e7d0694f0d9abc6f7e066ad37eebbd58751f73abbe200881050b22d2e43937ce

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
Size

1.4MB
MD5

a921d9f1c615e317301ee2bcc27a46d0
SHA1

32940f7161033509c208ef7aaecb09c82b412a1d
SHA256

e7d0694f0d9abc6f7e066ad37eebbd58751f73abbe200881050b22d2e43937ce
SHA512

258c02dfda76d9e8b0ce0dff837b02479cac9efd1a41d379ad2b07c5a9cd0f98af0842542d0fa503c20c65dfbb85abb48f48f334b166601f79f74905ba20fb2b
SSDEEP

12288:oqz2DWUWCW1MqPdHr96NpYTixKFbyVONup5xIf6nv1Lq:Jz2DWjlpPdHr9JTixKFy06IfWB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4900	alg.exe
2988	DiagnosticsHub.StandardCollector.Service.exe
1848	fxssvc.exe
2344	elevation_service.exe
2484	elevation_service.exe
5036	maintenanceservice.exe
1528	msdtc.exe
3180	OSE.EXE
4700	PerceptionSimulationService.exe
804	perfhost.exe
4756	locator.exe
3252	SensorDataService.exe
4156	snmptrap.exe
3388	spectrum.exe
3552	ssh-agent.exe
4456	TieringEngineService.exe
4716	AgentService.exe
2552	vds.exe
2932	vssvc.exe
2360	wbengine.exe
1104	WmiApSrv.exe
1824	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3dbf521dc3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a54d9404a6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000270c6f03a6a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e08b7004a6a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026c48a04a6a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c793e04a6a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aee64803a6a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2988	DiagnosticsHub.StandardCollector.Service.exe
2988	DiagnosticsHub.StandardCollector.Service.exe
2988	DiagnosticsHub.StandardCollector.Service.exe
2988	DiagnosticsHub.StandardCollector.Service.exe
2988	DiagnosticsHub.StandardCollector.Service.exe
2988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1844	a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeRestorePrivilege	4456	TieringEngineService.exe
Token: SeManageVolumePrivilege	4456	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4716	AgentService.exe
Token: SeBackupPrivilege	2932	vssvc.exe
Token: SeRestorePrivilege	2932	vssvc.exe
Token: SeAuditPrivilege	2932	vssvc.exe
Token: SeBackupPrivilege	2360	wbengine.exe
Token: SeRestorePrivilege	2360	wbengine.exe
Token: SeSecurityPrivilege	2360	wbengine.exe
Token: 33	1824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1824	SearchIndexer.exe
Token: SeDebugPrivilege	4900	alg.exe
Token: SeDebugPrivilege	4900	alg.exe
Token: SeDebugPrivilege	4900	alg.exe
Token: SeDebugPrivilege	2988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 460	1824	SearchIndexer.exe	108
PID 1824 wrote to memory of 460	1824	SearchIndexer.exe	108
PID 1824 wrote to memory of 4716	1824	SearchIndexer.exe	109
PID 1824 wrote to memory of 4716	1824	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\a921d9f1c615e317301ee2bcc27a46d0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3388

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
551d7648d36d829c065ae29705ae3194

SHA1
48a9072eacd6f7b204930dc23920b64b0b5f05ae

SHA256
df0a62596a54f7e77fce828e19d60d1648c5cd4d16556e844aa326ce62b0963a

SHA512
2fc01ddcef791718e1fcdb8efcd286231e8c5e800fdbbfe620ce4048d4817e1ccd4fcd1977e0bf4b8b5c20d51b7070672ed1763399172d0dbfc3a444a6ce5612

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
bf931000405f47269facf2680cc89cd0

SHA1
8a218a90632f80f96d6456d58bc2c1bd27bad386

SHA256
7cbd6a989da24faa0817c89d40ca24376395d14374a449620cbf400f3f45dba4

SHA512
c74155571a7817d08101b774acea350abffeebbf7522b51b31e2327e443bcbcec40451b86bcbac39d6fa27df04af529c39852dfa3d2cecdc576d406e0bb7b1dc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
3facb93f1b8b221e22ec7998c531f018

SHA1
79aa35258e55ead8983333dd8d741d91da448ff6

SHA256
8ce485f302b25126561b7e80bc6bdcb1f4cd03d27865e013d6ef0410d37d73ab

SHA512
282c6c815d94e4da9359e95b3eb170ef6695808706808aef850cd06d12e4ce7173d3a7ee72a62d97e3d2ecce3ec9f35b6d42beeeeac9be47d76426306b179fb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d5f53f605da99f55149b4e44f1f723d5

SHA1
3d42082ec24e0ad935419ba4bc1743d87d4f7850

SHA256
4bb45a802e2a46d5b224056ffa654e56b36c615be118f012bc7ac0ac8f8ac4c3

SHA512
cc1a75715a8f871765bfa35eedac468956e60ee9af9f6fc0ed4a73139034afa12471b1d5a1695b3c14db6fe53de1487c4fa186815f92f9a580dab46d348d0a22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dd36e445cccd9ff1031a800cfab28c6b

SHA1
c3e5257a5a65fd20c51e338ad9c92d077b26307d

SHA256
93eea382817957256926e7667921770c54386e3d710c08c393d9f2c004920d03

SHA512
6d283e544375d45fead99461b82e8aa8229b8f47ae626e01730d596bf9036f66fe0be5a35a24a1bcedc26a7965470077c04c88ea665f45c972e5b4b14f6ce550

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
3d8a13073399fc0f35dbca59084bc251

SHA1
bfdae419eef56674c2e74db4dc07bca3e43e929a

SHA256
929db3f06d056d2245ca96b44cc2a086201e986923d862e06232f3147e9a9611

SHA512
d166eced65d8422ac16ddba69e5a76b0a50cc9df6c13a8dc19a087da9a01faffd132fa650d2e6efbecd8d3b0ab2f7d52da5d762fcc5bad36d00788dd93ef858f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
1c0c2f7f86b929b94cdec753c98b8e23

SHA1
dc74f4b6fd5fd728231410ec89a402c902027a99

SHA256
be2b86ada35268c76fee8704bda30de9cdf45d0e575c84201fda76099964215b

SHA512
2698785d0fdb72027cece1902cf45824551e3a026eeb8dec4f89dbdafde069804b7da2ae303c7a532316a9405d98d840f9608f3c5490a3b0d36d1f93faa8ed50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
64edae23dbc462cb315732cdbdc04b5d

SHA1
15c220dae39e93bb573401ad1fdae54ca758b828

SHA256
02a0a40f674cf1ad655036f3864377302c661f0a50d37c2199144c24ca13f110

SHA512
4a1d8cc2b501f614d48701d4d8b4dede0b0c14bb5d928945c1403299526c778bff94466faf3f2e276946e0b1d1b8197a4ba1bf24a43cb605f11e3059e54f02a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
36a5078a0e9bd9bf694e56c3fff48add

SHA1
e1553c21a3f4c9aaba8dea2634c5b8cf00bf4667

SHA256
3c344f5cfcd7d94c3ca2a78e15bf7da03df8057d4d4618420bb1cd310b4b7045

SHA512
40c98b2e6ee10965c1732ad5f023523f71cad983caff1d67aacbab905894d0f318a94b6b5384307f73c697585c9301414f50875dae74138b660a96bafe7f7d5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dfac81746939bfb2bd2b04e0c33fa9f9

SHA1
f1e93d0172c7156625c51db399e6b8940fd35314

SHA256
22cf8b00c3cf66efdd74398f92d3f5af80bb85673050a54b642a4e34d8665ad8

SHA512
6f31501415af031a98c8d712fc9bb4c0d181d3c995c1cdc57282985507f4021a7ed54a07c3bc1a6738682b0410ba0ee31d7aba900afbdabb15e03f3ade4fec61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a0224daeff109e121c844a018adee324

SHA1
308d3becec96b21f7d76c22a18ae68a39042eb28

SHA256
e52220d9dd77a0a4a94343d4c93c9c80b2daa6b19e60981f73c28d0dc2903923

SHA512
b4cf6de7ebf45c43d9e49c2f17521b659601db4821fbdfb976ddded028b906a143b2a0ec8504e1a876e5f4f5df0353f6d28541987d9bad4a07026cce10a7a3ba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
889f96ca09326a1202479fa9fc8d8aa0

SHA1
fb8e7672a327c3ed62a0efff387cd5f45376cc02

SHA256
3f6c082c5734dd73c79abdefb766b76f9f7ff6be2c94c9ce6d587361950abf7b

SHA512
cc39ff4d606c5bc167b55eef0d440c8da03fe69d8c808a4e4d641f82e745f444df7f7c0ba561f4a34e78313dae86186016cda6b6fec8c5770018c6ddb2a90087

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
29aa28af553189d635a9af1d403188be

SHA1
14af16598041f010603bc5fde5a5ed16db93c8a9

SHA256
1d25c5e28613e646ec357c235c14c68f7ca9c156b60bbc32b763d838f4d0b890

SHA512
e28dba93ae42ca8c707c3c757dfcb29afe6e01fa3b87693875f29a5fc952c07c008b473b3914c073aa9396bc36c81cbbd42c78086e863aa4154ae19100a58fa5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
74e984d7d7100629c5adf6b8f8358207

SHA1
8142cb076862676e0075047ab38b1d452a8e743a

SHA256
8f45e04931eab926b759ec0c361e23793fc3be3dc9be92646be6a99d19e35493

SHA512
f18f9d8c85c690e94442a521c2f8cc589c9c19977bd1c38b90a80d547ef7df004064e0021fbc994b6231af8dec190d769649669b3143514f492fbe19ec113433

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6fbbb2e3dc53679281958030bc282aa6

SHA1
8adaecec003c3937bf37a68628d5275d1c9af941

SHA256
2c7d345cfb25e148da237bd511243f78f2b7e734e517755cd09fc207f21cdf24

SHA512
fa06f9cc869429a56fab191f846d40eb2fe1f3fb0a671b6ce0510f8bc8805bf368864eef26fe4dfdfdaf3f6129b2613a8cad580f5f168600ce438aea70b59b47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
377b303ff759aef62d4b139bb9e461b7

SHA1
aa26fc1513605d1d8b227a70aa645e5199f82c3f

SHA256
e6856e9d9e47da4541c115120e0d9fdf68ee08934c684892defc4ed639180c48

SHA512
511abfbf2a24f4579315ec8533d9e5b146d1c23754b2009111e2dcbb6c364d3cf5576265a9426ffc4159df95c776a8e6c4b2143709777683571cb630957fb084

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
45bf933039bd2b5c3abf63cdabf5307d

SHA1
4a71d1c31c6aed7fedaa21ecaca411e3ceb6ec77

SHA256
7d1c2ccf63fe4b5e4fef5f006380127d3dd014d81dbb27b48b6a84568b76947b

SHA512
b1d454848ba3b0daf3e08642d59cf85ef8687e67859d4357ef56ad57551bdeedde449f3f7170ed50e34440a19e84f24113156e587cf1b279c378ad653b3d7735

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
38fc01263623f681aa90f23d186a4073

SHA1
6e470dbaa4bfe99196607a69a0dbc873c4b063e8

SHA256
0fada0b38336de229428b56e3a3a0c1767d0590d38fe70e755d5949a35e99c27

SHA512
d6a6ca87e14ecba0c4ddb52a7b0186a6a14e8e601db3dcfe7fd2178120665240d2338455d39089ca24a59540af0de1d812f97c090e32f369bd6d5812421b2518

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bab427abfd4f56ce036af693c4749c7d

SHA1
fa52b6b2760543978bccfe092d9fb526a26c045d

SHA256
d8971bc7931033cd2a2aa64e60196536f6dc93a994f29bdbfb49f2e43ff8bf13

SHA512
67e2713c86f132ea258ad17d799a18f7be6e00e6538715d90e3803bcddbf47d742aec5d80cd6e1329600e6263d83d7e2e908cc07e0acfe72160bbf7d0d963782

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7dc8b7c37101e3068555e76056e6f349

SHA1
7370600a961a21c4e1d88582ecdd85c7ba845753

SHA256
1ef2415629bf41e0aab7bcd3d9b2e89857e4fa61bc67f8726e28d966f9f3d1b7

SHA512
8252ce40087c797ecccb51d7f723197755e886059116f0a13667afac9447cf6ca02f8544d67016ec674191e670742f23c448aa1611f96d0d377b0be66986f828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
5efa9377a1fae4aa55c25b7fba62ed6b

SHA1
9a19ff68e36b63e6de770bb71d915f73ec28a852

SHA256
2ee36d0162a19030255b74a830e606a3c741bd90828891a02966e908e5fac7ec

SHA512
687a29a33a4f56054835181d5edfaf3b3ceaf5fd80c93b82795f45d8be6bfea5b9b6e22d67b9affe9f71480462e7fbcd6a20902436c624f8b51385a678c1cad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
286092f1afc1ff07fd9d7c6fa0752686

SHA1
0a3ee45ab31fc59a841fed9c398a5861e7dcae36

SHA256
c22b10df1d5bd12892bd96a132e0f715f510d63ce440fc0334624648f38d7eac

SHA512
bfef8150ed898b001f3b427d39540ce41955d867c23ade042afedb4193a721aedc2afcae455beeedc93c4ea45c7ee1305597757aeab94845fb3b3b699f9f7d8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
969d6393dba8892d85bcef5df6364b5b

SHA1
196a65d669d7ed5f8a28dbb269002e819036d89c

SHA256
5e49424e64458af5342c236eda85bdab01c88a3777576859093da15dde27b8df

SHA512
8dc3a9a319dae8f0bab07ae8c9c15556c5856338bfbdb15f3588d39d3146f068350783a81dbf44c77caaec559ff89bfa617a3d57e23da51f193cbb2ed504d9f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
5dd25002c822d47bb636cb4181f0469a

SHA1
bfa8bbc8d2710e092a0b7ad66b9ff9cd14925a2f

SHA256
b4be8b4cd373e743ba5f9f762170feba0c697f2842e82b1232a595adf3e92133

SHA512
f87ab855dae0ca10cd0bdca2383789d70a6a3819581e42f457f78ac9dec10d55efd18ac6960b2d54e800e8bce6243a2459a5dec79612c94cf976fd1bc4fb1f36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
4450d24dd8d4ae244d713259358768b3

SHA1
4f7c5840cf4151ae93075f46a99c4f3c9aba724a

SHA256
77df75a409b9ce10028a41abf50e7e9b90f5d4cb0e880208ca0fabc357534036

SHA512
d743871278bb66c74b62a80f3ea5b727e86540f0402268400c28b4e7a7ef07ee247a8277f8d2077601b1991d3d3fbd5f9650391aefb6543bfb2eea84a1969e03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
d815944778003f0e63905be4efd98d4b

SHA1
733e992f8c78890833a2578643d0ad1a22ea2153

SHA256
d006d70a24d22fbe5f39bed8fa4d33e096363973a4268fa9763b88dfadc61e14

SHA512
b391894cab0ff60bd91c471081f03badd6623ef1c7b031a01fda94d6b77e29356f5564282792ea26b4c15281d9082df5054d554bf2213314ddde9751d78ffd6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
76955f279781344592736978278c3bcc

SHA1
86eb713553ad76384ef25a02fd01e6d4ebb438fe

SHA256
31bd0aaba58312fe9258a1a90a980933f8d32e192e7c919b066cb28c9c67476b

SHA512
d8f1d697e312d8186f448800685194ebf7b4564682b3f8a6693a3e71d506832594f1542e5725ebb9a5759a07811e17144a1bba888d20d5b38b0bbc8711074cd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
4cc63bd3ff4fa0e2c4bb95dc1ade0f85

SHA1
f8315554c4d576c477b2635ee9bd033736cc4d8f

SHA256
5f9ae5133d997310d25b0d3df57c9257bc2d66b007c1a998df06442cf77161da

SHA512
0639f128f67e34f4f91ccc05cc9e7b35ea7a10a785336361d6fcd002ef12eba2c7e5342f84f9654741b96f61153c56dd6ebc00ea4cdc52e14897cf87f27e2dc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
1d9a470a4dea8da43bd81cdd385fd827

SHA1
7457888dcff53b91efb6bbef4441865f688a2927

SHA256
273373a53bf97689b4c0936fe7239a59883089f2ce58b14c86c90a58cb2150d2

SHA512
578cdd635352524fb6e3625c288c25be95e13e2b2a698a508e153803942ee019afbf9b26093818c72eee117e7d5537d0e94299477863e88c62967f801c4b2d68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
79c8a3940d4ee041b8c769d3c349a5c3

SHA1
2ffac4263ebe9674b88144dd48756d4c02ac97c5

SHA256
2a67f314360e79e5f667bf8962d8e453cddf8b4c7425d6c31cdb1fc9fa8fee26

SHA512
17f715becc119ffa8c1e84af82af571f48fa0ac62ab1329692dabbb595ac4a5565e74565c34be09d299ba9984041d8d8a07d6f78ffb0a6de847be667a9301251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
b846b035c4fd94991ae21c16d16df15d

SHA1
e80c10900dee82df788f2e4920fd48ae19d52fd3

SHA256
f6c9b2b6028c3b660c6a738869628fc93a6a69c05bdb4ca370d58c3b9573068b

SHA512
460e85276d5f0d3826a52ae093e2fefbedd64e9411c713bb7de0ea9579695a7a5581d0582d35481f8926b820f679efd0e43b9c4cd191a881328eaab47d044161

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
1299645a32d70276f7e15fe59ab683a9

SHA1
329f1f026f7c4640512387a5e6580c5a249823f9

SHA256
7fcb81aa03d51123a0b9985b4d4a11c7cedd21c9dcb4f7e20248bdeb949f747f

SHA512
ada1e7504626c2902b10ccc227fe896ce6d69aa6482435f8d2e7c6cdee421dde70c8ed0b381121196ed4b050a44e4e5761f7ac56e3a8e0d495a326579d304f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
83c7bb5b4d22cbfeee1eff38b868556f

SHA1
72ed448a623bae14ce1fa6893241fc225db88481

SHA256
1bc3e7458656d6abd4df27513445bc00fc4c68c12b5a172df58d30a89865c1ee

SHA512
1b9501bd8ae92b2d2a56d4a1219ce01e6d7dee2f20dbea87ff62401e9e9117f0f7fe9089283f00dcf61cce0674ad635be4702997f7db84d949ec66d9e311012f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
53238bb62c15289a90f30f4fbdac588a

SHA1
5e11deb6dc639684395cc7b9e5ecfd8eb9af3923

SHA256
665b055d8f603e2abdd9ff88e67efb3eae4e8c794e752d386dd1d1fe51dba717

SHA512
7554156576b5ef96bafc8046266bfe7cfac9bada934a56804537edac3bd944e3bf07e1fea5198aa089dcdf86b090f7a50864694bf6f73a848d41b4cac09f2caa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
0464f3d3cfa9e74a7227c09e811c600a

SHA1
f5a8fe2ae8acdf46a7fa93627f7577fdaac7dd48

SHA256
bb80231164f996f180bdf5c69616c7fbf27d65515c6fc4b6d0d76cc52ffe8902

SHA512
b833d520c1dd80ca603b2d003ff2eebc878c910a507b6ad48019cf9a190b887b7077a1f65a5854d010512f0efb91afde46533e1a1b0583c22b332c6e9edcc0d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
732903128125e0a03d7a924145affa86

SHA1
092c104bfd6914b0eac0e26aba1bbcca0fd632ea

SHA256
03f59075b2806686f98930221b2ed4ed8c91dfaff0b011d8abb14c6f3f4d1faa

SHA512
02a23246a7aca5208dcc371f40cb2f3bee21813f8683cd73c0ac61395386450516f1a6d1382ea7879c1b31267e051ce716ef43137f0a04a1eb3fb9cc173d9fb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
597302f9518ed9639c6bef983f6400cf

SHA1
e1d86bff6a758700a5f16b58958f02f068d13b3c

SHA256
2b62244eaa17ead2640c1454db81cd3935bb17d84459568b92616652f1a1b41c

SHA512
44cafcb3100b529a670a741641f74bbc9ba1744471bea1b10cc6c97f3621907a985df49a8c07fe3439a1b1c1bce53c3608bcb4c06c695fab88b5af231f13a021

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f6a91f5ef402606c729312ae912dbf80

SHA1
4709d24a3a8b5a44ab03a12c67ef3c20a905c221

SHA256
378919613e6ec63dd54d068e64d0af2834cbcc1392d551642a0b350a0dfb5b30

SHA512
08383edd3d13d0437605896bb101ffb3e8f676282ef27106e87d960db5cfaeff86edeca1b9943221bc5aac18661a9c95ae91c51723362efeb871b7c3118428fa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
577405737bcdc26911bb90b1fb52b4e3

SHA1
3a4f1120e66cd592ab78356577e2af5082874ddd

SHA256
b465c25ae4ca0b69eba1f7cae2fd1ca13d806d26ec688ea2e748acc2a7a3f048

SHA512
682fa531d8c50e9fbfb8c49b1330c971df7d62ef4dc4e86ca30e75495e8af8464a98d3e230a774df77c9eead16fa93858cb6694b3cd71356c45d030bcb4384ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
25aa90b91f2eceb8558b071a84a90780

SHA1
dc4811bc45a2a9600b00f3650eb6720cc55e0a6a

SHA256
5e7f32d947f301dea69f5f8920ec3ae49d003ef1c1bb8e1e18e00cdf0e14da5a

SHA512
b2419a30877fc72d7cfa4338350d52f56b63dcaa8978c845768b2f0b862d09ea503f4c52046f07080db1efe4086760cb6b0eb6373f66a0f3fecdeb0e664dd723

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
158895374cfda603d48818f1a7be2557

SHA1
8025587c1bd58fdc41fc17a5850e2023762af022

SHA256
769ce88365f348ad8d28b0198de2aab2a103ab12e9c18208ab270b0bc26b401c

SHA512
981b1e34ad44667ff8a3563a1ada6c7e2f4e9a594a761a9ff56b58f977222e2e85ac292af70a297fc855d9b540e6ae5a0e6bd685f249d320a5275a39a444b73c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
b0aa438c50265a787f3934fb74b2eb86

SHA1
4feb4799efb88ca65b19654edad86a132d576f78

SHA256
fbdee2de8cad4a6be296d70b0114459c4aeec5ed812738478644acc0c5dc754d

SHA512
a58176c81ce83655bee7734ef349d665afe54986131a40b0e3b858505ead3bb677b15571674449e9be639df4db64e53e2ccc532568b968b52a2153cb02f888a2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
077a9cecb4632fcabb073fa80c85c1fd

SHA1
78dda0b68238a7c539e9e204baefd56fdabffcf3

SHA256
5653f8147268ca20a51f93c976a199431b9e9cdca2ad521413508f181af9a330

SHA512
0124009c8644b4bbdca1f88d96103400e5ee4bba3ca5327832b337a40a14e14ebe5b6e8c5d03053ba6903b9c32e3fe1a8274fe909170a9441a9289db9fc35bd3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
6c83fe0a89b2374f6aa8642759060d84

SHA1
53ec8df72fe5bc1c8eec719795d06bb51ad4fc71

SHA256
bf525fe5366913fe15e1a291027c36e7aac1cf00ca29001e7a905d64d458b4b5

SHA512
bd12b2dddcda6c09938bd3c8129bedf1b6d59f03e239e1fc5a773ab27d0fd0efacab3b4bf54a9b8e81ee5b2d2da8edb400d10dd6fb440d7d9d55a5b813097d0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
697445e839a80b37d2687653d44755db

SHA1
fd8829c861b9aff150100cb586bf0da1b1cd4df0

SHA256
2e36113a5be4bfc7ed591a940f1e842f2a9ead9ea5f3b728dae7de27de799371

SHA512
7ce425eec7d36c8298bdd63157414a03cf63fe5f5ada4a4bdf1cd55406263290c22dbf614bd833a57bb333ac70bde396d935d2e56ee67c449262a560a2f76fda

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
886dbdab96262e572ca34724b5fc7d5d

SHA1
1c8993bd5212d71ab2e2e76a2e0f8501ce0f0a96

SHA256
b1a5c412c0b0fa23b6a9efa876058b80b2e90c54489ea3909b0139042c08b38b

SHA512
c91aace318e01e0d5d8806c6d1214db9ba28ae31df114173e168c629fde406b2b901145d4570c215d468eb78ec74eb60149c772ce5bb1fd69f97f9c068d02978

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a053c13c11fd36a3bba5f6a491d74356

SHA1
fb645597681485a7ecf447d57ae4e5f745e78bf8

SHA256
da39d76d44b5962167e446b7ce59ebf8b852e02320d1c5ea85271ed8dda1830d

SHA512
b35248c9cb11a52be33cd39e1af784ea79b2be4ed3e208ad19ab53512aed8aa6bcd55c28dc1e263570e5aa979dd247f51575ff6524f78b520b85584709a04ada

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01e30161dc878474e9a6275b0443727d

SHA1
c06bbb986e3fff95d2db55b4221dda601360c18f

SHA256
a869768ae4629c6e9f288981a2b739caca0f40213228b11a4858a35aa93b305c

SHA512
c5223fd214247478c31dec43a90de281d8540b6633c4d2e67ea00416bbb6e8d576705d40f0b78b2d27e92c2d995bfee2ac3382204e42fba474852c89d90bb8be

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
04697c3e36583bb7018bc8a4ba7531b7

SHA1
d15bd329681caf11597dfe334ecaade96cecb6a2

SHA256
eeefab0284da5c43d03e7c88eb14f2da6acb8179883f42e54d2f5265fa586251

SHA512
7fe21a776e8f8191b5821a70d053699d12c161cce382c7f943392098fa2f603a9f25d5c594c21af26073441f8ed53a63ee453404b4922ca1af4afb0394165109

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
5a8fc4c90b5b2ec828c5ae6dea7528aa

SHA1
af0fa31f7b0c70d49d22590c96fc75d856604097

SHA256
54d87daa447faa0d62c55371c4a2ae2fd4cac6d4be9dd036c4116f2755b92fec

SHA512
319dc077880773d0acce53a3d7d719cfa87c0d2adb7af0cb882c6c43749c33291fb39e123600f55c494c370d8296bca087380a05a4e2d5db88ea0c43aeaafdea

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a9f04ad58040ef6de6ed16f3b831fe1b

SHA1
8bdb73b309515d5b1491a25268ad58d33b86d903

SHA256
a800372d9fb5a2c61bbf3549ea43357b834f3d28fe1b0300a7efe6aee522eb7c

SHA512
014b53b3a7f4d61947169de2a6e0e3b5033ec0a46b4f298c2ed31c8d008897374219a1d3424f61a35d9b698f0777f5568fe968dfe5b3cfabbb3e37f2839daad0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
a3310f26b404eedbd7f5f7eeda3c0373

SHA1
3aecb331f60ed9fd84bb6ad8856ea79d96d491b6

SHA256
a854c22bdd54f354baae6623864a64d4eaefa1f34c58f7255f69f832085163d4

SHA512
577689774a1aba6262223fa7b44e1c8bf25652c50123a6821b830c25876f47b7368bad03ca8a0988a31b5801bcf4e07f10ea7c892ae64bc7246fea98900c2143

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3a4b1e541b678bdeb4dee3ad15d5535b

SHA1
05132af39fda8c425491cbc1b3966e5ae66cd1c7

SHA256
2f50bf3de097c5a9c859278a897311163dab20c87fb6bb5f2b7eee7a6a23cb74

SHA512
d2d12d9a41a0f251a44ec8a626828b52bc66d1dbed89701c73104d23015149933158daa1b30715d11c6bbe1bf1df70f4fdeb7e300968f5cf4ff6ee3b7c45c9d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
70be7a747ee7a300f5f77b326b41a46f

SHA1
8f375bfc91266d63e0d1002ebc22a0f1bdfc4502

SHA256
5d556539edb74cee8ea812506094c7b2141779782bbdf61c8994d1ab7eb03a42

SHA512
83ce44eef0829b3930f62588f71155b55a29ef2e2cb4677173ac03220c5bbc42b55b86d12936ae7cd78fbdcfa05fcafa0168b1e5a3920468020933a73dd8229c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
07651b6e4d3e8095eecc486cc7d0af4f

SHA1
61161d9e05f82dc435e7c98fc98194fe17b52f1f

SHA256
d120359dbc9e57e1f3b4197490ce45e5661b1d981a6cecdf887d02349876a341

SHA512
eab086691ac3f929184c863f8cada176e90de997d027f16447d99d5bbebfd7278ea985ed8ee8707fa610f51b9e1c01367c45562db63806076e7ec088419dc1dd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
2e74daafad13adf7c3265fc64d014390

SHA1
5796c6d24d01e8c953194e56ecc8fd8308b078d3

SHA256
3a9be0dbd6a63291f4fe0b0515f22312e3c7f290059ae5d3678258ba91a8b384

SHA512
9ed0553351e6004eea1ca594c07b9cee91e943f9d343a1a732094d36eeff6c7a1df583512ab656c1b8cbcddf5b6adfd3dd6140d1e22175d54eb64ac3d098189c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4e63a75654dd0a5409eb10f14688f8f3

SHA1
f904b9f5cbcb49d7d3dfc500e192258abd29335c

SHA256
855409a25f8239f3f1e617e2c67145bb9eee5e964945e49d053a1769a53b427c

SHA512
af56fa2bd6dbe227a4250016ea26f05bad81ecbbd341e5de896d4bd2cc400acdc40bbd99101d1a899c051fe303e8405f85e9ea4a371c4630bb13567b48852b7a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c465bbe529999694bc4a5ed979f3c626

SHA1
c5a4028f56250b7c8299af8519f88039d56e5dc1

SHA256
586addc8ccab329e99fd24fad41d7fb3fb0e397c80d56381eb86e8ff33cb71c1

SHA512
0946f492ccf1ab62daed8d56baff94d3f042c8f3793342dae6e3c070cb90133bc9f2d22ffc5c688a5105c9a11688bf364ff27638915687a684746a1e534c3811

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
508e40a4abd42608a64e1bef9b634ac5

SHA1
64b43ed611c35698022de42697575f630dcdde61

SHA256
adbfcf1680c27cf7df707c91231aa38a34cfd832424e1cfec7fe7ac48e3e170c

SHA512
7b25f0f13a0db11e1523abee4d17315dd673486d2e1c8223f97b4ddaf19feb99210c921b89416aa8a6e1d041e3c5077d1d95d99dab31a112b4976dd89d3842a1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
10f053a1ff7f6b2764fed3ce604625ea

SHA1
53eaef3c7c323987e3a55773b1599df05ab907dd

SHA256
ebbed8a65404db5ddd5ba170a6312613fe005a88ccca5f9f31021ae3ce56169b

SHA512
d6857a290132be2d155efebacd82658d860be69959230285d4d0409d7db87b04ad6aca6a92caefa62771692d8fbcde65237e59668baa4ac926b902170ce67e59

Download Submit
memory/804-130-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/804-248-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1104-567-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/1104-261-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/1528-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1528-101-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1824-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1824-568-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1844-408-0x0000000010000000-0x0000000010224000-memory.dmp

Filesize
2.1MB

Download
memory/1844-8-0x0000000010000000-0x0000000010224000-memory.dmp

Filesize
2.1MB

Download
memory/1844-9-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1844-0-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1844-73-0x0000000010000000-0x0000000010224000-memory.dmp

Filesize
2.1MB

Download
memory/1844-407-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1848-53-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1848-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-38-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1848-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-44-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2344-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2344-60-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2344-54-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2344-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2360-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2360-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2484-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2552-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2932-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2932-563-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2988-27-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2988-34-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2988-129-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2988-28-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3180-115-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3180-224-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3252-532-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3388-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3388-556-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3552-560-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/3552-188-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/4156-169-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4156-508-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/4456-199-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/4456-561-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/4700-124-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/4700-236-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/4716-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4716-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-140-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4756-260-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4900-23-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/4900-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4900-117-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/4900-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5036-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5036-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5036-89-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/5036-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5036-85-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download