8f017fddc46d4e87bae5f02ecd0d10bbb3828ba904cc28af62fb2bd718d98c18

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
Size

1.2MB
MD5

aaf12aaf679ffec8085ed3d687de9d50
SHA1

111a8e177f69d44ddca7db9f5859581110317fc3
SHA256

8f017fddc46d4e87bae5f02ecd0d10bbb3828ba904cc28af62fb2bd718d98c18
SHA512

5426104fa583bf195a4f712f54e8e85ca1c8a51a7dfb456fc2e46258838bb0dfd596f04e287207dda29b73a89e42ed3b28f08ec5a6fb52824e8a275a86a227a7
SSDEEP

12288:kwgUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJz:ngUMj3C/Uvw3B8atQVpZJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5100	alg.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
1200	fxssvc.exe
1636	elevation_service.exe
2112	elevation_service.exe
2736	maintenanceservice.exe
3948	msdtc.exe
2724	OSE.EXE
4568	PerceptionSimulationService.exe
5060	perfhost.exe
4960	locator.exe
4296	SensorDataService.exe
1132	snmptrap.exe
4220	spectrum.exe
4120	ssh-agent.exe
4304	TieringEngineService.exe
3776	AgentService.exe
3616	vds.exe
3104	vssvc.exe
4380	wbengine.exe
4448	WmiApSrv.exe
1956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8f580fa9c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a866dbc9a6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000618234c9a6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000664296c9a6a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000882be0c9a6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc6862cba6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000683426c9a6a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe
1636	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2672	aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
Token: SeAuditPrivilege	1200	fxssvc.exe
Token: SeRestorePrivilege	4304	TieringEngineService.exe
Token: SeManageVolumePrivilege	4304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3776	AgentService.exe
Token: SeBackupPrivilege	3104	vssvc.exe
Token: SeRestorePrivilege	3104	vssvc.exe
Token: SeAuditPrivilege	3104	vssvc.exe
Token: SeBackupPrivilege	4380	wbengine.exe
Token: SeRestorePrivilege	4380	wbengine.exe
Token: SeSecurityPrivilege	4380	wbengine.exe
Token: 33	1956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1956	SearchIndexer.exe
Token: SeDebugPrivilege	3436	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1636	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 5036	1956	SearchIndexer.exe	108
PID 1956 wrote to memory of 5036	1956	SearchIndexer.exe	108
PID 1956 wrote to memory of 2748	1956	SearchIndexer.exe	109
PID 1956 wrote to memory of 2748	1956	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aaf12aaf679ffec8085ed3d687de9d50_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3948

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4156

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0ae4282e4dc92d15134fb7bfca6a8e81

SHA1
e93b199848c9e52829bb9fd6f7aab34ab0c4c9ee

SHA256
63c95907f664c14701d08b4175dd3f5001db42ba2dad276bdbbad13f52b50bcf

SHA512
0ef027f8699efc8afde66bdb8840905d1f59159865abf449c250e14ad5e20bbb0128bbd1217671af396aad75c1d23005bb6bbda177cc30c02627521fbf9c4bc9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
79fd4b72327b584f9946e88d91b23bfa

SHA1
41ca0ec6e9d240bad36b279cfd87a24ceab7acc8

SHA256
b6ec1dd5cce67910bb941839127880a4066556f478e361d4eda1c5f7fcbe0bb0

SHA512
b22b5a853d281255691565dfd6951e962cf0b201a9e7fd1558c02726fb0160b45072be100769dd0b2cc4085bdd77cae067c63c202cba205bbcb71abe7cd47060

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f8211b23bd474cce504ea4f679d25090

SHA1
39bc774fbc25229c03d0b309c596b804d003ebbe

SHA256
558ae969a3d586b9898d28f25834029fc2557e33bb75481547e2b6ba1d789fce

SHA512
454f23cccb875fb68dc622ee49dd0133cd209ef05d7ac4943f53552d1deaf5ee236a42e0952b28c8eecb3ff9d7165bd5e4364606d10aed3c964320936c618c45

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
db1712b68381e744c077b4072797b2b2

SHA1
fa980e5a40a36f7e9c23f7aad7ee294edc4fb6e9

SHA256
7291edfe9edd99da71ddff8e95db752c6a7254b78f1bd39bc95c59b79ee17177

SHA512
7195df4fa6d90c01191f93dc15a12f644f33bc22ce9c2464598871eb512b0d4c4d6db37fde8bcc6ca4c1de3643dd356cb5366c869ed559f1d788c28f07255a5d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a8a8cc38ea324bf8fdc7f25771d8ced3

SHA1
f21ec70736c4df0903546c94c7adff92461da0a5

SHA256
b46a16c19e35381f19b4e35bb2c1b873a4f1686c3dc73a57b9acff97be29323f

SHA512
734aa0768052e9502850eecc7701f2a0f0b7eb116a14e405cec92fe333eacdd824ce5ebbe3b3eefb92ef5d790ea8ea437436a750284333b01b256e78f54630f7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bce7a6fb53c1544d7a77f68a82342143

SHA1
2ca55a4648f34872a043291435e8a5032ea02b0b

SHA256
7ec485c08c5cf2020ed2f851f8368936be8d7fdde0387ce7152a335ae1c0f986

SHA512
75a490dbe43a581e5d05b9a076d6c85ce76892f2f8d2f32269ac40d0b19dfdbcff0703d17fe9d7bbfd42da7af3e1414bb0e4fbcca459ccbe1a51308605ceb591

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d87d9d9d8ed539efc4c0dddf4380e368

SHA1
5af8f0cf5e02ba57be55d05d6ffa7446d994a85d

SHA256
f66897a0d334af9c5f52336613b887695014de5ab64e8efb592a1fafaeb43a2a

SHA512
84b30b39bddc3b1c03604af85196848d96d759a60abbcea6bdb4dafe7b782d60d5f910cade7239d05ad38d3de2699975b42177ed5324244ad99bd4b8239d9656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
751d9fa5d56540f83764f260c86e6a2d

SHA1
19ab37dc3a4293a62243b994a4902d6c18f1d35f

SHA256
54a3ae04c8028cc067f9cdf7072b18c4394b66c6ae6a349f1dfa95da39eca319

SHA512
383ff022c04552bf083937fcf419a0c6d8c4e24d50fe539dd3529439aebe044c0076fd1ad336785be7f1f803db1ab370854b224524386f4d1473626be5ccdacc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b082c1246b76b0765972b1db80f1bb1a

SHA1
d4dd2151b17dd8b4247f63532e73482b0e897e3e

SHA256
8d0e6d58a64da151c7d1135ef3f0c9c3d642ddc33ef7a283227a0b9541c24638

SHA512
d2fa2853a8f5c3ed4efa5656cbc42a579ecef422717346103f8c2a4287391e97042667147ccb22bd463e71e68feb7bff96d2857959ca2ff5ef8cb3ad091032c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4b92f3cca22918d6538347dced73a122

SHA1
9d8ac5d269cc18f4c2b88f6805bdbebcb0b2f5d0

SHA256
2c583e9ff38985680ca3d303389898d9d62c4b0c54b9dd72abd541da83071c4f

SHA512
623edc15796c7e48fefca5a4994717f94a16a82577a082e065737b073baa917719be68da680de4f15cb42ceed1a72eef7f5ab1ab215c2cc60d9560da9c70e6a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
df749e7b76e741bb6958edac1a705341

SHA1
6ea7641750d3c8f87cbe6e5a048431d2a65a4b9b

SHA256
854433fc8156e2abc8a62fc040a76033945681f1a0aa598df48b1bfb9de0751c

SHA512
aaf3274c951cd4d916f27b1415427d96815a3b011f8e87fb1450a0d660cd61d6490ce6c966b3e2662e4371673c959e4af47a9431e6116b1fc81e8081b7fc7149

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e30bcd3eb77db601b35d8961c3dc12cc

SHA1
985f18d5ac9602c2213ab98cca19a38e51f86f8d

SHA256
2e7ce7ca9905a86839ebcd8f2586f398cb952b0fd2d4e4aa489b8fd434454e1c

SHA512
c084697e69492eba4036fbfecb5f7546dbc2f23295747a2e7c63f950145fcf0d803f041695858ca62a90fd2076f09789aac53e0a1d4a91ee3a1f9c22bb6e9f79

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e4a04eedf6e3c28cdcc6f7ada0e4ec9a

SHA1
763aea8c34a82e7cf724d7cc36deb0dae9dbae4d

SHA256
9f8781f2c551aba72b399c3e2bfebea312fb6f42c503bdc37537979fe41fbfe5

SHA512
713e2722991a0b0510c6f481e077d14666eb59ee62cde6d5c22e63a496557c09e4b6850c0670880a16ab3b6fe5b2ac6382fab3e1da88dfdf0bb4cb947e423bcb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a8f3cdbbb4921d9453a58e9b072b1830

SHA1
d7ef522b4d0b42a5d8abd8a21dd21301df326aac

SHA256
50d07af463219d469bba98a82582a38cc0da4d8451534d543164488946adb379

SHA512
4a746f6bc4c3d8df042c703adec74b8ee788c67e68888f69f1337c470f598db8dbf70b1bae813182dfcb3281bf93e5dfc43666bbecf4ef9fdb0ae8c6f6620a89

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a37c7521fc8dec577a961898a70d138b

SHA1
6b281bf2be7ada2b9448a53827a7351cf8d8ed5c

SHA256
a445bc4600f12e1fde410502864f7505f8359cd87ee65a76132ae28e94fa8d81

SHA512
9d51e4005596bacae47d16e3323925e67d513571b223668e43f1a4191cb438ed526c79ef78a6951f4ea92cbde636b896e10cf4434b47e7db5d4ca350725b81a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2c8c315f991eabf0510a26ddf1670ddc

SHA1
e3be7a847122b97018ad27caf819912397cd46f7

SHA256
7832c0d859e9502fa886b87d42704222aa6a16a2512a2b44d8c43edcb595cf66

SHA512
1e4764875f6be13d37e7f64564ca91e815378b1b61f9885e3256e5d147d422ca13e094b441f1ae0dd95f754e43772028f0b2012d9152a32629c10cb7b9b55919

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
eddd03195313c81507b0e6a9db7fdf3d

SHA1
dfcbab886a4b0b684bb8859302ee6880f3302224

SHA256
ad63a17275f1b892d616e60c7088d47739493409a671941f0276e14d2af5052d

SHA512
2583b2f2c1487acaa96339f08228a9e42aab0f34177d07af75b75cd8bbe9ff452ae3494fb2bba06403da39854ea7a907bcc924e51076f5d61357ef44f96f92ed

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cfec2657d2a42fcefb2f96ebd645593d

SHA1
371660f63b14e51241cd12e22c4c0df88a6ddda1

SHA256
fbc8f5d8a8543323a7db7dc2c87a692f03f7d2c0f139501fc33a8c1381490037

SHA512
6a906368bbaf9ba91e608baa7c39b122e0fab7687a1c568b77af5bba28c2237476678428bde65f9c387be97a98d999bbaaada977c3ad548f8c78863ae5e4ef67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
36f83966ef17c23005c06d7078338703

SHA1
9c5055184a1fbcef187cf1f073592e1cb894ab08

SHA256
471372f123d918368d869212af7f4435bcdf9a492a073f5f211a17dd40e7d73e

SHA512
d9b849300943e906d1fded312dbde5597e77efab3abe5288d998b7bce533bd3fee974384966a98dccb852ccd06a06e7eef50fdc3dc4e88972b139a5782fcb364

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b4b16b562799eb3e49577ff5717d3449

SHA1
6424e52acdb18cdb016c0ab521d15dee71b72031

SHA256
c5addb4069fc60cfcf5380bc1ee4faa7f35778d046192859a681564ac3979cf8

SHA512
cf16040fa015f6cd850fe14873e0bbc64698373de078a290736ac61488d74d4b451c36b21408408e169374edf47349125614c761776295410c3832410de02beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4b70f4ac4ebe30a3b329c5b72f5ca408

SHA1
0d8ef4148d997e50ec297f322138ac2ab975901c

SHA256
e8e3cfd360a0ee189a66b1ac4ec6429f20323ca476d5dc9164a4bdce9922aa21

SHA512
95105b6a1f4c55a39af3b218cfc20b0f18d706afa51454308d6630196f12cc20ccaf6c17f98eeaf0c41ad3b1b3ebd86f17ccbf044bf3cbe5a79cefca575edb19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7e09921535cf289bf19787d2c0eba12b

SHA1
fb2d44cb2abb37b62cfc20a9af7c159ee2556402

SHA256
7dd894b7dc00dbdbc00047eb3ea215aca05c13bf6584f5efdb3ed3c632b24c42

SHA512
1b2e5b259ecb81233578c0e59461fdc16f7254d883c3aac42b53c8eaef05edf2336d940e220a153a1f41632c8e420af33baf0227ec6a0323f62662aecded0cb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
43c15f9d0d8fb14487e579889ee861f0

SHA1
df007310958ec94c0beced485df19244063498ae

SHA256
fa1ecb7edac0cb144470f962510061b66ae811372e9504dc95043a6a442cfa53

SHA512
df6d0c16f6e053e0859291514686e8a8dddc2edcd6a83b8c5987a4f88d450bacb74487b37091f16e00d49dbe771e872254e9a8c919a31bed47df2596eaa55d75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c9926b79d9f595f73ef21ce34fea5888

SHA1
657c856c7ea42d308737b3bf4fcc7e407d9cc66d

SHA256
6d8974fc66198abe96de36021efc8b100b1fb6f017f7d34bd24f365546d40422

SHA512
f31859fc2a4cf432817c55a492c8e94e058bd85907ced46f410712eec3c5497a3bc8993776357aea70c044ff7f80aaad80b42da0664cc29188d34b4bb92f8fa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
61c1b268c5da98504293f6e4764331de

SHA1
92459e1038b9be90876a2915f8d788d90fe2b5a8

SHA256
7af4b47546d1f26367377bcbaa6ee87b3b707cc8c66b9fd18bcf79f0bfcca660

SHA512
b8a54d5d57f6fc8076da48948aabb57aac945b90c54198c23c9b6827811e4d8fc9d0f059894cb261f093fcaf2d726118519006aa7bfdc1047935e6d46839e7af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
94c9f010e1cc07022607b67a42a995a1

SHA1
e51c160afd1efe2da89ccb0612893f2ad386b47d

SHA256
921ab96e5124f145d49499f7b82c14f803ebb556c0c15775a3203e863a6e4c31

SHA512
71fff1e8a7c2bde15ed6ca0c9c877656c35ab557d4cdaf6b1b2586d3feea8a68b28499faa5c0d0596aaf8bac3d5c9f1b017a97d3de61df1bef6ece39b0f63e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3b27b38765c575d0a7e65dbd58405dfa

SHA1
ce1824b5c576fb7698784f8bbfacb285ebfb4132

SHA256
c0d9bf1446acca45598336f71cf6c02b4fe8388e46cb11acbb410f64164df7f7

SHA512
2bd01840878f29b88d8b19490db18bbc96716f81dbf110c95fd717909ea1909df56d9446923a6a9a9bd8244cd7c1f1893e412ed707afb0762e3e4921db7f96c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
97cdd9c307d01e8bae1d7f325c232d62

SHA1
a8d6de58637d341626b5114578c5d8f474305950

SHA256
159673ce0cc6c69777df9793c75925ef34aef7b41272375291c09542ca077ade

SHA512
a1f75f7009a16a311b5391e0e59b9abe066ff4820d589816007a18ee102155a97e2aa45e9120e46b2da82d91dd3cee6be0f7c5ed9411700cd4160bdeb9a158f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
20c2b027349d0feff059653b4464f117

SHA1
6cdbc1031433da88e65909c4a45803496940ec4d

SHA256
571a959dafe82502e48fb29b29c5b10de757b73e650299e6c4c5e54547125846

SHA512
024c2c3f71349d861eb4c9a4b2b6daf41f25d3c3b9c91644796595c8a6027be4f2625a2363c5232c59395a2579767c91b0f81f3db76776e7d64aa3b0d4aecd66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
90493d83a3d0e486bedeff731e32244c

SHA1
d44e1949193568f1fe84658591250a08a29106e2

SHA256
34158c4c4db73b4eb52b69079546c9cc38c1f8203bff5e623cae107ce0beb44f

SHA512
1b08a7afa85d80dcb465cd047aeb1530831d0e24173ea6ead087582470f645da889489d055384e168b8f96f705ee21d242f43bc8db8fe2cc8ca9e2b328802cad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
342f07446d96700e761445bf85d3ed5a

SHA1
15cad08f4414ff99af60c0c9f759da472f18d54f

SHA256
2c2e36a3f65b5b2842e0f59c97fd16ddf47eb9a36db8686ccadf68da2e29184e

SHA512
59b43a1d5059d5457bffe5291a64eeb4b93e693ddbb84017e2d9f6141b643ad56d4954d94d4e41ef968a46db639e61cae2148a4bfb5f6817d343c376684000b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5e0f67801aec50f031b80298c6c73f18

SHA1
5cda6821262aa8b9c1b7296ca4dbc4bb52f58818

SHA256
c7a41392ef1f8d84d4a8fb4e905dcc7c4364279a23d5007d7efeef7cffd1453e

SHA512
241c2cb84c8bcc19b362e7a78750224d2d5aec9f304021c0de38e932aa2466e6f7c3c8dc8cfb5b46a42b5230f8fcaa4edaf4f70e5760200713c2d35433fdcc3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a6ce91c7e39c268fce0b767ec98c3721

SHA1
daa8756c0e0cd291f5178954fba2b233bc56c549

SHA256
c9fc6cfa082a123db19369ea828161d289e0385f202d8537f95ee885837ceb9d

SHA512
d736cff5d0849d71ed426137d3c3fbe2d8fa8b0419432b2cdd2372097bef24b8f11eb19bdb807b4ecff2f26af1b394f9232f21ad0389f5ac490b3bef30efcf40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
013b3578f11da6a818270ea9d5d1cc57

SHA1
d63f9cb8dbba0863787a159dca6756e8045756e3

SHA256
e59c672231d8682287a30fc40349a2c6b2f4448aafb903f43a1de20716501121

SHA512
888b6565de1c6953ae350f7afaae6da7ef551ae990f071d2040820c8b7f038a0dee72948f72c5168ca3cd3248775212c61a67fb0fe85be5b459591571c2401d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
16873872294d32de8a525bf06e966dca

SHA1
6c7583a68020deb5ca367d431f40c8e1a89a05a2

SHA256
0ca0936d4e53cfd72d92567b492c30780b8cd29764318a83361f2a83acd24628

SHA512
857c9a5335c0d010bddc02df73c661be86fded192d32e29ec504e6ae27471d1a59c135c15545bd397d51ed406ffd79b4b1b6960cd686a58e2237f0a67ac547e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
3a04f34180ccde4df48b5a788376264e

SHA1
2f05f672f3358e1f32555afbaf391ed6ebc44a24

SHA256
7473cd2d41356a98dde73d4b432fc9b6be6907ecb0eeb939bc0cb476b1c9ad29

SHA512
a0d2689a5c5f3cd5253133ddb4e6f1fa96d5e3ea889b7f799d1a047db49ee83d497cbacf2e4553f8447e5cacde8503a924d7869b8b008af72aee831c93685306

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c2512b7bec86165a34165617b5f528f8

SHA1
09291f030a07db571e3225e83892172cad15a83b

SHA256
a47c099ee6a231ec1df7c2678be421b6be7cc444e39b1e901843b6397599c6e0

SHA512
86dd1b599fa0676fb0c5d6b7b0a5fc0a7463b84601194bb00c019577c5b159c9c0c888db685ae2a910e3663d75add851e600361c5137d241c151124c1bcbf82e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ab9651bd0c18f357adcdc77de9ec251f

SHA1
680e079216e7757190e35094b1ebef943f31d260

SHA256
80e72139f9c8f551de9bc5afa092398695492e62654300bf7e6e4ef319094073

SHA512
445d8537908594e35eb1c718f6f5eb1713d154cbd09061837b7985e5403c5d2efe29ef62e0fd50107f08625c37fa0d05b4c8d58e1e3eb2aeffaf9e5512b81e30

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f5d095316350e9f8d83b79fb5aad77cb

SHA1
9ac31e4ef706acf6a29c0ed8f43bee2acb532a7b

SHA256
9fc39056ea828f71cf8bc1479e1588a891aacd8c58d42033cc4aa22d6de2d908

SHA512
0e9f82f70f3d1d48928a4873b4390543ef12907f4868cb8c1b4bffa7e1eba141d361b80c4e23da437d095ee0de4585e4c019fdbf3997462f48411109d290ef79

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
50bcc0524e795af1eb862b2e1817ee41

SHA1
1edb5787c556a143b869b480c9e29d1c40dbea5a

SHA256
6d37ed500f0c7745d690fd6558be3af94286fe026ad79cfa35ead56f0c1118df

SHA512
4c6d95d42110ae5d233886b5dd22450721af04eb00bf527570d4168cdf71259cf6148a52ff1efd5cf1b4b640a4660a32c3672dcbcb4ec570becf792475040a78

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6775a61ab0f67c5686fffea92db0531b

SHA1
00e3542ed625a209de595b1c9c98469c46c27422

SHA256
00ae919c45e5bbf2dfb0542258a251fe7328d6a4f1733c8143485bbb566690b3

SHA512
4c6a76effbcc877503b701c23ced822a7841f180c227ae0b0189c44f2ea608f2691d778b9ebdb10f2af871f84e184854e096a6bd7865b9c36239498e3c3bd4e3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4d3b14f47aa01c32243c2105f93198e8

SHA1
414a059038c3767d788857254d1712960e976606

SHA256
891d9df5adde45e3184687d83eef5d88abcda3fa8adf3d6d5de16687f273e438

SHA512
146c1c9d88bb6c1ec111a0cf65a0cf8f0161c93173bf0920f2cd6cb225a1a3018177579f584696c343b4c8f3942ecf3f2cbd608e955b230189aede1d0929e519

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f9faf40bbd26ff16370228e2a7877eba

SHA1
71dd53007fc8f36ba940b71f9c6791503a85e6e7

SHA256
215eed5b25ba5bd10404a257c71a6f46caa9c740fa7661f3f0fff50eed66898f

SHA512
81cfe73a5bf3bdb01c2532d9a92240684bbd961270da81d08c46741d6818a397d9df11354ec5dd8f3389994e05433bde3fd06999193556a830798d46c1ec3c0e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dfdeb31bfc2bcd0e36aa5399f19ee3df

SHA1
a8afe135d7a86f9262d5dde65c1b42d118a4256e

SHA256
f236526751a40c1ff3651609d23c2a11680196bd9c4988506c703d0b6b5e3bd8

SHA512
056d9e605396e04e9230336227b805b099fe5d621d112db2b577bd731cc88f6743e0dce91961f3c6462948d378ee380a33c014ef56e0cb6c0ad41d6c8ac3363d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2144e460b6020b3b0103e2227db74303

SHA1
8666ed29f6bb227c49a044566c47845cdeaabecf

SHA256
7edaf46b065668268e6970bb9bb1187bbe9c42c8b2ffb98db3aa908b4a5a996e

SHA512
1c55ff8f500cb379e24ec2aeba1405be9a3cdf87c7690d797aea25d95084270c11f56b984e158dc9064e427e6b90ad43485f84ec2921cdbcbfb6914376b6c41b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bf832e487b5614a8080db89704ec96f6

SHA1
9f7dffc66f5e2f566d214803434dbab773bfb44f

SHA256
1075c37f1cc25c2d62031bf1bf553b01462ce93293ba93784642ef6f220e6f82

SHA512
d2248ce15e825c5dbd2e9e3dfcdc26f773ccf1c5627995be63127ca1a4347f6ac22eae4cee75caa3dd7f8f623b3f807a5d2550681914248dce4002c6d780251a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
431f595bd8ceea51cb41def725620fab

SHA1
0d9cfc8392286f1ee29ccc06df6e77f451e88431

SHA256
9a05abf8733eb0f48d5007b4f74b9a2b81ebb07277090c20532379b06bddbf76

SHA512
f1a76d79fe221522769b45f4760628912935dd13e74781eea0066af4d32534567cd269951792fc228c864fe5134de7e9cf0dcf2fe4da913c972cc0f48f58a0c2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
093f391aad5a1cd6c6a4fc61888810df

SHA1
8e99b15b5f1a7b6f272de34214041bf03f739712

SHA256
55e34e78ec8b383e742b543d59af60a9c98ed174d4fee19e83ad85e21192f834

SHA512
0ad249e7d41d991a8fb6fb1f30c234cf8db777f5b25b1c0078ddc744aa9ece976fb1f2e86495740aa2f2ad4b38405d74bb4727075f02aae47819a9cc6b291924

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
889663e81eb8bf073b5a480fc92bbbfb

SHA1
5f985ad5d459ea2c65806db4a474370515e658e5

SHA256
37cfeb125c23e25dff09b7f41cf94dc660bdeeb783b4e35b71bab48674bb6f46

SHA512
c01e7801d73d7670c5e0d938f1f30d4fcecc7bee54f28cfe86f79a87dfeda42f02ab9995fcd845a6eac2f806aa2ee84554869ba954232a9c3290a3a0e851d33b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
31695651b727c343b2b71010558c9648

SHA1
cfd0aedbc5c43cdfebe3952433c907a29db08953

SHA256
6ae0fe8135ee62fd547e24791fe9d87765ccab17d52d6eb9e2db15f12226605a

SHA512
d8be1398e3974be14f1f615775813f710f0b82519e0ef4deef4561c2b34fa58780ca5aebbdda28b7b86ef9f2ffdd2710a79f87b095461877bb4ac3f531c78579

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8b25c04313cbe247599dad5dcf0aad1

SHA1
e39414cca299695db181c9d295b8f8bdc12b33d9

SHA256
2e466e4ecfc41c0479f00f895f058cba605d3b11a9d0bea8d2322d312617658d

SHA512
c1bcf109b6e20e6b2baab4156f56d717f5091a4ff09964babbbe6e2b9d21d011180ec379b8acaba1797cac855a888454e80af06c1648a0253fcce009944c4026

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
15ab641417a2efc05037ae3433562f46

SHA1
fc286760a316717141121f0d5f4cdd351f7c7af4

SHA256
23d3a710f352db1cd8e1459647bcefa30b167ef82ae7c4c9095b8ea0c977b07f

SHA512
05b3be465695ba1c68e91cf90f41ef41d0d975524785e95ec3912d1c7a59981c208b4875a59ea34a5fc4bfa87dd2bd9f2a0baa44a227913d86bd09ef8dfcb389

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
db36dff46e4c491867b01dfa8a9b5a64

SHA1
c054a69315860f43ebdb793073c73595d6e0cf17

SHA256
c37291c73b7106a261f9f2234d5c85b770707baa12bd2ca5ee1af9e491733255

SHA512
1a0308a0885793890d6ff9441a9b67eafffab3d93107f9294af817aa8b60135696f10ad5f52c0e30bd2bd6d96a820f41a75a16f6005a8d07d634705c008fe85b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
752c9e285189d0637466cac21c7c3eba

SHA1
575ef8c80a741950aeda0b17793bec1606187e61

SHA256
0dbf8ff0f498db6ec91bf0613c28a2141314a15bf262bdeeb1e8c366f72bbe46

SHA512
0fc2d66ec12490f1c174dbd9f6812f2b27de0aeac685c79820dcd90e085df56ff55e450a3d45eb4b973a8632c6470c38b8925f3ac0fbf29dff0e746fd46849af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0dd29e8dcce6ecc94f85a0058b4e63fd

SHA1
cff42055b3829b164d3757ddf5d0d34b83eb66b0

SHA256
2ca3dd7c44ac3e2467d21c3a9934e05e36aa42d1e9734d324c8f2fb8ec749697

SHA512
ebdccaea01efd54860bd16fae0671280a1995120ef029365c9898ddc6cc64b80072264e0933973736c238fd323c557c5c91597e05d9395464fad3be531c2fe3e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e6ab7b2061ce8cc56ee9837f3cf9d331

SHA1
e7b035f9744c13ba1efed5cbafb24e6f6ad9a2f6

SHA256
433609e3d8baabf93f7c78ea2263329d2b11219e57949c54e36d3caccc231442

SHA512
449872d5b03089641e747132cdf994be40a0f3bb66e2b9b8aff586c08ebc50a370110db08bdf69d96ae1d24b50caef5a608a73d5b80d7d49ad3152d198a31df2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2daef5f0c3d9e4e0d5a5d2b09ef02598

SHA1
524361ce25b9afe0891e6f9c7b7c1ff64ba36e7d

SHA256
9630c2975fbb56066fa7be3a73a77d21cb2c8f6af995a82b552a79aee09416f2

SHA512
7803e5ca1780cd54b1ae3f2595c3893f653abf1fa46a2f13088fdd25559423c0d7add790ae794476698ee8d0674f11650d1dc72e6754ea2c5c411700b75a7ded

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
044cacd2e05f0fa5643562a9aad4ef5c

SHA1
2f67c16dc3e38249157bcc1188a273767ceaf281

SHA256
72afe4742efcb9f24b79fe9cd9f8de6bd8b6f49cbe9be78e50bd3a4bf1ddfe3c

SHA512
5f5dc2769a6890a9fa4ca9692d75060093069c85a4fcf2734a4c1ea07727098f90ee13b1ccb62e65f2e348537d869ac8d285401bfda2b4ffc6344e53c711ee0a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1bbb8dba005e93202c6540ff60980912

SHA1
7e859018f8664d8906ad5a6c04577475b0323ebe

SHA256
d32041157e598874a7d2953000458cee692037f741ab8a17081bd40bb67e7920

SHA512
fefb2984b0e37978de85076659c15180f00c18a09bab6d62cff8560d84383f0806139c86bbe7c46fd2d3ce19d9a8bdcb1cb15154cf31b80e429b2903ecf4fa0a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
cef088d1eb6d7b026c51781c3f9ca8f2

SHA1
c656af4689c46896f5d44c611e8437fac83fc5b0

SHA256
a950ff004a4f58bb48d98685b529edf281aadeb4da739e6cf9f57bd1c53f25f7

SHA512
5bfd87254b286749e55a2e839d06e282273fa7adca5f97fc3ea6dc90b741360e8477c2f6643c31d19400421c17b67339623408550e676d407371c0739d90e83c

Download Submit
memory/1132-384-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1132-119-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1200-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1200-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1636-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1636-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1636-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1636-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1956-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1956-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2112-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2112-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2112-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2112-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2672-292-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2672-0-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2672-76-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/2672-6-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2672-2-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/2724-77-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2724-78-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2724-154-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2724-84-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2736-54-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2736-60-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2736-66-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2736-64-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2736-61-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3104-448-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3104-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3436-110-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3436-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3436-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3436-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3436-15-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3616-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3616-447-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3776-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3776-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3948-149-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3948-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4120-135-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4120-445-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4220-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4220-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4296-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4304-446-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4304-146-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4380-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4380-451-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4448-452-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4448-165-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4568-88-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4568-158-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4568-94-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4568-95-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4960-111-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5060-107-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5060-104-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/5060-99-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/5100-106-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5100-11-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download