988dbef9d775d8471d2b01b7dbfdb9c7621723bd9bc652e2b7b885a3ed18d524

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d9e2a18762478df882f8487d367f770_NEIKI.exe
Size

625KB
MD5

5d9e2a18762478df882f8487d367f770
SHA1

856c39c76cf7a3fd29208017f992502a6df2f606
SHA256

988dbef9d775d8471d2b01b7dbfdb9c7621723bd9bc652e2b7b885a3ed18d524
SHA512

0ad314e9020c793028762c1a3ef06cd7a423f7bb4225020968e53cd4d4ddf48ebe43c1c3821e26f95ea33e95615541b1378a33ad8fc27673a1ccef186465bea6
SSDEEP

12288:T2vFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+yQRi/o:ioSRQ5UOOU62FBnO+E222YJbNEUQKGOb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2936	alg.exe
116	DiagnosticsHub.StandardCollector.Service.exe
3324	fxssvc.exe
1052	elevation_service.exe
2332	elevation_service.exe
780	maintenanceservice.exe
3496	msdtc.exe
4252	OSE.EXE
1908	PerceptionSimulationService.exe
2532	perfhost.exe
516	locator.exe
4760	SensorDataService.exe
1980	snmptrap.exe
4812	spectrum.exe
4624	ssh-agent.exe
1084	TieringEngineService.exe
4608	AgentService.exe
4304	vds.exe
4360	vssvc.exe
1916	wbengine.exe
1608	WmiApSrv.exe
2348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\79ed7597489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5d9e2a18762478df882f8487d367f770_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e57b76ac30a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cb409ab30a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000290842ac30a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9c6c2ac30a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051cd46ac30a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe
116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2324	5d9e2a18762478df882f8487d367f770_NEIKI.exe
Token: SeAuditPrivilege	3324	fxssvc.exe
Token: SeRestorePrivilege	1084	TieringEngineService.exe
Token: SeManageVolumePrivilege	1084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	4360	vssvc.exe
Token: SeRestorePrivilege	4360	vssvc.exe
Token: SeAuditPrivilege	4360	vssvc.exe
Token: SeBackupPrivilege	1916	wbengine.exe
Token: SeRestorePrivilege	1916	wbengine.exe
Token: SeSecurityPrivilege	1916	wbengine.exe
Token: 33	2348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2348	SearchIndexer.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2948	2348	SearchIndexer.exe	109
PID 2348 wrote to memory of 2948	2348	SearchIndexer.exe	109
PID 2348 wrote to memory of 2140	2348	SearchIndexer.exe	110
PID 2348 wrote to memory of 2140	2348	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d9e2a18762478df882f8487d367f770_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5d9e2a18762478df882f8487d367f770_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4812

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fbe5ad5b4fa3ba79a9b309f40c312c5f

SHA1
b8c68febc566721025cd91fb14875c19d005babb

SHA256
0234726b0b4626a1238fabd64ca87138e2f326fb997cd784d855d9136d3f2532

SHA512
d1982db096396f4d8eeb0ee97a294ebf4b229c5369ab6288bef8dfa9f8a556ca64efd0000d87bee0e470161e044ac85920c468a83d7c5d0df578561e2f8dc6eb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
9fbc4bf25869c7adc026e31d3e140329

SHA1
e145c7fd7992e02d7cca589d51f09296acd96e28

SHA256
b9534b69adbcac0ebdd87db3d19cfff2fbea2db95c74e07064704d17f677268d

SHA512
d704c3191c6f6b99449ad6ffe303c04a0812f85d8366a7a3480d5c94538950dfb50f3f5a3741519b953381d45b84d42ac18b6a4f96435d72f4f25a224b0022ac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8e9bdcba7433e84ec196ec1ab160f52d

SHA1
c3b562d0d4716240de88a6fbed16b67bfcd07f43

SHA256
8bb746bea757282f8c39bbf366c84799e5e3c2ffb74e9e5f38a462e4c76ad3a2

SHA512
4792add339833a4f171b47d1db7b5c442552d121ee44dd5bb9c631b5f800205601070e2506cbc37f810e875e82af263b8724e2f3ad8e8fe60a9ca47a063b86ab

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
75649eaa43b074c0862de35ee4cf957f

SHA1
4a4561610a18745ccab24ea0a83bdf1b7df830bc

SHA256
4019c6082089958fe08ca89a842a05d8a54f03bf14e86e358af67de9bfa51204

SHA512
7a0b28ccffff91681d14cceef7b9eeb33e64db1163d1b39da8bfa6b5585b56fe90c5af5e6237ba049e87c99f80172f48026e20a79004c4695605358276b434d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8bdf7e80efe4b6ac092c90e2f5d1f6be

SHA1
de78ff18a9107c39571696c245499b60215d37ac

SHA256
7b2046c04a6a863d6fddc7362c776eeb728d960a75135eeeb6787e01e664217a

SHA512
79089171480add5cca90ebef9b888d2aef3f3956b8c93a0d3f8dc8b343b78fd6e94ea52a4e2d559b6c27b3c4209207445b47b12a86c31988b3d58e0f504e3beb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
123402a9893c0c745088ed6118986cb3

SHA1
45b85baf0c26766af03145c61d72f437297bd49d

SHA256
344111dc52f6584c785e9733ce32337601cd6365c1c8138d0c963ae003b57485

SHA512
51265685c8545f1d16b4c4c72679823d186f144cfbdc71043fe5aa2c611411808f08ca1ab8b9c4e2290c541b0ffd7a7bd0a32813c312edcf708efe56048e6b88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3cd3dbbb3fc1ae6fc7df19e31fa6dfc4

SHA1
f639c48e862d9678bf49f7c8acb670b21dd2b629

SHA256
2196ae51a480664fec7a05c0fcafabba4eb97b8f46502fa5b1f5093319eb43a0

SHA512
63e42178a66bf2223411c2137f8365769f2b8ae21c7d91203e7b3281a544a5eafccc194430c65d8fc6b2d0f6884cfef9713fd7751fe8cc54e87f8a6d8c16b827

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f92ef2ffc46847e294b966091eca3ace

SHA1
b1cc8e23583a43489540875b3ac1183a50351d4e

SHA256
d0f4e6fb53c29327082c4b8d744454904ca99c662db8da68a2d48cb402538c27

SHA512
847b60509cbb0153c17b416cbfc37886f4cfe00f9f097e40338329c6b932fac3a79cfa62f80d96807fbed847096dfe4af6c4ed74452c388df2fa03f8844cab28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
742980411cce6ef5db35127c140d87fd

SHA1
285fc977964cb77f61844860eaf4f784ba44cdc8

SHA256
92b0274f0a7f942fe7fcc450caf90bcecd500a827855a67ef1768876c364e614

SHA512
dfe358682ec0617ba09dbda54b2280c258c5d2a704fb9a808f689f35834b354b7eb68c460c2c4fe57c20d599a27d2c48aad3c59ee0e8da4aa0dc60f8217a7ab1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1de8a972af0de16a182e36fbd4c2a749

SHA1
b26bc88d1706b334da9fd83269ccbeb075968554

SHA256
666ffe3d481923fa583538b11d16e18c6fb8ada9ac8176c447929f295935d87a

SHA512
7ca3b81983526ef88133c90fb5404720e8c9133b77983c48735b002f05e191739412f43f7027f49f543576a4746f1cdaa413ee7da9f8a88c84a67f2bb46a6e6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
403fbb625eca300e19c949b618e2e3c5

SHA1
040f2c4bc39373882778867cf54bd2e57a4f58c7

SHA256
fc19302a687174c19d63b3f90a7464891cc350d29849756e709cdb103fe2de76

SHA512
b231ceeeab5b6f381dbd8990f9194ba7f3e9d4e6236eba28b169984b04192a27039ff5b58246a211eaba9b0a63ebe117e52471d7d6797b882fc6f5866e5e0534

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
24b5acd399d861f43638bc839b2833d6

SHA1
ee7705970513946c11f735dc26d4976b6c9d4585

SHA256
0957a40f47c249de7801da3b3e90c7a00cf03e727290295f8e1978b6a8cc9635

SHA512
b9d01d62770b59bc09c71d5b93b1b3b3d83b61ca88e63dff334b5250f64e1187bf5ef22d8c3f58ef4f65bcb5f9f0de6cb50d0c06156ee839f72b3c5eb7f208fe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2521a1db61c09614016aa4f540cc1b7a

SHA1
ebc4eaa514cd0a12f4eb0370a8491de9739ba4ea

SHA256
611e991cd8321c65daaf7dbbda60339e15b661fb23f0637fa6df39453b98110c

SHA512
5ff98ef9801d8b092534c3d1bc935faa6083bfc9217abf63b16418c9273105793bbf766a18f6aee73e79be683324ef04da6e4889aedc3bbe1a8c74472301cc1a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
98f2b3a08d6384331990d7ecf83be945

SHA1
bf25c4ef5f8cb5301d5e29b99bd747f7d7a1d0ce

SHA256
69d1fe02cf52b1016cc8e7755c39264bb1436db99f6f2fa683c22a63bb5db943

SHA512
592a7329f8964307e78c87ec9d680257aab85da54f34ea23492b860f9215e79020b8d22b6e4b43abecdfd3407e9c6d6313c6d2668e922ad9fc29de364532d304

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7b529f92df4dbed1d4bf3ffe1948dff4

SHA1
5b93512c8ff45cfa9a2da2198cfc095d4b766147

SHA256
2a265ab9c5b51461c243d58f46cc576fb134af70c0a6fd274fb56f097d55f125

SHA512
59c4cf514c686a5ac502fb9e5f1e6a2749d5a684375d3da76e6e7d960b6dad8fcd02b2b70ae1814021487ab7e63c9fb5eeedc9bbdb59aa4c5eaac41e1c5b8101

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
3903f262988c52b7c3111141a2cefefd

SHA1
f3ec9a8e178f46d5ecc74550472bd50061f7b41c

SHA256
c758cd533511a2597649b8d09ef2fe6602e20d8842dcffefee7d571b09008883

SHA512
cf244d05d007bf25cf2a60255e7f75bf545de4f212253c6b67ad9c4418b4da5c42bb1d134c37e9a0918c6b3f658cb788a7aa49a707d7531c74d7db3baac521a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5f5f9696c1e55d229fc24eb9410f9bfc

SHA1
559db9aed703f7a524d27595cbd6ba753b981bb9

SHA256
f7cf055a97368cdf8408ce4f57e0aa77c4c99c2cb5aecfc4a950ed184ffd717b

SHA512
1f7ebe1709f4a2661114855f677d0b7c7118d4e4bbf4bbe13357a316f0f1421224d3bc83fe97310e83c2d0303fea5007eb547d6213ad931a4eca53eca6318a81

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
55ddfc23bebde6aaf1ea1fb270e83781

SHA1
dc121d6b8c3f02efb34cf0359df19bdc49ce30cb

SHA256
990d51cc3eb5e35c6c251fcb0cd4c3800ceb258d748156f3661b4cc9f6cba177

SHA512
74be7ad266a80f71c130e2fa1779aa8082acc798f0a9948d028e1a321e74be6e511615102293c3aa42bee8e7d724d869e85eed60172169dbbaacd75cbf2bf689

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3bfa905c81b0d1a46bdede71dfa4cc0

SHA1
b2a2f5a164ae834ae4ef5809938186d344fe5e99

SHA256
10c4165172c68161ed95dcd9b7a0362214f114157d859a67546296480be5223b

SHA512
500b045e3285a243858b2c17752be675c8645700bb29e4431220e27b26c1cff3baf77940ab2da5982204b83388602e636d12b8e925bf90def0e1661d01874327

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ecde9e7d3255379cbb2a4cd992d2abcb

SHA1
e1dbef818db622ee6e6e51d303452f7aea656b1c

SHA256
eab08ba100d60b77c45d37c62e16e45dd9269273dfab6c7f535ff5a2b449bca3

SHA512
1cc282bddc5036654dc14a6e5f6d1d862a41ff843ef95d70ca070c162ae75d50e21e1e28bc3fa7fb7029b53074ebbf334148964f2b050c9ecc09b5281592602b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
092a5e164e4fa73d4985821c32c2dc15

SHA1
9ed247e218c2391b77b7e3e7dd6513466ae19fa1

SHA256
54e4a15b2e9154c09de46ff0f40c129cf3b89c36ec8f5b02a866af4cd9c55c1a

SHA512
b7045d7bfe170798aa4caa631f4681bd53846efd0ecb2a2f98e39c917b111f595495ac51ca767a029c2539df13ec6ca8897e07fbcba3557f7b250f45566da0a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8e8cdb43acbb2b625db05ccc58d33854

SHA1
8bf8739a3b343227713e216207b98e708d16f943

SHA256
28fa32eebc7932eebd39ca3c041f0619fc873b3183f8a3e25412122e493960b9

SHA512
97c27ea737861e7caa209543ae50ecd0331052526e031601145237f3c573b945870030a3136c18a820a1ff0db5b9828fc8a9085f52c22f694fe6425d32160901

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a4cb6a0aa57467c145ffb7358253dc94

SHA1
ab5dd4f6cbcab89e949ce6d7d991d29bf8957c11

SHA256
731e3a42bb100415710f6a4cac350bf11ab809fdbce7c6ff09a9b3dbbb641169

SHA512
176773361a7ec3d1872b9a0a836489266f0e975f9b953d2882d43af94a7feac18ab883a6c1b2fc566a5d7f3172ee2e3c1b1bf92df51858799b71478f59f9ac30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b08dbd078c7fee16d46be67409bcefd8

SHA1
2bfbf68c11a933491cc162ef71337f2ba061e9f6

SHA256
6b442083d9be9badad586d543917edb04a158ceb2caf312a16bd7b18606f2e5b

SHA512
febd99545eba322861769b9b978911e6291f6c9be939468aa1de976250ddd1a6a54918d7559210cd04fc3d2ac5b44cddadd21dafd7d1807ca1f89148f23c40f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ab29e75fc8ecb2d75ef452e27a55e5e6

SHA1
17add6291a6fbca5db0dc363bbff57694a8cbcaa

SHA256
bc497d751a2104c7bfc7f674f279c7a870b00cf53e0c26b5809e6df7beed1426

SHA512
5c87ebbab0ff1e3f91e07df394f77b6637ce4ce4914b8b611ebb8b0db8575838ca4f8242224354e0244a1b1422278b3aa1120bcae4539d681c8c3c5b5fa1bbf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3d7c41d57338e062339c7c6548fbe276

SHA1
9a9bc4a7a7952ade8a6b44e01608c7dffd8a20d4

SHA256
2189a6d25df2a5f5c74215f616269032ca3f2033af4f958bb5702aa7063dfe74

SHA512
501392e965a837a3e314cbc6d4ae45559ad2d9a2008a3b6f0ec90d991e2ffd03d3e108bca791a25e66d820b0e27586e61bf98e0ef4874e732b5be686814ba7e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
676d55572f6e57fae114426d4b571cf9

SHA1
c80f81c95611b27357fcde5b3fcdf1dccce084b2

SHA256
4a5922f2d80065096b4ce045a3ff7886a804c4e207b66ebcc775073f1523ca8b

SHA512
2a39f75ee16b5895a2fe23a232fb73cac712fe856bd06de4399c3f73f723867e4bc874f476ed49de4e1bbae184de6a4a4b31d11d19853820ec8edcef87731591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f578d37e7f96eb43492a3f2de1dd0dc6

SHA1
97bdff738baa1352ed6dc348eb60fca835e6c507

SHA256
fb96eb818137114e11a79b626d0658b60de7ea3b8d073a49f2b68c23c17557ce

SHA512
b57bcaee8c1dbb42cf97d4bda124006ff83aae1bc37c5b37e644f22dc7864ef1b5c906dde0473f16d7fa09cf6963b211a8ce6a6c0e6afc5ee110b35329d69280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f29bfddab331182310bba9b97ead8443

SHA1
0284f7d7931346a7411d0d99227ef443bd380ab2

SHA256
76e9ef633fb0a18383c4af3ac5fe9126bb4d7f0fc8329020ccfaeadb47d26572

SHA512
d5f626aa24e11c348b737d4dc18baf71ac1cfeec064ec5b8e476e38b96f626187aec6f86d412a3434d174dc16ca4f4bc82266bd8859381c49b3a28f4d66ba956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bb195bbf8701bf800c74dcbc792549b0

SHA1
357a7c53886d6fff9675c510b89939be1d817edc

SHA256
d3091727657c430d868fe3ec524074cfd4a28694dfb366164e139bafac06ea3a

SHA512
5e4eaddb8d66c110232414b88b47d1e7991a558eff30b2ba0e3702a9e8681aa5d46573783ae4db41bfbbdb9e37412ac49f0537a2f6908ff1ddf14453c0d4ec7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
35c50073da3b21f4fa18df989f8c05d1

SHA1
6d29cdcac1b86fe9023d97dc4b73c221f5b49a31

SHA256
918267f83d42c63f0808f435b86c0e685d13330ece759de6440050b67d6164eb

SHA512
923b38c7e45e999469a0ad6592794c679ede3fb1da2c6c23e552ca431ae0c3ab4a48ef1943f965f3e36ff08d527d52cf5bd122d2a31882633c32951f5ec201f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1a97c7975c247c8c933f5320b205e7ca

SHA1
d568d7fbee2244ba6e73970d893decc368e3064e

SHA256
a29900bb070ea56d477e2ffb5deeac02e40d4e159f6593ce08f2e960ba7d910e

SHA512
58b395bb1e5a836a500a541c1bd171232ce667532824a390377583f324f3159f0c1ba684fbb956cbd3a6560a26e12f12135aa3f1fa004b48d98351a734f465b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
373f8329f7f7d5c1662874fc514c0843

SHA1
e6ca1fd9a76b588554fc7d128bab3f1c7db88b32

SHA256
497bf61e400d5c245f1b755b91576d30c1ad4bdb33f72d09c51e4db423ed7db3

SHA512
8ae75ec566103665124c292734bcf4718899b183c70d322250f052163700c883dc5e57174633bdf78aa6e7faeb9b98e48f4d62e50d4447a7eec2a612d5433196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b4def210f5c9b3d12b4c0d9f4c879b24

SHA1
c08631999a2a88d69ed3e37e0946571a57f9cf8b

SHA256
11c901be53296a257d0aa9e939f4a56816647cb07fdd0901c810293e191f775b

SHA512
7a0644bd1652fafa4af64848e6bad8d0a5a9dce5b0dac9b00822f7985736ec0ff629c4fce57e498027002b1f0f4b02c253f2cf91ffd49233489423c38edbe539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
45061f8d89c28a96f246b9b96a1c3be0

SHA1
8286f72aaf12adb26e6491f46c6cb0ecba347f20

SHA256
1143917f595a742ae0a0ea20117c0465d866303738e52fda9591d72522631f34

SHA512
54bab5fe22ac3e69e04092d229a0d271899ab430685fd5cd4995ad2033337e691b239a6dcfaa16142eae2dd5355cd41b97a8043316113f63be00e24f70002b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a0eedf1eab20721c6b6e37461627d69f

SHA1
b9fb292a104c86982e013013f4e71ee17800deb6

SHA256
5622fa2731ab22737cd969c98abb3f85685400edeab87c66bbefa0ce44e24c27

SHA512
0aed78363fecbf51bf5027961f0d82b2c0297c9a525d83d3467bf4659820eb06021e47f2e722d951d8a39a962d494d9065c1679e8231cce00dd651e0bccee8c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4a0ef0245182f2b62135a6506e613433

SHA1
bea496ca2be28a31d5dab5a07e227a0204f1a480

SHA256
c5d65c9ce5a933ac72fcf4ceb5c7955d194b1a56550558884f09cb3e4e9d213d

SHA512
97ee2b563d21b0fed22f1c8cbf8142161c707e40f454a0df53081b02b15cf3217c121cc032a076c62c7012a87032e6bf42f684064b2ab79ba3bcd2caa9c8475e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4ffb98d95787687204ee9e27269268fc

SHA1
a91231d2f014087eef3ada062cf94a950c5eb7e0

SHA256
bac9256d46f2485418f8f4bda3629a9c69b09f93d46f33b3562c4dcf1d310c4f

SHA512
ab2b21e3671f7802929e29d44ea6a5a9f521f704f09fb1d7812906347d91f764cf41b209cf419227a9d72bd2a5b41fb51587454a379e9f2ed0bdd8013e7adb8c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
831be7b8c80a427fd87504c9f2d33632

SHA1
9f52b7ba8b5e0e645b3c97c0b83c0cb27b63ad46

SHA256
3ed4f48dd02f0ad867fc6df78ea30b7543dee78d9e1f48788bf94db400be5051

SHA512
3f2e247882aa83aa26231b648d039a0b0f131b101f1da70b323964a8ea31006794ab607318b21f246cef03ecb342afd3ed22a529b92b7b0abfa1b35f5b754934

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b32b3d9e0f8a89520a6085de6f3aeba1

SHA1
c4674e2a164903e34036a10b73a5785358f1d9ea

SHA256
d869fa0551037995609f28df8bb0475322c7065f9b22784c77655b4a6293cb38

SHA512
d07076d737c3fb911c756cfbac68224562dd7742f0b240c80f7d744d7e0d8f398a84281dbf90f530c9c87394ac8c1acf2249bdca6a1f806b6d32787e4256fc82

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b425c89909d6af3a881b8c7c326ea0fc

SHA1
7089f3e4d097c4294a6ce19d68f73fe19d95ff4c

SHA256
f45bb0613a0e21e1fc35b6ccfe766dfecbefffef285f0e8ba92dd89da2f195ea

SHA512
7333efc2fd0a9c2bbdb234aac54dd621696b3b8c2fb0144a372f8caecac5686bfa170f41e30f5602c632e7f167b7480757b3b41aaea98cc5a5060befa15519a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9697a9c11a7c7bc0e0a014a2c323f154

SHA1
5eda539b205de072f1a7f146963e13584c0cdaeb

SHA256
17f54dacc6a23d0d4c4b24b5eeb4191ccfa4560920c96a8cd8aad2bd8ef16264

SHA512
c9a0abe226e655deefeff58acf735772f465b80d1c77b0ca5674a948c1b05edbc0410101859328f0e2bc6b697a6e9cfb6a44496e087c23e0e8a6ae8556aeea90

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ae97a0ed71d256af494fc2d3f9f6ade2

SHA1
7699bd10dc13bdb17665851a86d87cc86485d6a0

SHA256
a641cd9d87fa8b20f289580a52381a7b9a5d1cff340baeb0800c1d2f5eb117a7

SHA512
4e51ce1fd3b10b77736e236fe86cba4b04959a10f3217cfff3acdb8cc70cc9745827d3ac9682d67865f379a1b541d5ea6a220fce57cf3c2d4383be16b71c6de6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6b54f37354c6c336f3bb8494f9c4643a

SHA1
1f75ed7c9f5470bb624b42dabb847231255019b2

SHA256
5be035ad92ab6c443f8ea7e1f9e5c7182680d9d126a9bb780ad6f6732ef4e16c

SHA512
00a11879d08444a32ea93d9c216f447c4a99dac9ac341797ae780562dd98cf01768c9f0f423fb1a4db70919674c8ffee3fd4f13736cf65038010d47d13f3d0c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
87f5a84582c5ffd1534d2816ce62630e

SHA1
e7fb52b19f7666df9ce32b8106f0923d678b1376

SHA256
e3918c30341a557dfb87040fb79801aaef93c4584a04402a05bd80f56cfe5156

SHA512
f4a26918d32980b87a179e82aaf6b2a1cc6589bb79c28014f22aa070196ddef4cc610e1de118b23b7fee0cd1ee95427fba69f24de69b9b2d768827acfa51f8b6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ba416441e1ec04c6ece104b6910e22b2

SHA1
db020ee714a6f98ae30aa848cd60465bea1093e7

SHA256
49669795730c71d6e8fd54b5059462b47120dbd58814d7ef1b05b4e9a31f7339

SHA512
27ea1ae0419d112d6aaddae9395a00b84db8e260e155c76556bb1bbcaaa4e898c784445345534e8481d9c517a90d38e804e69d5cfb95a6ec4ac02e128ceb9b1b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
64e0020f2fa79b13952b5b682821179f

SHA1
816495912f1fa69cbac02469fcec4b6ca7c12205

SHA256
006902d413e38f82f305aebadd25b1945a7759d4f07c8eb576158ad15f36b35e

SHA512
1e6c3d355477db46494d03f07c8bf978431c2a5b21bea7f519562dbf069d1ccdd8d8b3b0b42dae0c117f17a36e3e6bd9e6aaccb83661eb71b55bff87daf121a9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5103b2fc6d9f32bbda7e63ec456a38ec

SHA1
ee9efa7ffecf9ecb83f10be6318830d9145634b3

SHA256
a1cff4ea9b74e0c4543343c7ee8689c3ba31426c8d05c010360b377ebf795426

SHA512
b8a25d294eadbb4cede4691244e6046f142743286bec8f511ea1c3dd54e7e301fe0159fe5e3982ee5f26d8ee26fa95fcad372ed7df164f555e225d0d991777c8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
36d192bd0fd2d5ca11f01814a769ec94

SHA1
eeb6532621f76f12dc58ca72fd8c3178e41cdc3f

SHA256
7c51ca3fd996a6f76b32314a1cf9001bda224dbdcc80c0271aaf7f57a31f8f5d

SHA512
2e3f73c334d4bc49df5316f62bf9f3fe90289bd1f7f02592dbfc884469da8177b48cec2da624afc95d7a25cfd73e49dfc894436d7acf77e99557c130e6bca4db

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5f4d6d4d23802971a19e397bb263c150

SHA1
d0f906ec3dfb7f361ead024c60ad7386380c7730

SHA256
87d783c7b28e0f405a3af728b4bc406740c459e847c9ca530b84f0cf3c3b8741

SHA512
6be123d9f737f386b00d4a313c3b85a4d31abc3ad006f6f383db82dfb301b7a4fa9254965c7b959ddad27999b5a28c0c35c8ee6729d8e376f12d7bde50ffa9bd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bcc60ebf3e9ca265d35f3ff4987fa267

SHA1
5f6a57fefbe8244eb68ea855f8f44f409c99aece

SHA256
5f6b9866fcafa52531dd5b0b69c4baafa95d78d970587f74e16b80a342b1ebb1

SHA512
170e9ae415fa57bde0a4441cf2df537cff51285ddb423368c8b39bdcca81ad11694195afb583b1455d7a677dc4c310a9b9f3a6bc2d4e228628727aa4d04afe41

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d283b072f43c8cf604056588f707b983

SHA1
0f623d5bd1e04c4b0b45d2aa70026357b43adfe6

SHA256
a613acb07c742d53b4526fec01cf75629c37056fa80c0cc3a4de304aacca5d9a

SHA512
69d9dc762b0e26fc34dcb90702bdc20ce77f3e0bd018258209cf117d0328536ce7c41c21f397e72d1ac3573efb4ec36ae8e9e92b26446ceab169c6d1063feab9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e65d70d3fc2d1112549c3a8f9a1c014f

SHA1
4b3dab881725e274ee453b0bedc19676da932b94

SHA256
fcaef3a442e2daf27c3e32298ceed139523f51460f845798121fa7021613bc6f

SHA512
ec514562d0b971706a2ee913d4ab1ba17c2fe6678e2d5765370212e6d7c89f7cf98eb7ff24cf1dbd801bd4beec840692c32244863c73e6db53382cfe02dd826f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
25bf6bdf7145abf29c2559e20f2da12e

SHA1
9eaff46a6c926c8146ce968143f655c4848f9981

SHA256
9902d4482316e708a84b15edfc9921a0c8626f88d212f912a73d7f59b0292842

SHA512
a024b166c334e097fd0690f39109dd2960eb53a8e0c0110ce4eebc6d727a53b61d7d9da77c94aca960bfd15ed6e4aa42d9d6d655e873b881f8c01b5909525318

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
28b3eef323c4e94f8ad4e7faba20cf9f

SHA1
1cd402049cf41d88a04c246de391b330a73c49d5

SHA256
dd05b4635d556bcee2582e6cc827909ad46f0a3437a371096bd980afd3bc29dd

SHA512
6fd159360241f99dca8bf4195c918b742cd28f02a5294dbd746c5993890330e0e17e9802b78ecdb25bea93011924324cedbc647814e03013c12851301f9dcab8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b550a3e13c61687fc072c9cafab0bb97

SHA1
b94aa71a4d04b99741d0f322d484478dd599cdf3

SHA256
0e01ae40008f93d8d68aad1b891f6628f508136b42035a2f5b064c616ac69707

SHA512
2ce8b4c139d4dc008553d4c7ac913c8d1338196d197ab5f47ed8b4cbe66bcf73e1e30cc4f396134dd5ae8364781c938a9f1dc32e4f1929aa6b57a6c66dfff7e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f6ec73cc076318f4517a5ee1544fd1a2

SHA1
13cb7612fc5fbc97e5d04db26a3014be0f10c404

SHA256
bff4129ab4f64367924813d6d4460612b79f1b01669fc0301ec8b4b78a27b715

SHA512
f6dd67ed94283b482004f02f30dcddb2eb3e327ef3cdd16edadeb1b63754b55378ecf51d60a8254cf7fb28640791c3dc4b1ac7c8f7740568d03b96f2980b45d2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f6a43c19c3e67e0af413703157d67b69

SHA1
394aa183c63513de7b69c6063660e5923be45194

SHA256
57576667a00010033a52275bdb4043d3e3aca6845b2357f6784780c2b40d4bad

SHA512
93ed0c13d2ea1a62bd2fe5dba024b6230a7265a2eb8caa8a3f37ebce5babe251dfb3e7b812139147e442a41a0acce18f9dde140c53dac5c138a083336375f2c4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
474cd71d6fc9635c9ab06cdc8fbc58c6

SHA1
230bf759f3b1ed26d5f4a915c98f88a39562820a

SHA256
56f5f1044322c07becf42a40b99dabd66813b37a613596bb5ed8996f5d266eaa

SHA512
bf0fba06a3eca63ca83332fa15eef60f6c06fae8caade6ca1268500283ba097c85f097715c165b3f916d51cfb10abd235fd85fccd499c311b6231a61c94910a9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
395b5fc18ce476f9244ecc51f219514b

SHA1
b14f24adb6431ce9b8e6edfaa1b00b94f9e9476d

SHA256
26cbc41ce3face60414a78d7532e7f3c6f5c74f3e059ee32b104d05c60744e0e

SHA512
81d19037590ebdc1db95eb23a337337663c9c18226b33d83cb09fb9f6a04731223f9b615c0116a96e5fb7f5d9d5f533684f904bedd76949d728256a454245028

Download Submit
memory/116-435-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/116-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/116-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/116-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/516-244-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/780-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/780-81-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/780-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/780-76-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/780-85-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/1052-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1052-55-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1052-604-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1052-49-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1084-250-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1608-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1608-609-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1908-242-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1916-267-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1980-247-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2324-239-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2324-464-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2324-1-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/2324-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2324-6-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/2332-607-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2332-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2332-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2332-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2348-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2532-243-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2936-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2936-434-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3324-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3324-58-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3324-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3324-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3324-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3496-240-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3496-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4252-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4304-251-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-252-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4608-198-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4624-249-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4760-503-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4760-245-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4812-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download