a3e3da9e13014e2ee6ac1a3c6daef540a659bf07643388c5b00e074b6c39e0de

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
Size

632KB
MD5

af44f8f4155a8924dd675f3a8a147e20
SHA1

6fb75db84340495c9e797291e49c3775978e64b6
SHA256

a3e3da9e13014e2ee6ac1a3c6daef540a659bf07643388c5b00e074b6c39e0de
SHA512

f60733f210aa6b30c70f945ef3be54502e1d2b52b4eb5187fd976999e1080d631ecaf770312ef4007a3aca864af60117afc1ac67b5965716328f911622a11d9b
SSDEEP

12288:e6G9CqY8xewVHK6RgIZOWzxZqfny+LSe5/9qRA8YAC88iA0QWNtM:b18xNqPIDnITSe5/9jSC8A0LE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4832	alg.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
2644	fxssvc.exe
652	elevation_service.exe
1492	elevation_service.exe
1964	maintenanceservice.exe
820	OSE.EXE
2528	msdtc.exe
1196	PerceptionSimulationService.exe
2344	perfhost.exe
3088	locator.exe
2144	SensorDataService.exe
4372	snmptrap.exe
1956	spectrum.exe
4552	ssh-agent.exe
3608	TieringEngineService.exe
5072	AgentService.exe
1372	vds.exe
4240	vssvc.exe
4020	wbengine.exe
2848	WmiApSrv.exe
376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1dc98ccc8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	3112	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b84b9f78a9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048eb7d78a9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7e99c78a9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096d5a878a9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf98cc78a9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8617478a9a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076ff7178a9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2672	DiagnosticsHub.StandardCollector.Service.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
2672	DiagnosticsHub.StandardCollector.Service.exe
652	elevation_service.exe
652	elevation_service.exe
652	elevation_service.exe
652	elevation_service.exe
652	elevation_service.exe
652	elevation_service.exe
652	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3112	af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
Token: SeAuditPrivilege	2644	fxssvc.exe
Token: SeDebugPrivilege	2672	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	652	elevation_service.exe
Token: SeRestorePrivilege	3608	TieringEngineService.exe
Token: SeManageVolumePrivilege	3608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5072	AgentService.exe
Token: SeBackupPrivilege	4240	vssvc.exe
Token: SeRestorePrivilege	4240	vssvc.exe
Token: SeAuditPrivilege	4240	vssvc.exe
Token: SeBackupPrivilege	4020	wbengine.exe
Token: SeRestorePrivilege	4020	wbengine.exe
Token: SeSecurityPrivilege	4020	wbengine.exe
Token: 33	376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	376	SearchIndexer.exe
Token: SeDebugPrivilege	652	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4468	376	SearchIndexer.exe	114
PID 376 wrote to memory of 4468	376	SearchIndexer.exe	114
PID 376 wrote to memory of 3536	376	SearchIndexer.exe	115
PID 376 wrote to memory of 3536	376	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\af44f8f4155a8924dd675f3a8a147e20_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 452
  2⤵
  - Program crash
  PID:4840

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3112 -ip 3112
1⤵
PID:1088

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1964

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4468
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e569a002e1507baa6906003929e74fab

SHA1
ee3a94a9316cf0ab49b03d99ab672d0e2d5d8bb4

SHA256
d1e91370550579d5e14beae8a03dbfbbcc17019ee6a761684eaf5ec5a646bd57

SHA512
98e99a80f2cb200af5068595ef34dc54fb820cd5c416eb0544cd5374458d46be885171defca153b29fc87de12ced5c694b775db95651fde87669deaebd455a3e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
311a084e6f5637b7e74e229fa18d736b

SHA1
7c180565a28cf526266215b450aaba3235a10cbf

SHA256
515ac098c620c82a7a7fa858b8a49d640b7def626e6f69420885678dc6180781

SHA512
09496ec4addf2334d1db2e44ec4543ddaf35a1412f926ae2a8eefadb79369223edcb07e0698b4235733cd75fe24c74e2cf4e90230c37250b58d33a88b99589d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
db4b5603e351b99536946dfa73f5400c

SHA1
3f56a7f2f4ed12c65efc1275c6992b1e83d0d53c

SHA256
4c822c8c4874bbae26d6f753dc9797783debc520e2a5591add4f5ac2b1ec86cb

SHA512
6fadc8e18a21d2a2d46eb5148f61ff46d486383cc578f8ed60df2132c46802e74821da75b54c025d0493ff2b870d803173717e1bbca643f1e248108abbda7923

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5e2c4f38361369e12f2a3a644660134d

SHA1
2cb2c8f7baa3553291fe6cf2d6e8e0cf6b2b3233

SHA256
96155fb41b36abfe2d34a0f78e00ff87721888a5ad4f63a683c91301e6e4f56f

SHA512
7aa17cde4126d50c57cb23d864395b6c9165f9165638745f483b7008a4a59c200167e3e8e9ee29371e575a3341d249f567dc847c876eeef81fff7d15889516c3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
64c85c943d5a3e2de964d239f64b5773

SHA1
c3d92e06900dc9d6b3fd25a728cf11561a6315c5

SHA256
105ea314be77d31a6970e9c84098beb8f58cde9425ae3e7418c6d670e3b8ca53

SHA512
88de02ae4288a2de279cff95c2ef89234c5ec240aeaa5a11e182567c37cf115f9b947681b8fe34f80760b0f13d3ebec3f3a5eecee7c02665a17dfd122a949a22

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9c5205e5dd46530ed05159daaa65cbe7

SHA1
0255744a3482b102e43e5a149de80d845780ffd2

SHA256
93c8bfbdd2adcb27905344098c806274f4eeb9f7032279c8ad247c083ca876fe

SHA512
55599a0ae5955085bb0aca6e161b92be4e848f04e29230a38399c9583dae2db2fe697c0d2367a0f83000a75db1cb622a9bfe546abf8aae578d7b4aad153816ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bc035aa1a7ddb8b7970c27698a8da74e

SHA1
73da2f107b322bc2c095c73e695479b19b28d029

SHA256
e986ba5c452c7ea2f541ed4feed4a4100e5b4af08483553e5079a110af48c141

SHA512
a1d2cd331c34dd6f2351f87591acb0e3d342c2e20f692578377d0628b11967276ef4bd1ba2b9c3866c9e91c8dea1f5e2ee4c53981e3f56bb02cade8bdfe99888

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ae487a6ebcd47652445d650ddf0875ad

SHA1
aecf5a698d3287562bb347d50573ab458b49085e

SHA256
d41ffa75d40df6f138f394900fff0de42c53248d7002dc2eecdbfdf55af77b02

SHA512
afdce9f31fa5ef862ca751a887e79dc2d63e110b05fbc66bef4aee6db2a5d2ac4bb54b754e57861e19fb0f38a4ad3c9aa49403fb723e03ae09ae5a5fc0247171

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e757b1a9c36f843e5b8f7c50579bbfde

SHA1
ee819b546c6f35c133d1f48a61639f915303037f

SHA256
1b09485daf4c1b2861706f625bd1d7fb6c63ca30c306b3ed7eb2b80091185bf9

SHA512
1d57ac79517ecf6ccf2a1579628b38a7517e9053f7b0d186dbd31da104e95ad0bb5da273587868a5f03bd7fb57b8d07e6524ed5772603702bf4dd3c03852f572

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7ee1e213b97a0ae89dcafbb50b7b5511

SHA1
39d22fbe3f9fdc619ba5de6967ce71bc87278b8a

SHA256
ea4be0af7d7459d998690dec279a26cfdce00ce9041628cde569c9ac3084f421

SHA512
14fa3db40db57b00cd2a1f24e049fa3633b3f947257c92a3928cc05ffca8973b7d88a31991c1788c7df0106fae8fc99d264d934df1da69bcafa0f6aa94f451bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5bb3ee9cb3af2d678c2d9b09569bba97

SHA1
716477fd3a6e44f2bbb7c97769768086dfc0df04

SHA256
79ad475bf6cf7dec5457536003d2671535ad44259ee5732eb8a81083d9721db2

SHA512
32282f94e22ce916479f19f1847b09248ab9181edccebfee9d712bcd8d82e44de8131a9b6c57c58c163e6246ed786a18207c2c16c8606f145dc8f6242a41793e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a592d7646fda067461e8bb00b4b8d92a

SHA1
d3dfaa6a21d828a369ba0663845091ef16432990

SHA256
488eeda9f88c7c877c24f7372910f7d46d7533729fa80afe2fd285a97fda7574

SHA512
e33e74d00c0e9c20815807773e90579e5fb0d245faa8006fa0ce2a419fb96a96aa548494caf5d894d549de99bb8a06d30b4584e03c5e5746abda6c0831fb4cfe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fe2f9cb8196c44ae1632042a72800bb1

SHA1
720a3c3ff5030e821c7b6f124e8985fbdc306420

SHA256
b691dd330375da4b9882c38f2a983b681f1dc072ecf6711e8846003a09f4afcd

SHA512
354833cd593db29c8a05bfb109fd3a16fc0adaa93ce33ea6a6393611241e24c12d228435a874060c7af6b4864275c6d0218d6804c71b913c2300ad445f8879d0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9d41a64a8fa67d9fa289dd4bb095409d

SHA1
9f3c1060066e66cb583864a78d83f96ee997edfb

SHA256
cf10ffbb5d46e0b627cace1a152218dc96164c878339968b2c98b3494390acc5

SHA512
e8ea47b67cb0820c21d02461acf5043dc62f9f76b6b80ab52c91f970eef7179b66d1cfaafd980a5995036f3da709a6e405af6f333eba1a6f0c1e0354e943739d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1f12192a2b32206d8585f3487a01fc61

SHA1
20fd79453a1d794f0f281ab0007e0ef0d7f92191

SHA256
b3b8b51a1b049e8dcd9dd26138bf367df7c6389661e9740cd54079851b3d86ab

SHA512
e621f75ad1d8bef52526955ae8e15b3b07fcd9ee44f9925d376bbebe66b0231ecef3e0ce656648585a2a7962df337ea8d00f9955b8f358502f767ef0d543fa3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
dfbbe522c04e63329680e2b6ad664641

SHA1
74ae4f550eb4a19487ad13e1b6fae73e979858c5

SHA256
e7393662f6c2a1e1f32b286faefb4a81326b6913ef8f07d8a0f9b4b1461db59e

SHA512
5b7b041a62ac9645e01d9beb278ad7b23e3bba2be5422c4543edadf77ec4e1ed173bf0095077ed9397abb3f8b5aab6c3a20db7ea14eea2e08954c18db41cc0b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6efa4d20ad7716fbd0a7e66f75dede15

SHA1
94884cca2928b0ed5602200e415cefddc4d66470

SHA256
0ff4c5d5556655d5e43ba30e12232ecc8ed42705a4d7d5dfa160217401c98b9e

SHA512
8cb4cab54f6cd860d6076119733792181b7f715045b8fb726704283110a8626afd2836fb6d0710159326d99b66711f55e6930ea661b3aa6abac8c90fe917a7c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9a6c44f9e3947c1899732bd12a6ccc85

SHA1
476bc6548f7391fdad11b6e835a2f55597ccca15

SHA256
1fcf8abcea865a49b8613f28a5127e6e38de72c8f824248b3675274e4b891531

SHA512
4db41f694abb040c21f631d74e694daa43465191cb3ab1577fa820386f4c6bb9d028f2bc14134a3c6cb36842467a5bd258d2c70ac66af522ea539e250bd365a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
10daae9399abd9adb4c97e96a8d4712e

SHA1
73e640f438908f7e09b115a762d87b660ecc81ec

SHA256
aaeaef86f67a5b0745712c4b002b56ae8a6fbc92fa19e0337b04e80528a22d05

SHA512
ae5f43fa83a0c34dfe8e1b50d4dd44b02e3618b0948fd05237d7c814fefcd6a93a5acbb8889002438234427017e15d4546a32d582108aacc39850e29f43f4f6a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bf238de4dbf8eba9135d4f8befd5fab5

SHA1
b5c127dc71429880983eca13f5265eaa640a09a6

SHA256
1719ee095d689e217d53bedd0c6e62d3a8737e67b3082c2bb671409ccee8a36d

SHA512
08aec957d0e0b7a3e8023464f2f280bd8d8c38e5e80bc51fd7d7ff94687fe12a6d2d4f6e0895bd08e769bd4166f8c47f4b6cd2e7d6aadd61dbd6e30efec8f268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2548a801319a7c45494ab66e4716974c

SHA1
cc62f9319211139de011451926f299066754fb9f

SHA256
ca97f3739a149bb9917e0fb90be7bd84c009d087122c3f70d186795da19f2e3a

SHA512
a9d8f3f5d7366078f4b54ec254f7017a789c34f12c516e790daee57f4fa2ffc34eb8d44f3eafdd0925b29b665f2eb84af3635631d9bf46da08c107df2c50f57c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
99e5c1812bb5a884c2fff1fa3ac9ff3c

SHA1
431e5bdc3ae77e0eb52fd6e788e2f8bf42b1d22e

SHA256
5ebde9c616baf6b25eff1e201d9d158c83360d97b4aa638f5801efc77042faf0

SHA512
10f7edfbf4b5c8864e56215cbd0e19b8b1781cf667e8fb6e2f6ab05c48be6dd1faee2811c4f2097e9d239ae63beb117dc5397cc33aa49ca88a068692b96bdf6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d8634d7c9b505c5a95b813ad8e721a68

SHA1
f6eae70fe9e4a68cd6a8b8d138a2dddacf188771

SHA256
51458dc0dc753fb07f68a5befd4c659e903871f193ccad03d39a9b0346f53305

SHA512
d9b56fb557862219cc013e59b4821a7389dce6455bc029cfd6d15ebebb0ef0c2233db031334102d3158e5562e15a66a179a64632eeb1bf0644d6fdc4c8e086a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
49b69e2c665bad42fb2d7167935f761c

SHA1
c022596fbb58e8bb5662e65acf1484d95a11031d

SHA256
5e654ec3837586db1a599fb6d30dbf093b20c7f417499294b2497d4240e48f37

SHA512
7b623a70ef27a45d8763430c40a5035e33e7a7355405c92c51585182a89e74e3653eba09a6ad1c9ffc4edf73344c71c32f9cec667735ce4719e2e352f2bbc07f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
56ef66f28df003ff520f5668afbb0d56

SHA1
b565f8aa248350cb4c86e41bfaf9b679f50e6e3e

SHA256
901cd720420d46427089f6ebc3c6d00417041a7006686a3d20854c3693c2cb4e

SHA512
351bbfa1c5856f8bbfd6c239d948c7f41a79405e2457fd3a32bd39103184a295106166ac8116dab5534142b5a6b52ced0c1b9c48034c75259999ca41e27e52a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
800325f7447ba8686d1fa4947de64665

SHA1
c271f0a65784e46b7f8ff0e93c0f340995aad0a8

SHA256
f6cd3a5f7e0bb55ff0252c74379e096dc72097079084277f4edc2fc73f534ee9

SHA512
8ca81d99e5a054b339e72ac3ed75757aa64a9453bc621de9263b566a6c5b114be602c866f6a2c422cafe8692b93eac1a5bdb83df2c2d672618d0f74344367ca3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
361bcdcca097aaf00ed511749a71f123

SHA1
578793e60f939ce1d2947b43dba13a2ddc693c90

SHA256
d5dc86f591d0fb81ec4df9669ae39f149cdeb85c48d07ec5aff9ed3e12120b89

SHA512
26649b759e761ae358e3044dfe6f78a21c33b5f73f4fd9b3fb29fc51780d9f460d80f5258e6c6827c5606e0a4227ce0bc1b89c3bf9d9bf3b21c80a5274cb2fb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e5fc4ecd12d734b0204b1812796a7e43

SHA1
9956e630e1e20044ff0433d3b68685fbcef87b4c

SHA256
6932e2d5445c83ecad29a7b111c59724eedc7a521d36041b4b54c7df00362d6d

SHA512
f7478f6e08ebfdfa963f5a90736f090465e1a7ea3a651a11ae575bea5e038b22c7c1a940ce21cd24903aed106bcd5f954fb5a515cdb45db92686c53863d191c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
cc5419b38f4a613fc9ee7c92654243fc

SHA1
63acc0676b71546d83c20ee0f659d994afe33b00

SHA256
35debfb270d56dc81f503a7ab7ed040ed2c77c37e3588814adc07b6343c1e7ac

SHA512
0cbd90ed746f6fe8786cb715770b22bb136c648f280a98896f2dd372c4d0b667e8e2135b07b3c3a117f5d58c17f8ac41e2107d57b282ad5b5c5b29d3545ab819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3845626e980307d9231bde09339808cd

SHA1
63c5b9415f9bac07113b2c8b13150f5bfb9007af

SHA256
4f7ecf688f4c99fb66b033dbeea5d7c28c032decf1fa7b33201acce9fe110f1c

SHA512
23899d32f4dfb61370b39e90f6ee3a8247a915d29ba241c33c6aad39149412891eaf1dcc802650e8d309a2db67aea67e8ed4bb316684de13d74c63efe7a2f834

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
dca99286426732eef7e23a35fe7b1528

SHA1
019d0f727eccede4222f281003dbc17920cdfc3a

SHA256
842ee73a7bb4627b7d79c22face1df5d249445f2721c118fb346cb33a8e5cf79

SHA512
fea6e8287b0ddbbccbc6357e8140ff5d05335466c3f6b7632efbc78a8cad486b5b87b1483776e50df12bda9614488611233e677223cdaea5b4509b0b95446e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8c203429df95b0d1bca4e9909ac5447f

SHA1
7c53770268efbb53b52a4a67745680f1e49d2a13

SHA256
957db70316b6e1ef0e1315408b3b44248965314b50041600c17eb51471d24f6f

SHA512
d16459b110f9ba2ea62bc9bb794819b58e39962a76fa5fe1e7687d33e515ba276b40a8054c64a9b431cf03689dc0e0e54a7fa0449909fc5841c5c31a9846e9f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
de1901102a174b91d13e2fbd770f133a

SHA1
8724ff179fb1f3437622d3d2497faeb581460492

SHA256
747c3bf9c846e01a25a9e703e0a877d37926868350165908219d49f82880e31b

SHA512
45bf19095300f3b468cb8c9280e4d020178f91d2eef5117c7bc86713a3300165d466e39040afa1d8b339f54e72da88beed51280138e8ce0c6ec6082aec0e8302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c3a4b1c2a4a86210279e08d0e7ad4d3a

SHA1
18c838c66deabcd5e69146d4c0c7821cc0836cf2

SHA256
57bf578770f10d77147b60f1d8792cb5f5d45dcf5ea69079d818715b27c37873

SHA512
0b303c6d6f65133413c58ff55c22417e7ffde6f34a2c5cf502f19dbbb2f1131264670d0a9d6a1abb2b9d7fa58d94e34e75186a21991300fb80790ba122993095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1f0fde8f67378a12621d33345c74328f

SHA1
5ac5ecd053ae5e34d762d981240dae4591b8371a

SHA256
4a53089591defb48f6c63026159b7f82781e591a9bb87c52ff50e5595ed182fa

SHA512
9499bca5bf4b4c82e692669252e6ecfb6f5db8254c984e9aa2033f19561888daca123ce81af876ceb04ad0da3ff162812a688be2e6a3747b0928e718a154042a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9334975dbc5627122ca077ba40b20549

SHA1
681fb5b88e427bfdd05b5636e6eafaba86dcff4b

SHA256
0dd16b79ff517601b68c4205e443351556eeb6f884f6ec3e44053ebc7e81ec42

SHA512
8e8f1b890d642c2641737953de935abe0cdb583d9dc1424a65b40c65f3e7d641c1069ef31b9436f0309eb54cfcfe3223194a7c162124a020a48ada2f6056055d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c83666aa317c14aba3f27bd2e4e5d3c7

SHA1
8c112a8e64db499fa5ce527ad1ae047ce42521a1

SHA256
c69826252e72d2c2a5034e20fddf19c3b97468598b6a285c4de3e4f6a434e845

SHA512
33c9e83a99e11d48fcb8d1270ce7c27f3850eaafcecf6587a29c63b8cb616f769bf45416db0d65b574c1debcbf00159ca48475ada1bbf5bb24ed00e6b8501277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
2b1db22a490e6dc65910650816f9dec2

SHA1
55a67045285ddaf619d68f845b3a3c815c8fd3f1

SHA256
2bc180a4af024829aaafcf2de53aa6ab2710eeb661574a08baa82e4e1d3c23b6

SHA512
b95ee4799803ec782ddf3394dd19f408e2ded7d32b5a02fd9a7a2abb593821be586f743fe67d8b883e7c5bb466b7540be771c386d4209c73f28bbe89a9311796

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
4cd913c506b958794f6e2b4c4df0328f

SHA1
57ba1e693f67fc7b835b5d087bb4ecb2f2876e0d

SHA256
58053826d8d790758aaa405784037a7a4bf2c6e3e565f7058199c9b6c6e064d7

SHA512
ee37c122b84f8811510031fc9202a1bf0bbb4aeb2f18a7fc6ec7703d590789fc3390c6822a75ff3b6a3235d13a20a9aba8b40a91eedf4c000caf67f3bcac378b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0ede63f0f0f78c6f7085c6e0f06d5683

SHA1
62a185cba6fb0c95571f6e39bba85e57c42ebd62

SHA256
f1af047268ef92fe42ed202c0865ecbbeab8d65e4ec1c33c721e51e58319425d

SHA512
8b1875400ef1aaf8de4c0a7b3b5e0f3ba932bf7177a167bbca78ad37083dbe9b4e4c25c0e1dd0e612eaf634ee559fc75f99a01463fbda2025909d2a5238016f2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c89b459761826eed147a2cf23261ad97

SHA1
7729e1cc56d10f6418bce93286b6dc6a4d715860

SHA256
1b91b627a675ef9cac9ecfc0fdef707569411ec2b9cb62703b06b5473c0796f9

SHA512
561b77052eaddd011c5178cfc6b767c5dc9e82d5c09520446c7b174c08ec51b970c410dc45acdbd73b3f334a8274520b5bd1489eb24871d5ba858fdc6de2ecff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
38b0d4c716da4b15363c108a6fcd4ecd

SHA1
ae98fe29b955e033900cb4baa105271d182f92fb

SHA256
19aef7dd56a9e4918e04338fbdc07febca9cc8689750587e388b141d16d30670

SHA512
82d7d6243dedc079424ff3b6bdbd8c8231f21765de30eee3e02d157a06479c1ff70217173fe7d91694c394ba2c3d31eaa28f4271d030c9a3a7b488a77dc212b7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
72227434feb7323d5dca1c713f484263

SHA1
c0ee3f610533ec4d09bc19dbfe94de903572b287

SHA256
6de0b61c0eff1e842e27492e4f0827d675463ebe14aaefe0f0cb5cd5981bdc59

SHA512
2af656de44776c244f3c2ef7ce3fa0d33d1c744ca138f43238046972205edb6389747e54b1f6005d3ca7ee8fc48a03b3a70f4090a1ed99237f2eb7453c4ee459

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f50712e823d8b8543ebe3fdbca82cbc1

SHA1
a7e78eccdc3a96f2f66dce916c4c5ffdde203f12

SHA256
21ffe90680b3023e0c1078c82818e2bc6ae498d69bf9684ff1ce24114803d026

SHA512
dfd96ca6df63137379f9e75dbc6da6b192fce5b95d437f8b4f6cf1260e75bb95511f25d73a55424375ce72916b1b0abbb14f69425ccefcdd5ecd1f963e6d0ef5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
27ca3d448f60a4f588b7d21f8a21efde

SHA1
0d46c3f2beda8932101057146f02cdb700ae1de3

SHA256
de3655a9dbf6cd0bb6309125629b563a3016f694209b4bb03ecb28bcfb4e6e1b

SHA512
864678dc90bcb2860b4185e2a4eb528a9e51dba802272e17aecfc448fa226c0bd94dfd7ee55398da2fe996fb2e6a65add28d9e20f1fc834db708fb011a15e9fe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9023b3804b698c0dbf4a0eb16f275b32

SHA1
18d77c5112328d8c3f91de12ca6e27c1f86811f7

SHA256
7ff115025bc4d2ecfda52b1e6cc9a4295c40dbc431939a8ce2876e028a935010

SHA512
a44628d603309ac4cd54d2fd5c65a26eb263ed353a7b59da01457e292dd73a5f5376f5fabdab6faefa49ffe17fbf8977f0faf2b6c485b9c065bd4acccf4c7f5f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d75857e20420d25c867c00bc59cd1d3f

SHA1
3ecb864f40066072ea33d0c242ead7c37077586c

SHA256
4f22c5aadbe8690a76531b8ecdc3e1d73e42a7f76ccb4ff63696832d822971df

SHA512
708bb0d857fa36508b5ca6962196cf975bda89cbd48d42b24cf8a4250ea4bcbfb4b5a1cfcd8e95f52edc5cfbc77d6127fcf21ec91144aea340ffe5c1d9a19209

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fc61e99de6c4e856321fcff6af265eeb

SHA1
9425035a92a54479a382984f4430571315bf4e88

SHA256
7800afe224848d476db385b3a45abfba097c3ee35e95920a7cd866ac2be90f9d

SHA512
6cf4cdb97d9ce5262a3da923fef49a56941dd539ef1c742d77b8c85ad6bf72464a8ab30f74c5d60f9aabdd378931e180f4bbebe9d4edb7373c7d6aed8cecd35c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dfc74257e70e0886a99bc4ef2a0ad124

SHA1
e8a643aa20b34fbc63da02a5bd703535c03b6679

SHA256
46a7cbbc06ec66335fd49263c114b3637b4066f0cc020aaee7130f652593596e

SHA512
e4b9841ad1faa4d5df6f1243778982477d701a5173249f8cd73ddf408535f62127eb867efbd7833f0afbd5ed683636971c138df45e4f43ce167d7a185965deb6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
14981dc1081c9209b6dd426ac4038438

SHA1
5cd56a2b25cd945e9076ed3a2bf10a7ee806c3cb

SHA256
66c4d40477b331ed43c1f74118e1a92312c0ece41dde19bdd31b44222da2508b

SHA512
bdfa847237496406e90ac190737121374856fd567e5b25ee99a3482ec36f5c9159039b4a955da111f5eb707cbba52099694b5a4076918728bf56323ca4c0ebc2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9aaf5ccfdd0740d9465932edd8cfadb0

SHA1
68f7b3e7077993da2083e20656b2b623528142d6

SHA256
5e6ffef507039718e4ad6fe0b80fdf5024085c73249c26515ee22176797310b1

SHA512
59679a85fd33f47e8459cbce2b87896c36e023c31f1ec1e4eaae5f5904269d2d7698d922431ae8ce5b0b22e872eec69cb298741a8116c915e9d7b88fa454f2e7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8c7113fe7e98d1e56156d775a91dbc53

SHA1
720d8bfb78cd42e0a2db7bafb90502d4c3c89981

SHA256
221cbfca6d65105df753740e6e55607f37c60e8a41f57c0b378d93d2f6116f28

SHA512
ca0d00be9a997027995f51c3648dd0617544b5c4cdc1164a3d2e500a7fec2314ba7bd42e67099dd5c31db0bc9200a40cac11deeac667f569897645bb45b0b444

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e81acffdaed86c6723f7c67cbf76608

SHA1
52c60b5b787672104227b5ded233bb467fd339b8

SHA256
f5923d22ac8f2eef49f345eba82a1282f0d9acb7213a29ec3104c9e30495ade5

SHA512
ee6cf09051209011a2ece63c6341be13ae71d949df0d1e785c71ce1310c091bf27211da345345b848d5bc0bb24b6290a4cfdc1c1ce2fcf307b5685c2b1556714

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8d3d48c60b1689fd0132296083e92203

SHA1
bf8aa6fc28015953a09d3e753479fb77928e54a7

SHA256
7b827195e6429e9c7aab7352576d5f010541696b3e377248b23d0975a0103a94

SHA512
4aa5b168bda667f239725d3fee58e718dc303a525b6ca83e86aae5f86ac72e5f673f7749ac1d09262402039b8ca67fd6618fa8b448d39442305cce471aea4382

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8ac51099d587d842cd681f73f2416f52

SHA1
6643eb0cd30afff76d58c06cefd4e40e09596c28

SHA256
451141c0a50da1cf485ed1f4e0cb48e4738cf87414cd3eabfcfbcc13600d3719

SHA512
9274e256617d65f43d3c344b197beff9e57f9deced19e7dea6b87142129f29a25fcd0e59464ee25296c9b1639fe3434f75b3d8a6461a7055bee2b7247fe3935e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3fd3dac4101c2e524251c5b68da22952

SHA1
4e94a0b6dbdf58955a5169091495c1dd899e5a7b

SHA256
6cc309f06d33d55bfc531f3f86c7d17e093b823f292e9bf0f048fd444bd5087b

SHA512
41ab0a57a1b62c825d18254989f76e37e74e148f078aca4d8eeab70166d7255a5568a7289b94d1148b50580ee5a19deae123ca3a85f05773a1778d8a4632de81

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
67b35c87e93d5cd196d9f8f068c1552e

SHA1
dd0c066ede4d67e65fcb5b03e8372aa0a9a073a3

SHA256
85ac6d86500fb929c6d031aeee64cc1a87588a9a882d6bdb7cf6d7ad28e90bb1

SHA512
7279b5a2974206331a1a65f83938291c84ca2a76a3cbd2d233df76b5555d5035c7b644355f6bb3156ccdfda4b858c47df04bb58aa154db6bb5cd2af5c20b8d5c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d12d5c62809f9442ed734323459c69cf

SHA1
42ca8d29758f83f9afc9d410e85fadc531c42996

SHA256
5c847e8531ec864dca106b1de199d64b3422060e088818ae242cdf3550ba95c6

SHA512
0310216de961e22cf12a0791014f4495585d5063658b7574508a27d195e41d1001b1220932ddce2a74633174dc1d673960434c37434cc070a27022a965fd2b54

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d5cb657ab57622040ef220d0be2cd163

SHA1
37c07d352e2520b0241a139d1d2264bc9732b090

SHA256
d0e4d9b2e99b2ab630f40d1d85affc48ee366ffb3e9d10ad69b994d7fe89231e

SHA512
369a7b196db33fa99f81f9616cea28705742e8ccb5182c026118e2ed1a3e2b94734dd4e976755fb3a27fa832c4cae69d4f871eebb8df6cb40258f0bc95735781

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
db0ea6df40026fd0f9fcab625aed9856

SHA1
ac6c1ec725c247051bcf885877e6388b2df6abb5

SHA256
426167d4b49e6ed8435068f24964452c774fd578a2de80ce918724cc3cdeb484

SHA512
18ba4660b5f9e3201c03db8b6df97767a04a3161201cb34f049579857329b2f31df07ca96a8d26a1320a68e1d457b0d5bf5e85e47a8772b7467c040538130842

Download Submit
memory/376-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/376-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/652-43-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/652-44-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/652-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/652-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/820-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/820-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/820-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/820-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1196-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1196-260-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1196-267-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1196-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1372-521-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1372-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1492-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1492-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1956-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1964-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1964-70-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1964-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1964-67-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/1964-59-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2144-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2344-272-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/2344-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2528-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2528-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2644-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2672-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2672-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2672-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2672-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2672-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2848-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2848-524-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3088-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3088-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3112-0-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3112-35-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3112-7-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/3112-2-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/3608-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3608-518-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4020-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4020-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4240-522-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4240-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4372-466-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4372-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4552-517-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4552-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4832-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4832-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5072-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download