3f948155f707c034647a161f25e47e5cb3024784fdc6e00bc9db4666889d8549

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
Size

1.5MB
MD5

b34b7fddef637dfdf9ec857e8d507ff0
SHA1

62d3db001a175e351c97bf67f53fe5cff419a6f3
SHA256

3f948155f707c034647a161f25e47e5cb3024784fdc6e00bc9db4666889d8549
SHA512

43ecf64f32c32d23f3c59578540b422ddb56de08432a738a0aaf93c954507ec27d5256528103943adbf04d4a99527aa1d048de332c19959c825b4c7e0c55aead
SSDEEP

24576:cK8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:cKgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4944	alg.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
2804	fxssvc.exe
1688	elevation_service.exe
4136	elevation_service.exe
3964	maintenanceservice.exe
4768	msdtc.exe
1368	OSE.EXE
4300	PerceptionSimulationService.exe
4464	perfhost.exe
2244	locator.exe
3164	SensorDataService.exe
4384	snmptrap.exe
4436	spectrum.exe
1112	ssh-agent.exe
1328	TieringEngineService.exe
3432	AgentService.exe
1220	vds.exe
4404	vssvc.exe
2604	wbengine.exe
1172	WmiApSrv.exe
2744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\327e932bc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009487335667a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000a3325767a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee23f65767a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cd5415667a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bacedc5667a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a799ec5767a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023ea355667a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1592	DiagnosticsHub.StandardCollector.Service.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
1592	DiagnosticsHub.StandardCollector.Service.exe
1592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4996	b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
Token: SeAuditPrivilege	2804	fxssvc.exe
Token: SeRestorePrivilege	1328	TieringEngineService.exe
Token: SeManageVolumePrivilege	1328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3432	AgentService.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeBackupPrivilege	2604	wbengine.exe
Token: SeRestorePrivilege	2604	wbengine.exe
Token: SeSecurityPrivilege	2604	wbengine.exe
Token: 33	2744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2744	SearchIndexer.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	1592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3684	2744	SearchIndexer.exe	105
PID 2744 wrote to memory of 3684	2744	SearchIndexer.exe	105
PID 2744 wrote to memory of 2920	2744	SearchIndexer.exe	106
PID 2744 wrote to memory of 2920	2744	SearchIndexer.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b34b7fddef637dfdf9ec857e8d507ff0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4616

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2e6ad5bb740c2ef85916c43c8977c88e

SHA1
6881bebbdb58e588fe12deeaf80679d4ef8ed04e

SHA256
a4217b6028cf7435fa6d4ba12a89802b7922c8be468e1cf3708527a67179fdf2

SHA512
d2a306426c031ec594ccfabae1ccb424414e5b82f1f411d2e6efea2b3f18d171555cc97aa7709b0e9791ceb78f01776f5165a629e5a4dfb3a58295856dc86e29

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c74311c2a3fd7d54d0c10dcd1a762c9e

SHA1
80408dbb38f1bf34e82445b7c6fc4219f5c70692

SHA256
b2f4b908bcc285ffa87f1472015e5f41eaecbbf81561e61bd0072a0bac971fe7

SHA512
46a95bad68aacdfeec73cb1c89a4b8c880ff10087555b5de408209ed64276d4b0b8ea534249c9a9df2ffc2bf6d4281ae42a45c1c788e63ecdf6584e337c10524

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c71527d15d7716f21f9e392aed97d474

SHA1
02dc0bb09c95d2159b98d1e5a9260736de966727

SHA256
dd2d960e74db9ced22212a66a330722de6e64a292d3d7087eb5dfd95234ab335

SHA512
801c6c1a69533a937400dd20d7b898cdfe7f0f54075ec9c7392c2d29113ab9934d2f2dbac32b1d81bfbee605498917ef6bca9a4ec0cfabb71de3b3663644bdf9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d70bc30113244bf4cbe38cebb9e835d4

SHA1
e218b094545cc1cf460a82a763699f452fb0ded2

SHA256
38b0d1c6a6724cb1791e699fbf89de66e7474bc3b8f767d5f7e516c601e97564

SHA512
eb93a08c2329af951d72573b7f583d620cafa354a160199e3060cad4afe6839dc6c63cfa40f39c780a3453dca4c210472b9aea32d1a243403f8a3787cb69369d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6fc50185ff620864e46a6d5831f61c8c

SHA1
d50c8b4f1c5f44f8f098e23c60b8fa5d0c1bddb6

SHA256
c1dee999afa1a6c317aa21b93dfa99918cbdc1b1a7a31a1ae3c22906dd1da4af

SHA512
f03c8500dd27e55db4a3b6a017dec2b320a04a2949d24aef9f0bf26caffa09edc0483297612ddbafa0bf8b0fdf6a741470abc563e64fd593d129fa48048e70af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
55c7bbe2661a751535613a9ce64c2d9d

SHA1
ae1478a0955d839ce7c1e77022723817cd2bb444

SHA256
c974df7f6467ab554f24923413324079a21985b9c10bb705554b3eecb79465d4

SHA512
abdaf8b8206952c22514825a610c9eda1c5f5fedc2644dc423d28ff4585b10a9c850c0ece08e821e7d00f05efdd114e3bee0d24cfa03c5fa2b0f3ca86c35a57b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
da6182b3d8105959e221138f673ccd89

SHA1
d4e481536632ba4332a54f8e56e5d7da40b455e8

SHA256
f793ccd591d8a7e72d0a3e5f1e70154b340bc32004dbab8c9bab99a2f86a8125

SHA512
3e0b654930b4e4add3ee08e0299f4e5e4b883ae7e045bde660681f62578c8bf0d728b1e996b3bbe65f91d22b5fc4ca777d03e419a2370fdddff98d6ddacb0702

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a99d325d575dfae51730c1149d180ec3

SHA1
6c1dc1578e4b248d62ce8d87709a2471774c2af0

SHA256
a9c51e976e1c9282abfdaa48505ba55292361ea27258d605a561bfb6975d64ce

SHA512
534c2a25501721115781f58453ec8d95948f2c7d1ea58717585425ceb9956db7fc4e32ac486e6b0ac9b2384a08fdbd4c7d378841847342e537fa5ff63108e5d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
fcb7770be018a188195bd068469df212

SHA1
0413d9561035149a408bca7173bcc7e2dec14258

SHA256
27573366e8be486d6da72f8dff4f530b8145c02918a12743abe91749f6faa553

SHA512
99f89cbb70bed57ac348b9d8d984f09355c697996047e1f2531f17e7ce129f32c4c79cfc50165105537320f04e8d6499fc03432016589c5641987db19047747e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a6e3694ad1a3b49c40c47c869d7452f

SHA1
35472e25d265b88ce28cf53a9301107c465dd9e5

SHA256
ced7065009043e486b310a3bf3133844160fb93b36449f1a6924ce8f73512a36

SHA512
e463fbaa79c67a0a98559e33970b44df480adac0f64ad9a1978b35e46bd2e78b5d2b823f5920277d89027bcadb7f5f3cd606b23c43355c9a3ba4dac38225f634

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e039a383b0fdbc560e842eae2840ad86

SHA1
20131e3e132221567522c7a565e34718f0e6cd63

SHA256
12a1b0f88f87017ff5fe1a278b1cb0abf82eea21919e0804b3fdbb4d8cb6116f

SHA512
1db16a65fb48614594c4adf139d2fd0dff82a4ee4f21741ce07d798007189ade7a73a33f905aa933e417a191d1e5240000d70deaba334641f753749744c08cc8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f46d1cc3dac9100e31f53321343ce4e5

SHA1
940ab44548997356e54ee8a0c92b1d0d9e044d32

SHA256
8fe73cb01636eb787131226b4c04395573d994aefc64cf1554c6fe60a24373f9

SHA512
f27e66aa6cc65f17d984123a0d87eb402ca75b3e0450ba6c8118b09a7dd0bd8904e48d0b60aa478e122adb6aba03bd4ea4662b2a9801c4c0fb6507957dcb6641

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7e3e1a023f1b7754260bfdfc48ba24fc

SHA1
5b819ba44c55a3c6ddb66344a06620f1ae25c838

SHA256
a69c4b683a530213ed4d0e36f48c292f07df9b92726e706e7f9fb894f5f580d1

SHA512
369e5a0bf546626152535bcb549ec2097835d942a450c24f0e48742846ba26864b2bc1afa76cdbc327306171172885dc67e67c74386f5ecc822eb95a7d73086f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
c78cef2eec60701f9730b6e83869f679

SHA1
0466fee12d61b0482ca1c6a254b023fc0c5e8f31

SHA256
f50726b0022a820d9123003209a97bd9610a7761b07a95b55e8137d108ae2eaf

SHA512
076c65ef30bab02d90e12d5fe2d2743d49e8075de52c3d10189ebe874411f8a8572f9677525f0ea058d8ae228869442b0dec2ca7c77b617f48a9d8014a86791a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ada2534ba5835c296ca04c296bf9628f

SHA1
c3b6b42874b04bc878bddee7dcd923d19df25fea

SHA256
bb3e5f218f9fd1c092cdf5b40435436b5f310b3c11f1843157299b81085c8972

SHA512
86f4f1f41171787a7654d35d9dc32fddb3b7477916621cd5c2b0283b5aa96d3da961becf5ab0b5ba4ff80e7c0e04c4a17604eeb4d856730066b5119c31542731

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
64575c6d07c3a36c5280742943a1d211

SHA1
c03dac7486093591d507154ddbb48f7b3424ca2c

SHA256
66f8bc2cf64443a6737e2863a41ac9daf91c0561249ca5f1ba2e5d6c30a0a10e

SHA512
3dbe5bcebe73fb166ae1a9ac1507e52a9df31efb9e670672748047b8f3ece2de1b9222b56e9bd70152e547ebd54342976ee78e887d21d9fea58f65aee086c78b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
48e0637ce3fa5c26160489661e268e00

SHA1
15488d97be0cdcdcb3aa6bce315d7322cda182a9

SHA256
96b0a319c95808ce47ed46988f1b02fe55cb62a6e701b57878fc04edac216788

SHA512
21832f1fa7bcc7e6b0c392cf0532087355fb2cd96e859d4266d8cafab57923bb8f0bb3074212695cc9fd7ec597e77e8336ed9709198012a3b86f45c6aa232805

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f8617b637a57d96b97974de1263df9f6

SHA1
8ae27a09612e4eb21d06478c51612198a4064b59

SHA256
7216bb2dc3610ed6db32d7a5d552f58108fa60e7551b9d96bb2f6085e5ea6568

SHA512
d1644cc929b4a9f9f00b451dc8063247bd8c2a700160a5f598be8f50c85f4f5c5077479b8ce704a70a273110cdc2f1da730d42383fa4253a957a09f69329fdf6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
66225788d5b1f79a5188ab8cb6e5e084

SHA1
3479a3447ac21c4c714d5cfe5335e1fe692d7c07

SHA256
59815637b2054e73e58dca2d91dcae187aab52abab97a178c295c81014af70f9

SHA512
4b59b00292281729f4c808128d4433cf5d7a959167955006bcb4dfc850d78f868d2938a678fe9825908f3acb4c05c4b555d14f26d73bd177f641454b9403e7af

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
59d787e34322b8495c2d0decd8a0d1f5

SHA1
0b9a286f2534987d946cd7885e306ad35b5c0eb3

SHA256
4dd07cbd7489086e95233bbbdb5c5ab2e60400b15bf5f7c8036367cded51fd68

SHA512
3bec1e3bcf474771a653733c2443d44041c0d05008aec1c6a1e0d0c5ba67f6e443da8ed641216f43a09af68955bfd33e823203d3146e3cb65c3f2e02051e28f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0a502403e180cd3cfe80ac8081608b70

SHA1
b2c4e79c5d1fb8e34cf380d8ff8b4df0d41b3acb

SHA256
a16f0d772bd3932cf239468d3c20d52157ca04992d2a4298ce811bec4b364e80

SHA512
f316c4f5be66ce2ebc6485354db0d1442c69bf3201a9501bd989caad86dce9af500d6de4488f885ba3e57d92eba475fef9f3f775138a57d63c441ffbed6497d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
fe251e90ffbdb77e6edcbfa32c47b13b

SHA1
627afcf6c81c630b7962067b3f0e1af89366a293

SHA256
b1d4cb09838a18e4eb7f5b2b99f78b1b5848246b9577975d27fda95c9f2175ce

SHA512
41240a47cfe6a5e8b2c681c478e651030d387c71f96342b1ebb5a4d336faaccd05840dd1fb7505d70269fc3b6816a351a84436aed32cad6068a28c79a06b33bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8fd1f27332dace678944396ff5e56c40

SHA1
e558d7fc3a2f02c6517350205cacb2fefc7c1788

SHA256
199b528cb98279298aa3928dff0ba9f2692184e0ac91d79d6715959285afad5c

SHA512
d1a9c0eedddfa4a27aa155211ba165f462fb140b0044a7c64a145ced33632c34358c153b816b77276d7321bf267dfe5c6dc24c49309a3d46667294c17b15c24c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
2abbc322264cac5fe38f217ab8d0b31a

SHA1
cd583dce5c293c9fdd4a257c86b12a5f08d38ccc

SHA256
e51525f0b1b7a4a80f943a5f2e27f75f7793a99d7f8b4e7ee7b957a3e7d21e47

SHA512
98b4f4368eacecfbaa6e46f80e9fa9d07276dc77994b0270c24ce989ab11039bba027b097075d3511341696814dd8b9d271846b1402c5c24d8b0334864eb05e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
5099166c97812151ccb66a8cf92ec76f

SHA1
7a99c93c79859532a1a3f6f80508ceb5d87960ed

SHA256
2689a7fd12d4b9ea92d6711b4d40fa922092bcec4615cd3d741e02891811261d

SHA512
593d943688b3498b5f0a16c7a2bf3487fb869f6e8e58892ed4ed9a8c3f167a53702f1f68fb40c62c13ed6dfb1664264e71a47d8fdb5dde8da5198e0128e5f86a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
6216136640275398fb4246caf6a039e5

SHA1
83b2eadff2c17bddba813506f7e08f52fb699894

SHA256
69e0e2c9e9e9ee75d6189d52aa3968e887cbef4a287b8908bebefdf96a299d82

SHA512
584016f7430eab3b8247201d7fd751c45f2019ae4ac7f1b3842cc8a631711c25122ec6a398334054d1be06ad9ad49b62e7b3d47a74837cbba58575392188d579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6eab25500fd5010ad8bf050367cfb4a0

SHA1
8bd51acbceed0078d6a5f219c5bdef0b93e58716

SHA256
bc7558da2b7a4206006e88890ee19f759981395d8128e81dfd9ed097cc7d9586

SHA512
9bfd4c03c5bc19938c1e38f8d5e411e90f1f9f0aaa0d3e0725b61fc57b3f3ad64251ee5bd8bd4a2ec488354233057ae031e69e3110dab481bea12309371957d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
cbed609fe8864b6f2e674d5aeda4bdc9

SHA1
5defd7a6c2ba373390a4f280c1307760bdf947dc

SHA256
84ff6c14dbf34353fbf09483f9c9e60670f7c621c6365726575ea01bde6ea4f3

SHA512
eaf5f722b148fd0ae5425283d3f46a0dc1114b2f1d0f104bd7797b5950aa1424f8c9dcb135a028a6f1afc3d9e332f5297b88a6342ae3c30f3c9e787b5d9a8f6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
fcb927ac3a267f55e44fa68d23118e1e

SHA1
9a9b64882724754c308a7f4614984e2b5070a33b

SHA256
b44bf291409831ab1f7de276e00d8c2b5cc5258e798cc4a6c60da315b5f90880

SHA512
56c903692ae40a6958982a209128c83f3bcdb2488a2b6b3cbdf0dd02d618d36fce1f32c960277ed350a80e876c5c3d6bdd7173d911cbec3cf7e1c0b6c2861d20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
09d718eea744c5d1505cdc9e11b5baef

SHA1
1cbedee55da04c1ca19b2e93a341795311ab92ac

SHA256
c4eda21840b64ed22da793092f0a783d2639a8321261e99f06e64d98709ff289

SHA512
3da38eb53220cf3455b7eb91d0cdea9a9edc9e8899028d0d88fecbc5c445d34ed0d7900cb4be7bdeef5445bcfe89da2b427b37704100db7ae2aee092bcbf4475

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
af9f3d55cfc48b24f08c44acc917719e

SHA1
da617830ff7e5086a27c8a7ca494f0d478365b06

SHA256
31b0f1be3fcfac5c2c85c5b0c0e6f88d6240229165342fd2eb370d4d7a566674

SHA512
77e1ce7e7a79317f554e47e3c2945bd02880530f59ca5d9f3ec876dc208f73ebdf84b9c0a8bc8468f8c722e3220426d1fd2a58deb6d918cd8acab13abfd3d295

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5639e78283a5b821ad9ed9aa91f172d2

SHA1
e3c59de53047411a2327c412173991a2b39a4614

SHA256
650cf0ad3b0ac3010e2360b3e7c2388078a405a9b87ab0b8861356c8c0fc1e57

SHA512
9a655f0b9c15803ebd73145660e5ee216f45ed67eb98eff88e10d4de5283fbc5419944cfce59758a049c61636ec87bd91cd5a2f6d00d4cc1eaad56764ccff227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0deeb011ea3c6db3bfc69d31acfbd696

SHA1
e56eac976322be15382d5434be864b847b1e8bab

SHA256
967bd83078da1ec60e4f6f89799de567845c1b970d19bbc9195ff940bf7a44e8

SHA512
4bf6d2d92ecf76dfd879035e434286a584734a950bdbc2ab9e875e0b9a62c539ff34745f2ddd637054bbdabc6f0e0494d77139b7f1d36e0abadeef68fb557397

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9c555d796e0a492f59b34826df7a7117

SHA1
eeff42b3991de6be33079a1d7fb839385b1bd5d4

SHA256
1d4f40299782c83e4f7f0ed6b3ed9842af5b70d441acd727fd966ad7c966d5ff

SHA512
fb09db8696d6a9d4079a61fa1106ecc24cc47f1a44a7b82b41203d5c28a0525ccdd6ec11e409612464b9e1331b6395312ae772e18e631d6e79645acb21bc2999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
c1f081e42a28b66824702ddf7dd051d8

SHA1
aaf09c43abb7d25ca46ac16568d678c813c83f78

SHA256
dc9d5bec3502417bbc1fd247f05db03870fcc07c0c83af5ba6052823c795ff1e

SHA512
d2b0d39973e5823d45d58686187e5400b064943ef2078a0790bfacbda89fe88e5fd0d6bf47124b6fd5265d68fc568cc99c615efd65ef9bf1b3c45f27a8f70335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
626c3afd00c448d3841030315849b7c7

SHA1
ef81848135c294ab592d5affbc1c444e23883b96

SHA256
000a28b0ec11e87d88259e951ce9f7c72c211856194296ad427153ce4055e29f

SHA512
564f2dc0c1e65e8e25a7f7605a0f9e43b5027208fd9316630cdb5b90f1f581eaf5d3ec12d346817af3b54e5407a173abf2a988b01a1c3837a849f8144c68a1d2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
681de2839dcc4d40137930974bd20a0f

SHA1
a41e53d3ea5593b3f2478958501c1897102c12d0

SHA256
9abfa05d433b22b9218074f6a99465359e49bd2cac299aeb903cb02066ed348f

SHA512
1849b4f4b8f807673c80742f76826eb480c0b57eb46fb2de69950bfb1ee0b4bec9ef79c6bfc701ae02cb86cd336f7a898f2eb281aae9992ed2285b29491af20f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7fee5ba826bca63f4cded07f14abaf31

SHA1
3af1ba34d0c724bd7e0e733c172202d7297e7649

SHA256
22c046eaccce0bd849cc3268081beb922a36141e770eb21e6a6a2e55614ce4c2

SHA512
357ca9725229be07dceb11899cd76620c4fad5c6acfe6e3db7bfca2016edf3444dee5d2fc1d0d8b862ce220ba57ab046b55dd6d15913b387cbda1550411c3d8f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
13f83ae6bb606b5382097a1b53772112

SHA1
33afc33e4a46ce992f34271d7a5b6476b70a63ce

SHA256
e5808b4bbbc9fd41499b4fb58db102165d45ef63cc7c3993fe23d864cea11045

SHA512
35336286d94b102cc8ab056f17fe2a5099c02372cf3c1e9a4ba0833df65f11f17778227e6e142393e7dcf87b153a753d3dfd3b89ce97dbb6df1cd0fbd5c78437

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
87afd17c7fe675cf58ea2b7943ef6f90

SHA1
c3fe57af0b7db913aeb2cbafeb13ffdd874b87d6

SHA256
1fb2a101f4e3aa1ac152c68234df7f33a608958130dd28c93dad225a21818421

SHA512
5fd186aa6a1daad4020c05693b976aad7564c3192edbdfb03fb4f8c5a7231c7483813f832434dd280a77f34a2bf70737f9b6eed811dfea3367994932f3e33642

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
91031a88d4570bd45914f4bede4a6233

SHA1
b031515e1e01687bb2ab7753291beb4a0ffe0e0e

SHA256
c9dce5ea9c9c295a4b3617f740d0a0e715ccb488f6052f34a6db2987a1aad007

SHA512
158899e7b4fee58d5334f2515fe3328e667b63262a405a66368caa1f87c1a1b252ab623e179b4d21025dfa9615eca4af195f1de0b099f0158f163812c5aa6e35

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3e759445bf33369577e97f8b532ea4f9

SHA1
653636077970399be0c50a61738b140e73036d51

SHA256
75299255b727489b313d59fa0ff3550a12d1fbd1babd5aa3f78feefaf7eed605

SHA512
236ec95196c1c799a0f8e7a2addb5d18b8b38dbf35fc601f0964c17e6f053120060101c40154fe5cfbe6bb130652d38900adc32cb4e6057764599b0e08390274

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7bfce7bd933f778b75fb5f933a289adf

SHA1
81a306a23cc25d426a5177d184dc0b8401f143d2

SHA256
80ea5afde6152e8478805ae7a3c8b25c8a9c67a03889fb3213c81ec59630f0e0

SHA512
4fa15698035285e038902e0a853e576065de6c8c8aac186bd3fc679b20b8f5a91cbedb0f6d8d18a305d73099944a88b620d037dce22d7de8ac1cccb39e509cb8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
4c1f9e24ec62557b8c01cd2548ed7444

SHA1
b867f0ce39f3f15e847971240d070b7f8e697b20

SHA256
2e752ada5d78305d795c37fed84c39c105c690596066631e44b6f562ab847424

SHA512
9f626b63ecfca73e38ff765511a69283ce6cb110000a7573a67dd6a2c3a3b7f98fc3f37c38d4ddd98aafab146d54e11d736348527c9bcb11b2f4f4f9b3fa3706

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
dc5ac1308730918e3c3e30d44dc1cc29

SHA1
1a268b4698d4943cc3fb91a09cab2cd69a406207

SHA256
853bc6fa432498d19fb76eaef93e98aac23b8ad46bfc7cf1f17c013d3c52cebb

SHA512
c2ad4ca2444ec0fdd27b962790b562aa4158eb562e5621bd9cb7d2fccc007d2d49d5924272968a7951df157226596d0b9f9af808b418cdb3e988ff06bde60962

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1422ff7a8397afdd2432806136f6e7b8

SHA1
844865cc6b6c49a81c08aa615c96f57d92858afc

SHA256
40a0e3f176bef0478110b4d54c20b7bef7d0e218be5d8e0744692ee7d6d827ea

SHA512
e759433a6b31f00f996fd61798ff84247022dc1185188f196004cbc282ac3575868f9ab8b87a54d725947f578b3353d933f229285fa4d4e407a5eeb2743d7307

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d87c1152d92bde9209e66034a09c11dd

SHA1
b0a585b54cb1f82311c585f390a13be5842c76e1

SHA256
f337ce77595c8089739aa30a3bf0f6f797509a4df81eca6d8afad47d9298257b

SHA512
b2db2dfb83104c1c1b525d9c779ce9b38efd22a266c364172bda4cdcca5b3694a203e47ba2b1f4972b045fe9858b8002ab33b50291edca149caff32b9b0dc32a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5b286d7272e728c5c07437b268d86dc8

SHA1
28e737e81ba29158615ca76b321cbada95d32941

SHA256
6842e7179f6b32e068a513409edced09f208a82bab3b79fef9335022c29f6fe6

SHA512
84dda82d8048181510b315b545fe738a870e5a3ea87f8128276e90aa1558ff9a2fa8b3c86a833fa3962b5b378b29cbfaeb37551b54351ed67f2022823fd70003

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
780fee6d0216f49f37c2651918e16e6a

SHA1
87083100e77dcdcd3b1e03dce788f59dadf0c092

SHA256
eed94064c0a71c3ccd778591cd1fe940c2c3b2eb4a6d9a51774dae3fae073282

SHA512
c5055bc07e07683ca5faa814b4a3b1c2832a39597f0761ecd4520156c3a3fce21fdec4953912fffa3295b5da787c496fe95f916d8a324fa734ab783b0a1673c0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
68fde5a70c9b655151c145f073860453

SHA1
e600318a9350ca92a7a872d6ed0a7867bca91042

SHA256
0d85a5080f9ee13aef17f6fca56b28e00e510a6d13bc3ad4f7befaa6a42be310

SHA512
458f4b34dfa40ae011d64a37f914dae6c648488b11cf97b4cf467da287f6faca9ee7371b9c2b65012e0b9e224c299ee323cac481c718dc1e2123691819baa68e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
443b49ffa2a688e03147173608cee972

SHA1
e311bbfbb62f51d3af7bfeae20088330a6b070ba

SHA256
9de0d40e55b98a98406e839bfdaad2324ec2ac72559049acb100a8a517abc2bf

SHA512
f684870d6f2b3e476355a029bd3e2a081423c1b4f4d8385afdf573085888dbc2f92881215c4edfeb3a4c1e7b5e790403f8f8526a1c7a657374c82a2ef5eca7e0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
fae01a69400827fcb0683107532e4124

SHA1
328567eb55bd59179bb2a873cab1112e4f76702c

SHA256
a2758d2195e42d2cf8cd349b866e5794d9857a882e2edc716ade6340ca8ba669

SHA512
a142eaa38e721dc366762308b5fd9819d905cb0af471c5c3707e7dfa2fe71bf538c32604786fc774101985020c55bf7674a68b9230b6fb24f6421591384d6992

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f678d2953d37e541d007968c55d84a8f

SHA1
abadffbfac6ba544e2da1e9d605231cc78c5c4d2

SHA256
ff3d64051836e7d5ff5bfb228dc0e2c7925d50e2f46fa113f6c603f38fa73ec2

SHA512
670b3c47fc1b05df10dc5bba12a8e4ac04916f394e54244cec194e3b464fc01002439031c3b4b38df0ff568a196fdf63a2a4747d73acc52271094a5a9e79c0c8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef0e96a93b8f0855113f5e8848ae38b6

SHA1
859f933dcc78a6c5a99d5268f94d2722f6f59fd4

SHA256
97fa2195f6afab89ec640f37c8e7f90db30c0a7538b8aef23e064576ad1f3830

SHA512
07108891d195894ff64969eaf663097f03ba421fe17f4f428d476cb9b9a3a0e5028bd4d6fe0e2027b57b4602957110446b14b46e48bf1614c3956a6f907df5fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3ebdb09185989f5e21c048384a4d828b

SHA1
97e9847cd031b22698cd613793bd683cd02b63a5

SHA256
74df28f43f66a6d5d0e2286e5cad119a35446759244b83ae671dedb44f7796bb

SHA512
26b04fbfcfc28e36b709bd34d90b399df92ef5017a630fa94cb24e6f8748b9c1ecd491f644395cdbca22901626e43b8e1e726421d265e85fb3ac7472c1130a07

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
05d8feea65a8b0a733a32cb2dbbc06f8

SHA1
31f504a06cd73b34ca071c16c21285461c9722c1

SHA256
ac57a480b8e1984a5fd24172878384d66447555f68698ae072c6c223af5c146f

SHA512
c50ff2639882aa665eb7fd9f3c87862790bcdb59ebb13004c05af8907335ff9312a2cc5cf95bf31fe3c42b61a2d6ce7d7838eaa8a26d385c33b15d03fe51a56d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8d143bc335b421bc8f9db7dc2f2dce4c

SHA1
4e55a0fa8f15efa184fc35e8e8c009f31252002a

SHA256
c2a6314ac8ab8b42d67c1856151d90f5e2fae9929f0cecbbc76d309288f050d4

SHA512
13e81bebab3ecba4981f198e4c80d189c2575d89d34fe8b484ddad3e9e10e5f6587c731254757644adde9fc4e04292abc65e4a54183f9e08ebfea8d018a42e51

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
e276738cbf26da09ae3063314f32ead6

SHA1
a69a25e52305b690fe41fefabb7fed354fce9911

SHA256
897a8ff1cc92ff458c3ab4f2c57ca53ad2b585c3b93216c4c7a08f39edffa6ce

SHA512
1f715683c098cfb5deb4276a5dec46bde8cdfb7ca95c9f414164db891d40bdf10841c099dfaaa8a79aecdbcc791bf3620ce9ff036da3189f9455080dd79b0076

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bfaa9a64c2063ce8b6013f90a3d0bee8

SHA1
b4fed164d514c7f9c68bc735d28eddf4f30e3a91

SHA256
b102e1a74cee18288288fc1c16375c983c7d0b4f0511829a54de78cd5d2f5611

SHA512
13b2eea41b9c8b1677bb3fcaef7cb025ca2ad74638e23c8ff7908187c727400cc8cf5bd6fdb9475f647d3471218450b127d8a9a5640eeb96b3259a33afcbd093

Download Submit
memory/1112-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1112-574-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1172-581-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1172-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1220-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1220-576-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1328-198-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1328-575-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1368-224-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1368-113-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1592-35-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1592-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1592-123-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1592-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1688-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1688-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1688-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1688-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2244-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2244-139-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2604-580-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2604-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2744-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2804-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2804-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2804-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2804-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3164-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3432-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3432-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3964-84-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3964-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3964-74-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3964-80-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3964-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4136-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4136-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4136-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4136-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4300-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4384-512-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4384-162-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4404-577-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4436-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4436-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4464-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4768-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4768-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4768-209-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4944-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4944-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4944-116-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4944-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4996-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4996-89-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4996-339-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4996-8-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4996-1-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download