3fc4ddfd738dab

SHA512
4a69273605d10e01cde3d07ec5cef7be61dae1e08282f78ed6e0856cf13014d03a95006b48a257c26c2bfe1b110be9138e25955bf20f4081de7a5f7bb4617e16

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a4c210990f9b8c9ac749db323c0396d3

SHA1
c2f847f4b9d5e90f43172b74d6fa968e53d3f838

SHA256
787216ef27fcf117ef904da7668a7ca548432e7a3cc50ad73efb1c5d02dfcf95

SHA512
4aabd8c47a107c2466c4f072cd2af94c1a4f28231399c6fc636c2403fb5991b7d80f3119c14e6283879fda3a4cc1cad2becf5ccbe1a713be60ed13e8f90cdaf4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
635f9a5bf9a3fb88ca3762aced265bdc

SHA1
b54607d770190e77fe06e98040efea13c31f48cf

SHA256
5a5f12304e1ee2fb01aa50d01546e81b94bec38a6387bef79d1263d68e7c6dea

SHA512
7cde148426ef88504b17c9778d9af55b6f86137cbaa670f7cea25ce93a1275515084fa074c4928cd2610e9f65b5c49cbe4e79c502a0a951773191c099c97ddec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
829e1e09e8c4faaca23a3c0cab806772

SHA1
666415ee51725f858629b7cf2cd93dc8d6931233

SHA256
434f94b57086e8336392bb9119bfd6ade93ca418e9598267e3eaff69cc6e43b0

SHA512
2192fd607146e5d3aeacf6c9b638b3a057c592e06edc3ec228570f5740e4adca4484482f29adefa8e90c4fc7d6149d3cf01d4eb4a60ba061159f9c69bfd77101

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3c670131b22da89e92fe1015e3130c91

SHA1
cb6b44dd985d28723ddc53bcc9f5dc6a249f4c53

SHA256
9de68f4ba287b49054acd0a5026e89da5da096ae97eaaaa1c8b5fad62ef8bcc6

SHA512
bd43312bbc81d47d89e409c3c3238758cfde9cea1a04c6c45a732027382bfe37e08dde5930c0f84b232925b2e988b8568a0d8327dc8204567d63eedcd44b791d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f4576b612fb6d2d27ad01b9c541d7d33

SHA1
46abd1853d8c1c0ffe66c2776158812cdebd1043

SHA256
3d884c45de8c0aa83da142c2e1a30c56285e1aef374d795ff536a595fbf50327

SHA512
f8aebad7b8223745059442f03d2c96fa181ec9c31026695e018ba6c9d2d9579b3c1ef63a2592fe9bfdd320ef31d674c815ce72c70409a0db8c9f289d23f94841

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
1069ba4aa274e702eb9d27c7a421a9b6

SHA1
1010169a1b96aa0e7d95635c53d72dc6cd37b7ee

SHA256
73fa5e896b3d853a15df74143aaf470419e1278d65bff5dd1038e3de7d599347

SHA512
dd5c197747fefa652660a7e130b3e67d25c83427cfcdc9f635f1b9dccc9b59059ec9cc7b37208fdf45db464682ffdac966e4e91bfa0b685cbf66c15ca7924d4d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6928b658a56f3cf0b49b8e0d1aacb6a0

SHA1
46f702d208bd6eefb988ec0458008428a25cc769

SHA256
5eb015d56d042c7d778bcd61a7b7000136026f73bb4f68881a064d69988d849c

SHA512
e5fb95d6158f15e79e697804da887356f148f2e4637ae89e41131c729d8ec5874671a17cc852402ae7549afd804a93fe7083afa20c30a3b1a2aea0d0f44a5d95

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d8f85ef617e81444102ef5a75111e860

SHA1
0e57106b223cbb9926a07176c49db10ac747ed0f

SHA256
05a36873b819ac63ee5d615c3bfe70cbabf580c38a9892eb82cdd0d9d78921ea

SHA512
90b66ec50ec7a77ddd5ec18cfb3dd6af66478c0f5aba35a9f85a41dbf6ddd91424b8e8f894b15b4e716a1101dc33ab0ec9344d60e1a843716528394d9e70428e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9de2509d695e036daa3c0b6b15dfa313

SHA1
a265fe26432b2d3528e696dc3a870b80bbd142f2

SHA256
3766247be1bc27c9ed59a01d29f4bf084bfe4955af933143b504e906ad221101

SHA512
c86d82b9ca8ff2348198d4d3c92fab3c2ad0e2926fb5cb6fd3c1a30b18191811751176be08fb0726101de2322517a1ed1c6ef50f1e008f2e1356d44ef3719c6f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
54861f23368a596721db846f2d98dcc1

SHA1
76fd157bfb1ef62ab7121c0315fa31aaa18d1dd4

SHA256
42898b212a9dfad4f6b6c4491a9c07b44dd7f0714ac01398ff16bad07b94e6b8

SHA512
3d328d444db27e6737c7637dd297690b5cf50274643b2049f0215bf7bb7faec77ceb8cf428ce93860ed3c4d971b51db4bdd7da4aa8286472c12caaabf8728a99

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.2MB

MD5
d1eb6cf371dbcdc735d0b7e088fc7aba

SHA1
ddb930920da06dc8a9c782798867e081cac4a672

SHA256
dd78879d84ec0fb351bf34033ee9b53b4963e8ea1820efa1e9af3d13e12e2f99

SHA512
e5d9f6f7c1eb81ec5b281be94fec0b03d077817f75c3801eeb46086f16a3c2c7395ae49d4957cd37f3001b3668e351e5cd5ed51936d1f87773e3f1f6dbe27454

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
adee960195b19f7a59fbde1408699b29

SHA1
6cc66c91b0afb47db4fa454d8dc8f1fe79f290fb

SHA256
26c80a7f9469dffb9a0e424b40e9cd4737813765c32c9b81eab85ecf1c554a01

SHA512
239e181d4132f395f5c578d79c79a4f7286876c305f9e29f7e811403a9925c1bb28d35f210e1bb0e1b3affe0a07de33ffd2afb2348f760843cde078d10479da9

Download Submit
memory/1080-112-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/1284-518-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/1284-118-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/1308-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1308-527-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1320-15-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1320-99-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1320-23-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1320-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1568-521-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1568-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1964-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1964-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1964-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1964-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-142-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2056-523-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/2360-98-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2360-11-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2488-526-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2488-146-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3236-534-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3236-168-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3468-148-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3468-68-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3492-53-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3492-59-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3492-61-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/3492-63-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3492-65-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/3780-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3780-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3912-96-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3912-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3912-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3912-157-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3972-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3972-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4032-403-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-75-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4172-6-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/4172-1-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/4172-0-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4376-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4376-535-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-31-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4512-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4512-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4512-37-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4576-106-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4576-101-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4576-100-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4576-161-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4916-533-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4916-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5052-82-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/5052-83-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5052-153-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/5072-530-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download