5501ab7a06215d2f4aa3d1b3345b38dc819554daedf5a91abc993025abcd893d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
Size

1.5MB
MD5

ba853ff105f92b0a8736931cdbbe0800
SHA1

370094c0a6f76f2716a16f6b69124d6c806aa738
SHA256

5501ab7a06215d2f4aa3d1b3345b38dc819554daedf5a91abc993025abcd893d
SHA512

346c63f66fda784ef0f68d46f4448c659c2edade4a6d10cf3043500c6cd4afd328879c21923389c93be36992a0d5bc6db2105509b081e97997772a50f60a453a
SSDEEP

24576:Oz2DWN8S+LbzQkWWbCzLLB+lMP1NFzSRY:K8FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2308	alg.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
2512	fxssvc.exe
1616	elevation_service.exe
1552	elevation_service.exe
2228	maintenanceservice.exe
3268	msdtc.exe
2340	OSE.EXE
912	PerceptionSimulationService.exe
1468	perfhost.exe
2976	locator.exe
4388	SensorDataService.exe
3312	snmptrap.exe
3152	spectrum.exe
2032	ssh-agent.exe
4776	TieringEngineService.exe
4248	AgentService.exe
2636	vds.exe
2432	vssvc.exe
1612	wbengine.exe
4072	WmiApSrv.exe
1548	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f05347185ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f68426048a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bbeb55f48a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a332cb5f48a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b95cd5f48a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cb0dd6548a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d20b85f48a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff47a05f48a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
1636	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3484	ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
Token: SeAuditPrivilege	2512	fxssvc.exe
Token: SeRestorePrivilege	4776	TieringEngineService.exe
Token: SeManageVolumePrivilege	4776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4248	AgentService.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeBackupPrivilege	1612	wbengine.exe
Token: SeRestorePrivilege	1612	wbengine.exe
Token: SeSecurityPrivilege	1612	wbengine.exe
Token: 33	1548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeDebugPrivilege	2308	alg.exe
Token: SeDebugPrivilege	2308	alg.exe
Token: SeDebugPrivilege	2308	alg.exe
Token: SeDebugPrivilege	1636	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 4780	1548	SearchIndexer.exe	111
PID 1548 wrote to memory of 4780	1548	SearchIndexer.exe	111
PID 1548 wrote to memory of 4620	1548	SearchIndexer.exe	112
PID 1548 wrote to memory of 4620	1548	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ba853ff105f92b0a8736931cdbbe0800_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3152

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4780
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4c0b786ca4c8327e5629c69df8524a5e

SHA1
71df58ac064fb82f0974e23aab345a56467186d5

SHA256
aa0ad905eedefd8d498ce43df8ae5c031c8dd6c8f8ab390317d68e3429aba2f7

SHA512
cecb10adbc4d92ac2ad67eed6755cbc3b4aa01651e1b4647ca9c4987cf4f4c622a59f9cdaf3214c0dc39b7fa58437599c972996f44912602ffec23d800c449ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
0276dcdd84f9ada75503265c8a74272e

SHA1
e01276611f071474c41a20ce889654d2363d142c

SHA256
7067c211d1b38001c22bf0e0b30217be461edee27b76b8f9fc789f211cb360b9

SHA512
a2c7ef2fcbdc63ff503ecb22d5230c8a17879bf2cacb99a5e05cfc2e792fea44f477f1f5353671be8c446a86980cecb686870ef5b1ea1c77a5d29ad497ebaf94

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ef35fe6c1f1f4f1329387695d2891de0

SHA1
9a5381f104d8d2e7cd48a216e4dc017521664029

SHA256
8d1f8caa04ebd7ec9edbe681d56d036303b5767704adbb62108a04ec93541750

SHA512
923083ce13d62e1ead87c8ec0de428cb9aea5490663648e0271ce8b6736fd3b1cfb9b5f3a1f59190ba2d9eaa7038ab258c9c2003e80d562e2789a597ca72752a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ff69195b0907c4a80f523ba0db67bb2

SHA1
868a5114bdcd7a36fee2905af3ea1e7b68465527

SHA256
94037ea624cbf539d1d558e8331fd312cf9fa5ffae50623a9c62d4bf01e77382

SHA512
1b8d39ce183897ffa8211a21ec33778c98487fe305f8fbacad8301a7f440a77df42b6228c5e0ea6cdde3e3d23fe877325e4de844b09377e4ebaef30b72ae7da1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
823e2af59b265a64b43849dfe97c1710

SHA1
ae75116866a495a53493b481955b3d4e05086aad

SHA256
3c2493b1fbad3fdd60e93dcafc3fbe65001f214aaae119c8dfa956b917470d54

SHA512
a35b2283d7015d66b013be813d3cf105ce88c4cab5cb3079bd75cb15a012c23a1430331d395828007ebf5ef090bb4a31cc5f1ece9ebfc160cc5a0a7e0919437f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b7ad5dcb312da7277aeb6c5427571928

SHA1
a4cb0acf49f65b7fcaa695d0e0e89a8a8d987d29

SHA256
62d92d8a09c1b576f58eef83d783ec27755c8486cc9577795255095c161481d3

SHA512
7f09122b3fabaedb40b5acf0dd0d1af88cb3039c206e56e33ff5202b520ad6b08325cb9024cb778bcfb0d24ca8bdabf7b75a73149df6ce180fb75cfc7b8320f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
16eaba8b75412bba2b2890bda5516fbd

SHA1
176fe28061ce6990fea97d1ae13985dea27a53f1

SHA256
284aa651a52ee57760edc6e26d2a2af10f089981abc8a3e0370c1736e9b8b096

SHA512
2a1dd122de399d239c51cdfd8a34aa91566da6adaf57265e762488356173859e6cb233de5577f584fdc31df6d86694dea807dea024876ee678fb937af87cce93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5e14ae142df83a06ce943b2b4261185b

SHA1
6dbde30df790d3e608ce406493f427ce63090a1a

SHA256
6893e01ca9cef897a5baaeaaa0556b6c27433bd5fcebba5f599ba2e6e9e5e944

SHA512
eaaea52a396d315c62970073068ae23fa6132318badef0cab961c74d2028c4854bfa8e7938d97adfa502e2c691ab18b69e782d4cb0eed4eee6e388dcbfd53108

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7c597228e4f325b8ab08855294039076

SHA1
1a21e65117a1fa860408caa9f8dced54ee43e08b

SHA256
ebd0a6038a2d47765aadfbc4f91eb936bf863cf28db41b44058dba3336bb8c1a

SHA512
6033c45a746038690bcb56a890f946d96514d44f7abb3e6e26872eff7ea403de55843211d09e9719686b2eac48170cfd4c61e9b9b69fd8fcfbb2b7fddb047034

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
82b33bf897f7c08146829c2007b4dc78

SHA1
8482ff2d19ad8614bd896637259b1bb355307121

SHA256
810cdfc3b1b3d169c2a658fa4769b22ce58da629e0c525c5c67d49e8a4bcfb28

SHA512
ac7fe891d37a268cb8af94505c51b59b254a9edcca6f81908779a3dec9caa685fdf31a4e09e48794ab23ddc6297f8374f2f988d781c41bebd0ed62663de71d90

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
41610318c6565ef13b12f9412d520bcc

SHA1
a824351ef29ac565539d52fdb53016a45630fdeb

SHA256
06d07ede6dda710df2da731dbcf34782fe7cf3a370f157728891d1bff0b855f0

SHA512
596d893bc6f84f03dee188c6ce64ba81eabf732f785cca2b4d7ff0fa0c8f79c7689ba75eb163f5dacccd35426a93954ec2c5b3574fa4a650f55b48b066a7b980

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6425a3ac214feca36faa5a415620ff39

SHA1
535437cb7f1d213f207fa9a52741dc482547752f

SHA256
84539f28d4598a79b59b93db2c7cfdd78067d7657e857cdb0f5ff071f872dc42

SHA512
9b0ac27303397b387a14870ed288c96cdf7754219847db3cab4a206f83e82329b452bdc630a675f0b0ca8adeabf0bee6258c92db32377d661c1a2ce07b81c6b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5d7a3d502b3b74b6784554d6279026b4

SHA1
fb15fa85bfeb2c0f3e685bf9f15efb190d8dbe5b

SHA256
fb12c06097ce10ca019de150e30506c8aa09b57880023d22afc3d548eba28162

SHA512
a8bd1e7df189baf1a5eb59fdd745fd87c0e67e7990d68268b4b295cc537ecdcb72ad2741c1e53daf65878da857b0cad5ffc6a726d5cad953196697c79dd4957b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e8d8b89c99ca58a0b47cdcb07464d8ef

SHA1
b5b9d3a5252d2f37b236273ea62cbf892658754d

SHA256
5544c19f1b1453e7c01ad75e8c70306e365594968c0e92e1c7601ef24766c27d

SHA512
3c23f22398b9e4d87e0066877dabb2c308a860cf3f97685da9811a3ad9583b7238e5eb0cbb92262c8b5d9aaad8b25dc3fba63377972b51387a15837b658c59c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4ef4e566566e9967c42b13a73b23606e

SHA1
b101f69a0dc30e6054c83d3183f328c10ad61e08

SHA256
78989b726d94096309b529bc52424ae38b0cd2834b4735c3057113d3b9bcd5da

SHA512
f27be78cbe00c4e2e996102abc3381d5242618e4bed6461ade8f93ef25b56877dc86ebc52818ca641217ed921dc8f60140b29b5ed2d09455c6e2d94e83f371a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
0e0434665af048d51a1e63a1d9e92377

SHA1
8658293b54e7d560076f6ca02a90a16f0beaea40

SHA256
78d3a72a3fa6554263221e7a964529dfd02f8358ddb2e96a7d0d97c8ea48f5f2

SHA512
9e072539db1be6fa51d1ca980074ca50f6804e2a21ec565a49c9600004ee0cfe7fb6d52533ed88acbaa8da336240d37195a5a5994cc79518931cdb9115457440

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e5acba224883103249512f891d3a109e

SHA1
bb0de2dafae32f99e4db8f521e7a5358d3343f58

SHA256
893ea34f44169bc6d8a00f8aaf634a99626819b853e1c15131af654d17c07b8d

SHA512
700ee8377ad7b98022128660c7bc66b01a0aee67287b5f5088879081ce845a08d9cb2961263c533e68ac67a3abf8453cef5d1da0a68ff89f5a637a04edba3287

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f39212099111bfa76c64ddb86ddae74a

SHA1
a868b2d8796fbe399c4960f4958dd1feba27b3ea

SHA256
feaff4c1479480ae2a511f05befcd9f372a7c84d0772b31dbfb11e93ea236210

SHA512
fd7ebef192622bf21ead0c1744e04378649d6371e670cfaf81bc467946096878a0ad3d0845898a44a547ce722bfe8085b4a8d0413bfd30810921f2d5cdb49442

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
79fa3d4fdee51622e19861602dcb7367

SHA1
e90b28dbaacce15b5136c9cfe536580747f3b3e1

SHA256
49f521fae8abd16be8b2ee9f5ab25b5a909871b0e4100d7ca4e6949bc28b1c4c

SHA512
5050daf47de5991fc19e29af8add77c337d5d0d92ad9d41c7a80d6cd1da569a140e4f07ff299e7bda626d28c1f0f7d76ba2aa8677502314fe5e426325c446de2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
de3fbdcad9c30720319404269542623b

SHA1
42b870b33c520ff4aff4b554cf0a88494335aa0f

SHA256
05701eb989f21a66189c7244bcdf07861a7f2ea33c17a669d6ca747de7fdeb9d

SHA512
ad83e262b427de9653f1fdd319dcadf555785d9346896b05521d5dc198771f49890baa84d1b9ef3c3543cba6be64d7dfcbd72bbfef8e9c5f0deb3389753be42a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
5664ccdeac869502abde381afe1ca6d6

SHA1
6c06a0c7c73bed16f1f6a00ee8613c8279bbf4a7

SHA256
50ff8229946f90b01c862e0fae3a2c45de2e76a34ec546c3782c9a4e74b2a3d2

SHA512
46405af0dcc75f10299844f4183f07d76936867f3b6a01f53560d82f778517693f91330bb550e0265c3a0f8c1aaf99a2d8eb2577bcaeac32840984c8ac3b0e63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a8cb9b27107186a9251e90ed9426cf74

SHA1
68ea65d7886e1f4695f19b5f2858bf2b4a39874f

SHA256
e690805ba50a77dc3a8abf05dbfeed4914a7b47c25ca9f95bf6525a9e6571fde

SHA512
e3f61677d2a29acb778d272b4b40b577026527c374390d68662f96d8d50b78c1b6a6610bdc7fca056024beaf174cafcf61305135c714013f32113f48c22904ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
eab0b1b8f87a2a8e37722e919e518a79

SHA1
fcbc5f0a19a3dbe8c733d16bc346019845a6d7a9

SHA256
28b8132ac403a78d83d3168b66879a0ca99157f7679fc88b4b55914a1800e84f

SHA512
146b207bde1933c7b92e83ed8f3650895959813efdaa5abf41996f0d5a688f5e9151a3da647977312a6924f52e35f4b3e663d43d03f592213441aef75c55cd7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
2506aa4dce1ce2510ed17849e6a198f5

SHA1
e16563f72784a33cb97082e07dcbf4f168a00b4f

SHA256
be3e6538cb27f51915d5d757d673f80d96794b18b1d3e39e3d37a68e53bdc86e

SHA512
84b7d2b5a200dd99943b9fa551ca6abb5c3916aaa4c92880893763ef82e5006f28806f7fb1abf5af05e339c8d199f37b67488531a47b556226910d5b5eb706dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
0f49a2db3a67e7469472c2ececd6484c

SHA1
2f7d3884ce606442f127e0b0c6c3a184866a0575

SHA256
1f9a0a94f8a739b419f0d3a943d11a4b498e1157b69db67136bb6c10d08710d4

SHA512
82e0da7ec350b46e594dcd75c2cdcc4e2f8ceff5a6f19457787bec3b9a2aaa27405822ffbbb7e7b2634ca9bfad03ffd89ba39eae2bebcfeab41c6d07b4dc5214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
417c2b3188a6963b5f284609ec2afb9e

SHA1
c8cd4eaadee262d9b98f14163fdd8d83c9e0a66d

SHA256
91e963ac263d720ada538d84fb1142a8242e62648889ecfefb78a1e3747e0dd2

SHA512
32baff2c146b30a993444acb172b22e76a576cca6ec765a471f2e42f8965f9e9d35b96a0f6cab8ebb1f0ff26199130cec8125369cc686dc2dd97fe31fbd98586

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
354a0382f43e218b4a64aea9dc3861ec

SHA1
e9c341c7a435d4518af7f1301faaaeb3a7d90b9e

SHA256
c0c34c62e8f1cda0a8a6d6845e87a2b1cd631758e10e7759a913552ad29df38f

SHA512
286487eb51b3936268daeb079b014c249e07986ebbb5a3b50690e830d6046b85e3d902f74084f68e6b3f1077ac21624701b79bf28fb3d91031021027270588d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
d3019cc9d3f4c4e3a720c7f122e6dad8

SHA1
3974bad2f79ebf5451b4ba13b78ec0841c102d18

SHA256
4122c6dab86f49dafcfd61ed549c3b78192667e343404480457fb83e3d49d9a8

SHA512
f2f14384744aed35c636ae6dc3f5204b9ca5b7b5ec945a975a9fc7b3be21fc8bed8abcd7e978ff31fc7eb989e72047ca94f96fd2c3bd871c1e08d8c35391082f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
7b579534512b521c3dde26fb76217112

SHA1
3c33c80eb6ce7d0657589625a79f12f217cbbcfc

SHA256
c802842e7871bd7343a9243edf1058c70ce5c23807bc68f27af1abd3507d7db0

SHA512
bb2e853c564df8589c9276543c4d30e24cd1c1a9c15cf826ab62a64e5b40cf9d376034d20772384a18241f5aa57169890b0725770d53dcfb1596b5501d72ecc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
c8b3e8a5e332f7d4ef3e585da88c0952

SHA1
05a88b9a15572a2341e38fd55d7aec784e803fe3

SHA256
fc2cec9f653e852014f9ca6912fd05f8e50044bafc233c27cea9f197c5467d1f

SHA512
92ea361b1c2ac747b4e429ce6b622c9cd3f2d84d3da2db9a93ded510acf129602c301964e576f2715be32632b7edf70fd67b81532d95cd814cb2cf5b87d62e94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9941aa8da99d584099f62867b036524b

SHA1
36299ebc7472ed1de272953d1ff5627bb4d78fe3

SHA256
b790423937ddec91b4894999bca27ed2f2ca479e4fd132ea68e3b049af979a4b

SHA512
45502dd8fd917a6df0666165bee7a03e6c5e3e77792a3c5fcbb1ffddae5a48daa2af2d52a65d99a4cae3fee58370409fc764194a3967030725c0b3aa2116f2ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f973ebf53db0f7d1b4e6dca55b48ac47

SHA1
e6d61ed7169619a198df53eabd97352d11c3907f

SHA256
564217c96a580d70922e78e99c3c5bc3d7771ef200bc6397def740ed34f4ab6d

SHA512
e5931944c9a8dbd5ec54a7e155bcd4771f4da4884fe157458b6ce3e6432c76ed09c46ca59f0f4c124ae5240dc95d63cc1fa09942083314d23583006a36419494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
89513b340df0ad9ab354c33e6c355727

SHA1
9ff7ae2a9d2b287980c827960259b80005e41569

SHA256
3b4c9b009b734fd8a6f2818bf05741f15a86d3f24fc661283eb80947f391d4f9

SHA512
1dbda984f63e698fae0513c103197e9bb87594f0fdd258ee3a577f08ed2db1d129123f5e2059f6abe5fe7780a34b94e110f5a085077ac0465a3b753791db4e5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a05abac928520842912c63da846b7f7a

SHA1
66374591e3ebc5033e81f3ef8130f2f13ccc2226

SHA256
1cc57571ada2f590830c27c74d3e8d5cafbdf1d88d0762c535c5def37ea81a6b

SHA512
159d401877f203259e4820304f813ae07e4f21b703f1c64eb835942e0219053452d1283adff63ed46d8d0046ec99062a6bb8cbf9ce276d8e8aa9cc506ae99684

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
963928c29ea19a286f0e11f2e98d177f

SHA1
bc43d3b94508046490f5368904dd9fffe97ac6f9

SHA256
1682b0947fa71ee6bea7bd2fd1740ef2587027c0d7ce1cb8cb5eacf5105b1efe

SHA512
24ddd195577f3eb9c8d8e7d44b6354119c14aa07717129b9b0d3ade7a47f4a9c915b78cd8c0c77e973aba02379073d71d1dd78b328d324f37b654111e6ab7d21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
97ffdc3f1e2324ec331bca7fc74b303c

SHA1
a9031f132d716820fd33859e0cd5c7e007f7c684

SHA256
98e27aa27f7928dd6342b69b3fd2188c9cb166c2cc63d11e25f81eeadabe2965

SHA512
41c06d74f824bc9aaafcc8647efcc6cce59960510c79f1e2d07528da2d0c62fab22e32bb68f75ef4efc22014e36123d763e1da64ee42ab4d89231893a1621bb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
14ef6f6701a76b9e85cb5ce7dae1be37

SHA1
12dc67f601b4a3aad1228d89ff9a591401391b3a

SHA256
23ea8a4475fe179ffe1f21c7b0b97570d49f895e2fca09c0db51b8d106a2212c

SHA512
c633a78764221d7fd4bfcab12dd4f6761d5c938c488b5fa10bd50307537f6cfba1d5b0d929b32a37335397b201263e0d4af7a9a7597f92c6d3b5cb911ab56286

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ee58362526165fbda5bd6f4c996a6c66

SHA1
7e06e44eb8ba1dbb1596fdc6d8e79bfe3c8f28aa

SHA256
52f250f18abc8cf7ccd466bc1634c107d2f9cdb3c073df5dc310c4038d98da1d

SHA512
87418858b99181059d019fbf166af037545b41ca4394d747ce38188076487acdbb3922b048d70572a608fc8fa7d5c7522b017073f7b2eb5f4e4c807763876bbd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
5ec49f203701e1b630ab8a5fdd654f3b

SHA1
dd583a22397c47a691ecfa77ea71e61061cd62ed

SHA256
71d9ec73ae33b0bc60672e2a661d917970ec8b163ddbe6dfc66237e0321c9f46

SHA512
986881495ba2a31dc3ff3fc35e17a11b29636bef58f9ba9435941efe3ba99c4bb0e83301336c00e4bc54e7038b75b95cab8b9e7ea63196e654203d6183878559

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f767113072c7291fb312a5456bb4d671

SHA1
aa10903d0c5687ba145e0e20227d0f14eb98cc22

SHA256
816c6cfc95884523fe17760b0d6f2b03a0b32a741da3983c127025e296a06acc

SHA512
51f50ce253653c31f0224ea864bae85a6bb4f73f58e8dc0a01e036946740572eb89b669c4da5bd4dace0ece1d1ee9a6fd55416ea0e00f9e998a4dd4c719af2aa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
45eb7db7aa670449b39b906355439462

SHA1
a3f5f4c278cd36f0c59495b02fd559031b2aee0d

SHA256
35a011d69891d24b536dd06c16f9ce9e69ef733cb149912ecafe2e05c6661056

SHA512
add6d2aac98e425134ea99288e0e85b100a449fb00e384ec1aa71dc7c6d9d2f0f5411cb6fade375baf388238f4be324fc62cec718a5d57514a120cd7a66f6b34

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3571f1c6f3c043643c7c386ad9e6ca11

SHA1
d728696378f28146cf870e360bbb2fda10104641

SHA256
1fbf980cfa219031adb3daa65504a5fc421b042c1412d1965438b7a9990f9bea

SHA512
2a1d76e9e124b690c4c26c7c39da1b6a57c68b9a44af86a39ca5ac62bdec438212919f6adb2cde60a451c7e2b2fc5390d67c5c07ac52d897e001094e3456a32d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2b936e5844382c24e48813f39d0297d9

SHA1
1885bd1f34b9f0c72802f52d05c1c4a2402d0be7

SHA256
b207661436637d66294da885e0ac5a559c53af8813e261a8b0f2599877f6201c

SHA512
e4d99f3b038b80c18ccabedaae55ae51e263bd98f9a1fbb5be7779cd34cecac7850297a8333add030011d8cedf10a87d815a71c07da95cd4b593f5b2c59c8e35

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8ec26b9dbca57c110fe5e3dbd431536a

SHA1
7e1dd7041b94a4e69a57227171bde0582c4cccf2

SHA256
aa383a44478f9f165825b99044360bcb06136e5ff209ad974b92a529240eaec7

SHA512
714b96cc04d49bbd52ee9372fe0779db861b7e9da15051e5596452b36489ad22440ec778b47463c7217cf088f73de0ad7a4468a2d9b64e36099220066044ab0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
08fdb0321719459f12962e03c5f15277

SHA1
7bb8455fb9820e28ced5b16658159bb92fecce9f

SHA256
69878187648f626b793eaa8d672159e7788c84486683b4a17a2b6d0e86aad0e5

SHA512
7eae5ddca36d6b7bb076d8d4799ead956f88200e84ab94faae5c803cc00b38d7413c3c80c123fdbaed8c4efd70fec74bdc5fd390aaaad7360784764f20cb9912

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
b5b85f1ea6e8771b1bb2326e8741f5a1

SHA1
36cb4cc4487d8cbc311487195ab52c2262020066

SHA256
d661ea69813cf200878a0f97be2dc33002f000571f48ae136d882f1d4fb7fd78

SHA512
a8cf0c9f12e81f30b0687d20f8119c02b09288cd436d6fee618415e96d41fc854ade11f6788c2d775542217836d08a6b2f549e2b521353ffe614439c97e6e57a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e709f082491c0bf9c5b2542966a5e9d

SHA1
30748fb6f41a8051c028a1e4dea0c090ab51d864

SHA256
f401248691f1b449b67f814eac57d07aebe8073332eb4dcb7e7a465d6b2c42ab

SHA512
f34ed2a246173d58936fae4a5bb05e1ab0f157dd19d7037af89a63914cc1c3890294005ed6ba0c1b1194b9acc084f359390b9ff0630e49b2fc8c340aa60b0893

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b35cf4aedfc8733723ea663d741dff50

SHA1
8a76abcee6b815023e2ebb1de56d09c41376be4b

SHA256
162f263d711f9a2c99b50bdb69398dbcca012fdf6fbd66d4c685598820f926b4

SHA512
7f747b92e049f1dccf80f5df7a0e941441e52dc3a7dd417537a3b0385f216eb6df5d5061f593bcc0238c83f7e22b6bc483003005c04e492664826dd846617ed5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4f50d86a3bae46160b24eb3610ecd4e4

SHA1
25b81b86536d02c66497f0f80acdb529bb865b65

SHA256
0899bdd55be0afc1c100943571ed19b5b324a9870b7b1836ed1c4e2972143561

SHA512
ad6f15fb307ae703a878640cfe4f26ad23bba518047a1d61522d2385a068b03819f30c345875f89b57cf282a764eacdc49a85ada7c843fdb4d6c9ff8a32c8141

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1877e204a674b52bb1a1ba746dcbe593

SHA1
71f141e3a0d30406c208095c131231ce18d4e048

SHA256
8399b7d5f44d8bf3ac0c32b815bf1be71ccbcdeec3f2e6389ff3fefd396d6b3d

SHA512
5d1b47a71149e680efeb443895e7c9ef8fc719271930e5188ff8a272cc140b4a0c7949e4b9128d34eb464686289eb5fc748a285f9c6072a3f6b5af78eaeb11df

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aceb34ee07ccc41738495c9b0472ea69

SHA1
9176638cfa25dbea4a77c9463c7406e872e51d8e

SHA256
c933775838aa09863ef34b06f29d568d0bf03c4c3658f1d0b950475c8947d41b

SHA512
cd5acab52b1784df8372b29ecdc5bf365908bd98e811da9f284dd18f0a1ab0e384eb9334adaacd362f8e34def3a6e2ed14175cf4757ec79fba9973a6b2bfb33e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fa6d45d413932f5191bb68f6d7e6ddf5

SHA1
cf9b91a11b035f0e67f4c2be94d2bfaeec86cf7e

SHA256
f38c830a114c131257b72f2a8fe589e67e948ba7938c0b41f8f8e393c6218a58

SHA512
8361297f70d9ee868d60c95fe9273fdbc4a2151d7816bf35314906281274320b3e4ec698aef17d85b00d55ec6faecf29d00862743d6e562c69323d102902656f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8e2f2085b4fd0864ec60e7049b6cebc1

SHA1
052749a7474d903aec60e54c85c0a86f35e45778

SHA256
04b2f0b7ab6b0edad5af659ff6056aca5950b79211cdfa774425c7381534a785

SHA512
bf1b7cd178f6062eeaa7dd1344e5f534a53ce109ccd66480c9280ec4aacb20e6adac16994942cefd47919e307c99583aeff2789601b52f88a3b40399ed108bed

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
264580c31125ea1ccaccd2c66c4d0fcb

SHA1
d73435efd6216f967f0a81e1a45386d89369ab2d

SHA256
2558bc2bf44449ec88bb0c2a408cf7e5ebbdbcb401725fc1e22a9e4f312c47a8

SHA512
726b44e56992252cf355100fb3cb3fd216b4e9240e6cab2442aa898660c9490c3e30ec13739d877f2efb4ee5b22f254970ce128c0a96c14ba33df5dac5d3d0db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fc9371ca63977b559364026a6f2514ee

SHA1
e1422bc22472d1f724694951ad6c95fe7c6f59df

SHA256
4902d89a0909dd7260c8f5090ed966b26a6c267de39ac037d6936b7924b43015

SHA512
4f83d9bb8fcfea946bbf5b7b99734dd804def736b820cd23caf8100c43f4149f6c059f13edff44086dc301612bedf705846f27226460285d9d1918ab34e5e28d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9174f18c93e68eca8b58533debab8b21

SHA1
8178e90cf6655e24e5318062d126f4781063b708

SHA256
a7d3210a15bb91563999fbd8225e599739eb52673fb84435eb6bb0d32e118dc0

SHA512
db58f405455d9b5a22631142cab236debc8274b69cbb309ef2cd7dc0c9e48c218f3a681485a203bdad6b52213c6681d633cba2510089a2c5674db9f90606ea00

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8cb2b7dc4383a56ae64bfaac31ce773c

SHA1
3f26231db02e98f015dca0c71a82f5d7e9409a5a

SHA256
9b909f498b73d5bd93a4910cdee394494632a2bdd7025943f2f6a1c9e93430f0

SHA512
dcfb4d38e317c07e992989f1c3f0f9d4d0e295735ab04b620db11ab9ba918942ded4e4ae93013705d59ead5c0d4f9e0b7ebc245a1f6f119a0c209c91b0698bec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
32f90cfd6cd7071b1515b6f89d6b8b9f

SHA1
7885b22464e9ca2491867bf1e069917ee397daf8

SHA256
4ae356a4844233d21eaeb7d0b684fb9dfda483cd0e67b1b5d906ba43be50e91f

SHA512
a8bde7d5a08fef947025ebe556fb56493485eb70cfb89f141bb4c77ae816dc1216ffe60af689638862f617930c2d04e13be0cdec2b029b5b8f84f10d43e76da0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
9eaf6b72755a076fc1b8ba4cc3fd8107

SHA1
dcfceb56ae918a30fb7173e8236913613b83ce46

SHA256
24d1bf71746d3655f52724313602db751a443f48af0d92e5c5bd8e455667ae45

SHA512
0fe45c4d29076d25661af80934aff32adca9651ca5c9b00ea01c9f2a038d19adc4fc2b337746f68d735f5408b09b865dfa0b3f8b2209efc1aeccaaeccde32517

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9cc2fc417ac78d4e1ae6143a6bab522e

SHA1
b853c0a18ec118b3c2eaacb685e88061668693a6

SHA256
e1fd84feee405957c6401ff6b20642b44152d464cb37d4911ca8b07e69a34763

SHA512
9d71cbc69cd945c1115fbdc66623d03444cb550172021ca393f006a85724167a11343583f27ab717a9e85a49004ef83a5ce9768a218450275a7efff886b6522f

Download Submit
memory/912-265-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1468-266-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1548-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1548-686-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1552-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-683-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1612-276-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1616-55-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1616-681-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1616-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1616-49-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1636-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1636-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1636-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1636-598-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2032-272-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2228-71-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2228-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2228-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2228-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2228-83-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2308-501-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2308-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2308-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2308-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2308-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2340-264-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2432-684-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2432-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2512-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2512-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-38-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2512-89-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2512-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2636-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2976-268-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3152-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3268-91-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3268-263-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3312-270-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3484-7-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3484-518-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3484-515-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3484-80-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3484-1-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3484-0-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/4072-277-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4072-685-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4248-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4388-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4388-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4776-273-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download