5a0350b5fafb41054e92b05fbcdccdd13986d817a0db1d457ac2ebe2a00ccdd5

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
Size

1.5MB
MD5

2365f75819d10d068a60fb05ba0284f0
SHA1

14483144a15c88c7c04dd9c2517cce424f600ed3
SHA256

5a0350b5fafb41054e92b05fbcdccdd13986d817a0db1d457ac2ebe2a00ccdd5
SHA512

0ba72306ba601355278b917f0f9bbf2d27fbc67763f2559c89e11d337dc04d3d8f781b1a2d821670f2ee9d7b4be0634d158d169a10d2550a949c423b8ca90bb3
SSDEEP

12288:+0E00UzP17kFQwzY3aRRJ9cpYEGxH+UegDKuhNpRO:peyd8QwzY6RHlxpDl/pRO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3736	alg.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
1204	fxssvc.exe
1392	elevation_service.exe
2068	elevation_service.exe
2480	maintenanceservice.exe
2400	msdtc.exe
3852	OSE.EXE
312	PerceptionSimulationService.exe
2968	perfhost.exe
1044	locator.exe
3788	SensorDataService.exe
452	snmptrap.exe
4724	spectrum.exe
4920	ssh-agent.exe
3824	TieringEngineService.exe
460	AgentService.exe
4956	vds.exe
1572	vssvc.exe
2908	wbengine.exe
2200	WmiApSrv.exe
3700	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8ca62ff8aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d6580a91fa1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de1591a91fa1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5b59aa1fa1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0a07ba91fa1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039526da91fa1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aad8b4a91fa1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008250e6a71fa1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
3484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1404	2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
Token: SeAuditPrivilege	1204	fxssvc.exe
Token: SeRestorePrivilege	3824	TieringEngineService.exe
Token: SeManageVolumePrivilege	3824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	460	AgentService.exe
Token: SeBackupPrivilege	1572	vssvc.exe
Token: SeRestorePrivilege	1572	vssvc.exe
Token: SeAuditPrivilege	1572	vssvc.exe
Token: SeBackupPrivilege	2908	wbengine.exe
Token: SeRestorePrivilege	2908	wbengine.exe
Token: SeSecurityPrivilege	2908	wbengine.exe
Token: 33	3700	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3700	SearchIndexer.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1976	3700	SearchIndexer.exe	113
PID 3700 wrote to memory of 1976	3700	SearchIndexer.exe	113
PID 3700 wrote to memory of 3100	3700	SearchIndexer.exe	114
PID 3700 wrote to memory of 3100	3700	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2365f75819d10d068a60fb05ba0284f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2365f75819d10d068a60fb05ba0284f0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3788

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
038b65acac57effced9147208d660f52

SHA1
b5d06072ee985a0b637032ddc59681346df26cbe

SHA256
4e6b9844f8b5d356462acbda9bfa8944a5c8d2b1607b3d1502545cd69eaf799d

SHA512
92e9242a3e163d677cb559211f5a65b506bdf1265e52bd4876f5854d88d00297ae75aad70f8eff4da5af8f4f73c5a68c0ef60767bcf39aeecf32a690d22310f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
67500f2039b10f473e031c7e1f0ac093

SHA1
b146dd826d576cc9a36205945dfb90cdfd9983ef

SHA256
16b2846728453cce95ce69afb1e87625f67537b24056b1ba1ae70259fcf0e02a

SHA512
12c4750984dbf169560e9ef37a7a2046ba8d3ef029a112f4ba7c2bc89953bce83f9210124e47ff784671451e15fd0d2bdc28530555bda90a1b9cf76acce4ff4e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cd9ce8849e945c6d9af361b822083e61

SHA1
a08a990c10b814dd2ac2919a9369bc4fbaf8fac5

SHA256
16ec873184861961d06c7b3a1690c9dc58e857ec447ee9845346b9e1283d70c3

SHA512
7951b7b8c9d6ab0d86ba70085bff2c54bfaf03519c6908d27d490cc0a83ad8507ac41748d9b3b533b0f56ac8f81d789b9e1dac00c5442061250ff2864533d4c0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ca2990d627ca7ab3bfb387a134e6056b

SHA1
69af393dd46f1d245f938e0a63c27412f080627b

SHA256
0619e753360b6fe5f5e3ae2f7a316fc656cfb7db82e615dbd88cd362dc595c46

SHA512
87b0d4999a3b677fcd255826aa9bbd8bce213750f4e1a66c9fb8076d31a145443cff07e3abeb9e356faa78746e966dbab0c3a30c73db22e49beb8a62dee93cca

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
117e16a88a5379766a670f9a2a6ef1e7

SHA1
d26f257cf9cbea859b9722e2d85a611be457fc0b

SHA256
8e10b983da2d3faf3f8924d53437b97aea0b421124bc1dae67387cc7204567bc

SHA512
b14a829ae40d7fc47939c8c30e609d9db95dbff089cace844ea4d499804d9a322770df874ef5855dc797940190e3dae827b59c260f0800e8d894c2c64d9a5453

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
14b94061938b4233fb4f7c52ea96001f

SHA1
992d2b0bea8d44eff5cd249596fc801cdedce87e

SHA256
eba748daba9c61b457dad09fa3c9342473c6bf0e8cda55c9723e66b7bf78fdf8

SHA512
9ef3b294f84bcd54e577aed3db76c8822a6a3768eb11f98f18ba982f2631c808b76714d42301573836697ce17652d78d888d5abbdb5abe1ba20acc744bdda661

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7ec7f4bd26f31cfe22227a360d3a4cf9

SHA1
b3f1ef45c9923c1bdb734e8d3e1f1787f4c64536

SHA256
03cb5522e2d79fa5895c033c4657c929e6471fada07766d1d8abbc65d65a33ce

SHA512
3372803931532f31d0fbf881e1ec10708a4f6e48e54ba30390a27182941c9652ae7e76aec99c36030a64bb93c7cb53100ea6c8b9f1064f6f12fa5eb183cb02e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a66e8c724854a49c3573fcde0ef7d86

SHA1
e0e0c1c6e5083316b81fa5d404d841c32eab980b

SHA256
6f629df9aebf8316b2a0b99787ccf9d6b9f5d919e12d1061026ceedfeec88377

SHA512
4196b382e963c3e1ddf9c44fca359d9d67031abd1eab06b6b332947f496f0f1703e884146016c4f4facce249f0372e571ebe515ae1a4f2e8ef28cccba03b96fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
56394f397de47a70100bbb97a8e25bb3

SHA1
965c15678a5a2921e377a817c71011bf4a890bec

SHA256
c80d4150441a6020cba9e8917e2a469467b16082e0b1e7d5bbe4ce6aac90aed8

SHA512
f7798815289aab3250a17c203fe2ae42d4dbbccb94f32c5e38bbcf9369e6402c8f4205945c53509852dc617afa6bec8c15ddd82e55c79d5d60059c1e02461525

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1a6f776ed8633459a26271e0a797fe2

SHA1
9a21225e5bc97a0a8a7fa65e75a7634b645d2d62

SHA256
6eea10080d37f0e8e281f3c4537b195bdae32d3db4d4d09d0f9eef45fb9a0904

SHA512
877e21a742ed0b20d62df3c4f4a4adbaba0ba0e21477528a247e1c6d11dbff8ad68c1a715a16a19347373dc41a44848dfe1eb5fd537ee8b0575291f0a2353d91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
823a09f25f6d14bb2c89fac76ba592ad

SHA1
7fe11fe0a05b76729a5b5e0fc6f3741dfbb33216

SHA256
ac58d48b4d1d78ba2766950673d6df94d423b13dbd43fe5290a9bf10e7605891

SHA512
ec40192522b8d35fceb7065f80460825e882db15972e21884d29a2fe83e153423642f5224fe4a48987e708cb9e3169b0143f039f0d01d6900a38795ed608cb55

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dd217480248f8149173a62a23ff891a4

SHA1
daa50b76021655b1ffa462debcaf5ef69b051dcb

SHA256
0ef3b88f7e8dd84c889643a8b7a603ee4a9d08bafbd98939a54d728af1d8c15f

SHA512
f0c3b8f282485603c01025d93aa54b977479671a002bb73a83a12994556a697678d9477851407c9a20659b24c5ad6990eb6b7cdea918f397b7d1c2b27e37ffc5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ba85244e843bd9dd0161b5932ed0c9e5

SHA1
baf75a6a521b025a54eacb46a400567e4f1d7a04

SHA256
da755eee1ad2d54f35da2060e65bd07cbc3d04ddbd8310eb7d439f453fbb6be2

SHA512
1c1ac2d5008b894e57a0592fbf98d1aa8be3cba9f028bbc5b027403159e03ce736538e9be5c77238bd2d09ed12f67a51d0aab2ac2b9c4ffa580979d1d891e315

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
134333a0b08bf2f57189d814f76d1843

SHA1
66af13154d2e3f9ef6e4f9e3b971e536f19ab362

SHA256
298d113f198a0cccd438948e23dc87bb9bc850d6c42d1969fed7f50cea2f0450

SHA512
a0722968a8edd2098af1ed0b0f65741bfc6c257ae0f2b9a9f897a717b0a7e6a2ed040f0153fe9406ea073f306165cb141b08ec8453120169197f8314c6123d6d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
be4b92fdc2a1b6ad35af5c5c3802ae2f

SHA1
a49d85d3d63ba08fbf8c18a365d8896cabfe91a8

SHA256
664a7bdd1bf9fb3e6793ad475e61c8dc4ee7c3115173f5917e427fca77ae2df3

SHA512
9a46842c5404644f915b7a41de2e3ff60931d9a4c693dedf59e84815bb1518215dc2b31838bea10d3184ba6ad186c9f61a42a55887f5c0d9db17ee227c4e5f0f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
8328f51e8de29aaaac65e1df5e44d83a

SHA1
2d8a8cd73469e66c855f2c16c8ca5a2060b64df1

SHA256
81f353e9f7acb58b4c2020621102345faca034d73c636045622ee781eae9d66b

SHA512
68ecbac399b8dbc4c0fcb9c7728ce7e68c430e773d0d51b03853f2868b351e49f7219434f35e0669e98e04683ba33e6ef14a29bacd8eecbcf9b1c7c7d5c43749

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1c19324c4eace9f0b76b96dea7a7b73d

SHA1
45d3e4b6b0514d148fed344afe8ef3bf8a42d771

SHA256
3f5e11c3d2c928e2c104efeeafd5999028bbef5f97b0a35d69bb2cabaec5de42

SHA512
dae19936546e8b16773545f3fdc4f95a0b9abbf2be0b605cbfdc1f1c08072bb9d6978d8db38e44f3cc8545d669292d0669399d698b2eabeb22ff22dc686296c4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ddcee0e6c82262acc2845885bb54e04d

SHA1
9fd6b941072e0b2a73f51765fcff9815be694cc8

SHA256
17f65f84929fa6d279f6e475d6e35c2597cf122eb229b970ed5f4a68d3a99e17

SHA512
04395801cb63543b852953a50d1fbdcb0c3518db422ac1e14f5c6b71c81115a5ce7ffdd70e42c512901699e1f6b908bc2730af0057a0c3fe0788cded7ad5ea57

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
7802a647a330d2e2267c6c4ff446e7a4

SHA1
2dd345d24fc339065fc2912db55fef58663891b8

SHA256
5e07b9660a9f18991fbba6b899c2a811d7c2a2a10e53b8f72a43842ed255fe27

SHA512
cb5315aa4edf79d3b52eda57bc5847ccf1988f1ce0e6a3aa6b177091f9687e5d852a518cad9b062ab40b8b8b412cc953e6ee4fff5adb971e0721707c31c5a71a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9f0ed2e59fe3011bbf157093cbdd077d

SHA1
18cd8e987ee488b044426ae26ec6c91f6486f4aa

SHA256
b82890fc3d73773b2b784ffbb4fab7ac42e95071eb5986eefb0cf187c39e9f81

SHA512
95f52b8a47ce600107a93bab3d534d72b6747ec2b6a7f26f839617d312db9abff6514101931c27a6f29a237649ab621893d6d5462c91fae114b6eeae90c7ddf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e9ef0b915a72b8fb6b468c6a62a3cddb

SHA1
8217bdfb121ddb030ab35e33a3fbb733acc721b5

SHA256
f13c9409df51f3895885997d220b345d741efbbecc077d50178638da0b914c33

SHA512
e67295f52da8ae754cc1c44d7f8af7e54394b3b69ae3e735e7ceef8f27244ae605b54dc78973e3f2732d42e698cf83bc8534804476c47609f900329a3f862ac7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a68ca5440977e37cc85d7e0381a32d26

SHA1
6bfce2e67c028b8c9873901bd25f492d2bef26ac

SHA256
4c7301680cb4ec36fc9149d62cbf82e30065bebc45cc627abc674b5fd0d92deb

SHA512
54b0284398ed1d436b5e9d25f89e1c1c0dd740d1f75c1ea488bf389af86e8e7cac77998496c29bfe690d74aa294c2b6dec601455c719ee6156d1498ad4416cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b8223584683a054e046b397cf24db70e

SHA1
c4d976df992e9374138f07afdc1d9fda00af5f85

SHA256
a112a79c8e750ef2758c04176145ee9e6b26d6a242964cb002e6e76871ef2c5d

SHA512
3b2fc32b5df989cc821a74bdeabf97ef71d7da54b2adafa7d91c32606476aa7c3cef4b8564d8f2a1caf5f10845025eb60323052fe7dff9e26d270148d898e517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d7991eec1b6d62620276bd23dfb5c556

SHA1
900d17cb40c99df76ff8c8d7f9f8bb6541fc4b7b

SHA256
fe1f031fd0fc38b3835e4100ea53c4bc5be6942577c9dc7f72ceb2dfd8bfc5fc

SHA512
391863711787ab666cbf425e92c33925ca8f7d5c286fb9cb9321cb35f9a9dd024103d11c418f702922876391a20482b1f1758ccb2a56e52c0568481d7dfc7649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
1566355833f893e43990f25c914929e7

SHA1
96ed636bdc92ae01faf917466794f52c721a3f80

SHA256
ffb329355be76f35d88d7eb54f1d0015e5bbd5fac7cf1550d758d874ae233f57

SHA512
3d69be82d004873345468484f867e1659f143a3d313e405aec4e2cab6085480daa9be108c0697851dd7d6e728e8bd537819ffe90842b2940f30dd6db5dc918c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7061eb9e702d2445476d87017dcc497d

SHA1
7b91e31187d7b4392c24896a55c89823617d1c11

SHA256
13a8af7b8de4d6a05e647bee089e52387be55565de0ac322225804178563a566

SHA512
2d2176aab60b2f7c93710157d07ace7d070e76cd4ec9a430033e9429639ddf4b114ac63dcd8c212641d2a90785dda89f4b6a491c240a20fef0874f776c7432a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
31acce029b3d5cfd6d715b93410a1c86

SHA1
b0cd314034c5cf5fa54a2ecc9aeecac7c301ea50

SHA256
9ed3fc0ff27eda0435c1035b5b688275d51d2e9b59ad4e4137a695512b3cc362

SHA512
ba340c319cf045eb7277e5de4a01d772b857f9cfd92c10f453759eebcc702dfab5e1f255eb5c3d4b404c7121305b3080aeddc44c3f444d0e3dd42b62561f32a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
67579f99a328695c85cf221c2d8fc9d2

SHA1
1b1cdb1b66a8c692f9c2c9e53857f476769470d7

SHA256
21262e0820b27d59d1429eb2b3262bb69510dced118609113521dba6da83b658

SHA512
b429ddf2e6ccaaac8cfe1a0b1e19a395b032c7146e1ec1819b2d168b40423b0c5c286ba48eeefdfb6c4a7c502b359e9fb9db0f358ecaa9ca753f2e5f44e31296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
f0787b26e127631028ba5a706df5dedb

SHA1
bd0e1964dbcce21203c153c5b37e0f45e32b40de

SHA256
1a0e8169ece30ad915f26077cfc0b57df57710315c15206071c46c3d6ff0e53b

SHA512
096847b8809b50aba4af21d771a03b8e91c72686fbf3da670b65d17e4da57fdd4e7418b78497247dbb4bd60ae104ce6c1da2c2f24d5149f23c40cb6b99abab7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
6ef5346d6465a7eb982c364f64ccbb4a

SHA1
dcd4f794294f81d271ebb8968a422ee9e0f3f3fe

SHA256
0991624007299a15edc85c75c1ed14102a225737367f9f24c525f032ef8108ef

SHA512
a84766c8687a55b532099ac53ef0238369789c02d4f8121b537ee202141fe0ab10261c63e55a54e9c32cb5c0f1c44a647fdace42a28342961a4cf22ba3eb2bc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
b6249815fd7798481dd627b719c35c56

SHA1
b6b0612ccb426b91988548ca0014e983b090b829

SHA256
b1ad6df79c219125471a588e28992063829a95800c33300edc3b780c420b5ffa

SHA512
63c7bee1d2e60baf398d90c14f8df90631e32e2868b80001572085e090bfa4d0dacaf72af2536bce6c717f0c186ec262968347892194cf6366311db80c479da8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f72b553ef732918e12a2f1a92db9c462

SHA1
009ff26c7f101590cc45fa12dffc92b9c95a4152

SHA256
47a6c95bbd0da175013b2be99703e6199e01ce3c219af0ebdadc13c97dc0aea5

SHA512
2cc6081cd1211e0694b13ca77326dc36bc7dff52a889a7d8c71b26edeeea2bf34ef4abe98300430c2e17a1031cfe249ea87c323e20d0fc933b0539a9d7c0bb87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ef5f55d783884559492561c6e1562ae3

SHA1
e4101e9f41a25019b4e3fe661feee543da705e40

SHA256
1edfc1c0cc25ea14ab2f84d0b96ad8c8098f35a32e7381b5fadeacc5e4550d68

SHA512
5af1a7f05efceb388cc46bc9f716d7d9b8a68cbca47d2f6baa524d683559622a14f9d6c2868e849abe6dd8d58acb8a3fe235e9955b3d37e2fb2ca4a35ee41dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
68fed220a796522bc05cb2e0d36037b9

SHA1
2f838c474c71f956acb694973dd0c145a794802b

SHA256
649e853cd842dc60751e0e9a8fb63c3c2d1c0e94962d1832a71e10269ce7c9e3

SHA512
3e0a381a8b34680e6da69fdc35e893710c23c7542dc53108e57913ec26fb9008f0d0ff6c5d5520befbe2d2a249ec44404709574ed70d2eaaafe134e16135caaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
3533e71fca71ae78d98333ccb80d3fc7

SHA1
9c344a1696f0fd1f97793bae03166b82ce5a46e0

SHA256
75b210beef04cbf1565ca2f36f9387c846515b9e66469ef01543cc82cdff2bc2

SHA512
7bd36c73b94f63ff9c21aba6a16370efdcdf5c084649a50f3c73e3bec71b990061840ddd541db052deab76d7fbdc3cc17b4d7bb3eb4e75a7963f9f13965e387b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
3ff2042044e522b5cac9ca5f4c6387b6

SHA1
266522b938cbfd32bc43ac4c08f8f323ccfad2b7

SHA256
7df474595ddd7ed2b807826821aa6edb4102abb07fcaf0fbb1c7025129a809e2

SHA512
ab4237647dfd07d869a3b520d53c5a29b92fe0647de172223ad6426e4b218b4f17772f83cb7139c7319dca226108f34ae08d08560460b899e31c07934a223a1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
b1cb320b31069ec39f0f580400124a27

SHA1
0a9fbbe3a98805db331f68d888e2587fe4eb4807

SHA256
64c53844685ee721f5f07bdfbbb4e7fe23aed1c41f30031094b2f0d4bbc7f9cd

SHA512
5820aad73ca260dc9da50cfb94e028456050263dfe3cd059874333db20b4729279d52b8418136a221fe111b1c696c7804022be72c61a11d5f7c7e62f29f8dd31

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f0f1e3db75fac8dd73fb5538557c89d5

SHA1
3a7d44d17059596ce5b76c352b4a85725e6cc743

SHA256
e399a8e20ffbe16f774fda2cb23d28877d4d761f6497c132bade96df8bf70fde

SHA512
dab049162a4e996dd198b88adf390c99ac4c70f1da4c377d44b2aecb7e7a38dfe95b2899fab2185ebc9cb8224842fd22a5a60f3b8497a039afaa96443577ca5c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ca85be054c779e675469383774132795

SHA1
5e14082008a262c6d486fe5a44dffc9d7d4afb03

SHA256
2844e1f9e7341483d285542c531bfa354308822cc698764666c4e0d54fa762b1

SHA512
8e71eeba72a9d8e29fc895ab60374cc8fa3e749e7e4d63ff74e9233e0c96c8078d167a0af2d607a24995f0a5fbeb65c327a80381ee51626ca5af763705369b65

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
d53e93457047ec9fa5cdfeee8a3663a1

SHA1
5db79caaa3239b216bce55fbc805eec3d98d16e0

SHA256
19419cea865b4ed1bb4aff4f6301bd9b7f03cdf490946aa03b8c88b9036af4b8

SHA512
7fe580cd91ca2c074280baa9b63088c8de80983d83b43dfe80d1241ca6fbed7bad005ee65533fd4cbda183cbdfc371164f2ba26edc33fa06c9e3f2c2d33b4161

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ad7d448cf015d563423baf278deac857

SHA1
ac43d502bebb587a560150e16470000a6d7cd2e8

SHA256
d84174d1a162d8d3a652e5c49a9fff307baf24f73386565249e2e3c46e852040

SHA512
490542814879927e212d49d1c8b45e61c3f24801b2bfdcece5a135a0dbc3e8be04b30f6fb977891ee2fd77d5867d96df18b1382919f92e24eb9fb7960aaaa0b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
26dfbe92ff7349e5cef98dd91c504751

SHA1
f7811efc9448d6a156991ce6a056b7addf88f770

SHA256
3b404008ad5ba0cc51ad0912be9b43e03aa2ad8969780728ab0c50d3c5a51a21

SHA512
27994f038872d8ddca2ebeccfa16a22aa1c2a7a2e80220d82279491a44f6b927ac17b7ba5b78cd0225e6782291ea2d308584563d9ada8d1b2976fa322d5c988f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d75fbe79fe3d20ec897a158b3c0d0d55

SHA1
f926f53ced462efcff3149dc971a1ba6283fff9d

SHA256
0cf7b4e21d25ae732d070859cf06db6adc9dd388cac677bb234cd218604ebaab

SHA512
a6d081fb6fa0815747f4a536cd05b738c0d56bddc4313b5617988111b975832aa56c7fefc0491c28ef000e3a5ce9bd413dd1dff457b3616ef0edb65100f23e23

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
663624751174623e9e33fb1da6dd89a8

SHA1
f4e492356fac8e4ced31e20ee68de0b262ee6065

SHA256
e01510ef34c681d1c4e6a34c1dbc949d6c9d433b724e2c73a19da69308775c92

SHA512
b558bae7db75c16b95df1c053916d26def8cca4375d66563c638929bdb516bc54f3fa9a530b7833e96485b35f0740dffe93ccb43e77a229855cba0838f940bb8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
fa8d9d87086fc264f23265459c4e89f7

SHA1
269563b28f9a658d2934a271b5d4b1cba64d7c3f

SHA256
c1531376ff07dcf6fe13d751151fafd55ec9172480e4f483302c29ccd5699efb

SHA512
994f9fe41275203060d16e95e31a5c207644d2f1683781037e4efab8c7779ec492deb19b1488e369b77e2731dc021f98be1db9644b7d7dd891d8599041448331

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3d4a2fc9fd74e1b2925fca178ee7c687

SHA1
8a612dff6d50f794ce96e2f6d408121c44aee69e

SHA256
7d4bb6023a36fa4ca096ef296b8ca8628da2a0a3c17f307e8d55530063b07915

SHA512
302364651426492b63fe2af08248402e74a301b2025b97cb225e7af7602bbf30e051466888085ec6892ea1cf536cd258f86b5fd85b33e78761d377857639b725

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
19af67a42e230e730bd8703d00a119ce

SHA1
06bc231e81c5e3aa8ec7c9f743bfb1c0bd891867

SHA256
fc44dfe215da96b62c717ac58c66d56297fc2e6fdc93425cbf30a76aff0dc59f

SHA512
f5cc1d8f7453ffefb24f416fd4f551b769a419e6bea521b5455b3de4769626d836580058c4680a8b0b768caed54c27cab7d38bfafd4019408c4aa7e7443911bc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1004547d6d1b3e51aca8158c00bc6ea6

SHA1
194866fd3af5cc6d411b825ab32af49240d691e0

SHA256
59ed15e4f011c299edc12184202166d89c5f44437ca2b5e9ead4098d873be485

SHA512
d7586bdf41e0f13766e85806e102cf12de114ab99305cb4dc65986a58146e4b8d28078ee59793696dd32d81e22c8c4ee1ac32d1b5ed92c3151f8627f5cd9d68b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c6b0df3f3dd19900c84ba2413d0cdbe3

SHA1
51ecb1b784c9414058cca3acebdede8d1d56e53e

SHA256
80c9842cd00f281a180483c852f5bbf31da63d088236b16e24a22d5567479bd0

SHA512
966586dcd0292bb5cab0f6bd4344071c9ac00fa640904249c37c0cc6274ae39c43719246edf0351cf8d5337f637c5012fa73d38c5ec5bfa71593656aa246069e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
26aedf1200eee5f9ee35e5b5c63a030f

SHA1
d2ba3e45a9a1131e3074184190c21aab479d5928

SHA256
8f4dc21eb51e3c5e0ed78932c4d3ed297ce0d761826b5f4d859d41e7de0b9044

SHA512
972fd231099706d76934c50d6e4b353b1b913d7b30caf212240c38acad2578bb23df62401eeaa2ca77d6f693aa1c3f2e9f1f2a036438f16d6ad5af7d3074dc8d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
41601c4a69bcd357f4a5c2c0a8f3af72

SHA1
0545ee44d6f11d241646f117018fa0a76e1e86f4

SHA256
14372cf4d3ce7b88f468693f847e740bb7fe48f366de8aedee067446cf797c79

SHA512
0bae2a0f33b9ae5a841fdc25566285078e280625695061d4077f34ee560ca539a78d1e1b2fbd18d4e12c94e2a2d455c12aefccfb235585fee6395f8381e3488d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
68df370b5f97016510414ae6798cda4c

SHA1
90325346260c63c281de972fe28ada9d71660df1

SHA256
e6d4649ef34d9ae4434adc25aa175d7a739e1e7b2b3a0ac468f9fa898c11bcfc

SHA512
5af6fb9578c3bd601238318f2921b2a18ffc38efa2d7b8b7bed5b09d6e6ca3eab76588f38cc2c1c7e35c57aee681b48bfde2e9b37cf2a3609d39ae7e599aa63a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
3db33a2280745fde714fa6ae9a73f03f

SHA1
8ba697ff9c4770c1583d866439057c900bdecd4c

SHA256
5bb1abd64240ed099d8141cf9f021f1fc2ddb08088498ac2587996ec16b9591c

SHA512
67cf01901d66875ecc4ba594dd03a5ced88b23a0882a0f52d93c9def03b1dfcb71c03d19565abeb500d0f1f33985bbe196b88375c6f3ccce6e366ded803904fa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d0558d0e68d8f64d1c0c750acf903297

SHA1
a24ba81c032a344d9b6ca37cfac1ac8d07d11be0

SHA256
bac77d1d3fdd183ab8dca37029b03b2a07aaa005d0a17de06578c8a051e146ed

SHA512
7febb010ea72925b31b67514b239467949b3e110ca78d73eb8efc8bf16dbe0c1ba474d5a50385c1809b903e93ed73610bfef76b3ca0dc7176067065533091b79

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b9160d63a709c66b9ec9aef30d513e24

SHA1
b3097a498552e210d172199f42575cdd4b697451

SHA256
228331079ec8dbc06ec561d7e6eb194ffe3a961e2e6836c69e2a8e660228700c

SHA512
a108ac5a93a175ffb1fd0bc22938ed9770e09b8fc3d304240904391a88af455a952a65eab5f5eb11989b78e0db40997fe727eda6382705a21b0c42917e28ac92

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4ecf7e07865843ddfeb9e9bcd7b9d3cc

SHA1
5ff38b20fc1543e2bdfc561b0b4defc4c3d3974f

SHA256
77260242d1edc2825a4e7e75acbe1fdad4b036919b13bfda65c759b03afa1920

SHA512
7a493475138bab8a833f3c7d1d2eb7492f0fe0988eff2594f363a155dec74ef8013095bd34e31741fc30496d8b9341385253f3e3fa58729db46b5ca452e33cbf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9d4dd3e6730c1cfa70a9e597f55d08eb

SHA1
0efa24841ec946410b4cde3d650b0d34917bc191

SHA256
25900717ea5704649c2686463e755ec79188efe776939fb4c0b17624d6c4fd60

SHA512
ffaf81e9cfdf32c0d3d535fc6b27d293c3d45cd49bf1677de960f265fae71d186b40cb48ed639e3feb6fb730642f4b0dfd85c12a3017ab588e8b6a0175bf6cf8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
134b644051ddf69dd69ff25660e1a285

SHA1
94cec2be5c925d896f1e70f35a93853adcce2ce3

SHA256
80c5913d663b06b3314ca69aacd9b1caf50d20707f6c61e6b18bea102932fc63

SHA512
79e0de6451afb0233d6e03259a6e175c2af1d6c3cd699f52a07b94cfb3463229750a9a18d5bbc72c4c662e966731e560388c910f8682ecb82415238eb4801c27

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
2ea613af280e493f8dfe6f42df231c56

SHA1
1a9ba5a1ca2e08e1caaecd241d969abbd61271b9

SHA256
b5f29dcced01917e8982de6d4f3531863255344dec12318bfd89a024ad3a9bb3

SHA512
4d5ca30c07516f752834ede02c5992c0f08e212036fbbfca5e0086b7c79ef2e85a8831bd97097bb2b48cce11588de9f96334bc17a15572938148384e80f21f6a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
1a19a77ed61cb89ab7b9195131d51044

SHA1
035e2dacb6aab03e90ef70917fd4e5ea5204b596

SHA256
5abac21693955f79c8dd75cadf5d137007fda26f7301cbc9f6737dd842c9ed81

SHA512
a890f46be7f98b45f9f141a3b8ffc4cec21b69b019905f350bf9f441ee6706049169390cd14f370d33b7b90e9604d1486fb3377e1c2c01c08817eeae93c2f29b

Download Submit
memory/312-121-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/312-227-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/452-153-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/452-513-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/460-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/460-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1044-130-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1044-251-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1204-43-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1204-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1204-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1204-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1204-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1392-164-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1392-50-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1392-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1392-56-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1404-6-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/1404-72-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1404-353-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1404-1-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/1404-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1572-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1572-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2068-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2068-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2068-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2068-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2200-260-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2200-621-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2400-89-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2400-200-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2480-83-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2480-73-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2480-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2480-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2480-74-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2908-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2908-620-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2968-239-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2968-127-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3484-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3484-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3484-25-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3484-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3700-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3700-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3736-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3736-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3736-88-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3736-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3788-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3788-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3788-555-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3824-614-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3824-189-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3852-110-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3852-221-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4724-611-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4724-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4920-613-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4920-186-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4956-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download