c4a2f6128dcd42cc9d79b0b2b01efaa12642ba082576f09ada525b5404ca2d2d

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
Size

1.2MB
MD5

ea6a4b140a392e0652eb296a65f718e0
SHA1

d01aac3ea3b3743b168c400d21da212978f80104
SHA256

c4a2f6128dcd42cc9d79b0b2b01efaa12642ba082576f09ada525b5404ca2d2d
SHA512

8b9838ea4a399c3bd35033c090395ff5a7f772b0a0f29c1e4d1eb9accf61f8b6839703bfbf5331204415810752e802eb898b644a7d992bf3f43e77e98c4d7f61
SSDEEP

12288:Q2F+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:dFUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4516	alg.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
1864	fxssvc.exe
2084	elevation_service.exe
3980	elevation_service.exe
3196	maintenanceservice.exe
372	msdtc.exe
1520	OSE.EXE
2300	PerceptionSimulationService.exe
3540	perfhost.exe
4780	locator.exe
3984	SensorDataService.exe
60	snmptrap.exe
2744	spectrum.exe
4852	ssh-agent.exe
1408	TieringEngineService.exe
4744	AgentService.exe
3308	vds.exe
3752	vssvc.exe
1852	wbengine.exe
4548	WmiApSrv.exe
4420	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca9311b8beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7583c754ca8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1b8c56e4ca8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec9337754ca8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0c6ae6d4ca8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fcdb96e4ca8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe
2036	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4496	ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1864	fxssvc.exe
Token: SeRestorePrivilege	1408	TieringEngineService.exe
Token: SeManageVolumePrivilege	1408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4744	AgentService.exe
Token: SeBackupPrivilege	3752	vssvc.exe
Token: SeRestorePrivilege	3752	vssvc.exe
Token: SeAuditPrivilege	3752	vssvc.exe
Token: SeBackupPrivilege	1852	wbengine.exe
Token: SeRestorePrivilege	1852	wbengine.exe
Token: SeSecurityPrivilege	1852	wbengine.exe
Token: 33	4420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	2036	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 540	4420	SearchIndexer.exe	116
PID 4420 wrote to memory of 540	4420	SearchIndexer.exe	116
PID 4420 wrote to memory of 3252	4420	SearchIndexer.exe	117
PID 4420 wrote to memory of 3252	4420	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ea6a4b140a392e0652eb296a65f718e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:372

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2744

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:540
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
15113d25c982cd5178b621739e4733f8

SHA1
617148cc8544ea32fc0b9d67fd3e76c6af3e0f02

SHA256
0b3b4f21976e080594d0187a536a2acfe863237d47a4835a9caffe7db83d98e1

SHA512
085fc26490bb5c855fb2d0cf67456894f4fecac5bc6fa69fc344121a6e379ba6a3a9e32693b0262c652a4a6f6f9c4683e818d5e1884f1f511be0e5316538b7b5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b6abebe0e63718e0f8c6d55bbad975dd

SHA1
8218377b8ef9cd0bce0b979bed952cc0baba774c

SHA256
23819e70a4813e368c66d8c3d8aaeebd3456f48fd94fdb59d919717ca11778b0

SHA512
5f75fa3612932cbda2c85ce562ac738543af89b29eaffce49b17a1294831392beca2a60b655a3cc08e84f185226d7e7402005e0f27a80ac8bbc5d6be7490e489

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a5149169b7c281a0ea530076a98a2470

SHA1
7ec326195e80f7823e1097eaf2a0228126543503

SHA256
dcebfdd0cdacd30d866ff01c346db85197d4e9e0d88f250fa88ce6be1d66f436

SHA512
0fe7a247ab2560ad1ca8928eda5e76c61eed06324f4437b82e47adfe383bedbc5697d4d61125578b6c527226d31b32ab2ce1fceac6fbf8eef1f758f9bbabc54d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d14f4cbd034b57c2e827bd5831e8144

SHA1
38ae5614cce264f0fa08518dd595523e27a926bd

SHA256
1a79a88d685925344353cbae62c2ea59177b4740ec27baa5ddda125348cd9036

SHA512
a781b079b5950edecb1d1a1b5e9dea8b1761c3b045aa93933af2d9459f844e5aa0e12a25d47bc2caa289789a7ea1cfde731780be50bfd302b096f104bc2c434f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c3fe6e1e59564b5d816ddd1d1afe02e2

SHA1
51c80c77ce6b2054282408659c498467649f4b2c

SHA256
1a6bf9af78bc6c41cecf2c2f0ea64786d04a30a1435898a1cea0631397d28b5a

SHA512
1c971f5e2e0d10a4d93736e8ee0f0593009fff23dce25af6df36b629cd61ce4f29e9864f7e7e4d3156a9d68b2864443720b5df9d007ac6a4e1c430cd95260499

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7c251c846f5e687e49fb78fef0e432ec

SHA1
9d133a8faf93b3181c402091ef051f4aedbbebfb

SHA256
a632305dfbdc2da2b77dffdb8d3cf6ababb620a2ca4af40cb1070b76169b7bda

SHA512
8a2f6db136a1fb01b17dfc8bc8996534e3ecfd9203f575de59df9359638da1f61d3494795f69636395a18324e30bcde23e0e7e6189cc728b410ef8278ff07ace

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3f86997ec924f37a42a32ab604a91b17

SHA1
957c07646a91f11c34dc1b1e993e993684ee7156

SHA256
04ddb0e834afc9776655f62033a5d299be7b4e166829d2f4f37718b5ecea04b6

SHA512
6c25ef007c7a2614806d7b537e56ca3ab6481208dcdc1bbeffc72a1e705bba8c7b9414cfa7aefe248bfba7c4f9c745e312d77b4288290019d133941a13854ef6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e31a3a8404101c634351ea3668f6a9a4

SHA1
bc92ce757df50ac2e3ec9c52f7203153dcbd8008

SHA256
24dfa265de2f4be0e2bc7236136ec62362fb643df4f6773f24699a33e4625c52

SHA512
759b57631153081f42454aeb14f82a5d9bc1e0949511f401f7c0900e35d0cf882aab5d4328487085531ef41a599430a7656c8e676c78d115b38d06a974942085

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9cbe8309e4bed6643d9aff9b63fd70a0

SHA1
485939691c13b11f892a773d7c2efd05747d1773

SHA256
2c960cf40c5acb8a6dfdc155ae0d019d66d4fda6e311600899e2a9657d7dee22

SHA512
07f950b8f3a08788db47d171ce4b94c42461a949c4b9374e0172733c2114c7bdb46196f1800d93343103e3dd0f1dcc1ff61b6083aa0ad07321fb451aaf376f9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d4c5a2fcf8d5ab43ed3f8318ce14e012

SHA1
ce6f9147d04b24f9c4367a5309ac30bdf7053be5

SHA256
7d880a47d0007ff2dd334e848b9e520e14a8491712e97a2bad1d868d00c41468

SHA512
95747e873663ab54e4489ecaddbdc821bbd43a80f9a7c45fb28ddb48a7c2acaad4bb2305544d8bf9da26339bad6070ae900ed899cb7c9de037d8c6823531da50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0e2579d5c8e5a11251e27dbd8c19172c

SHA1
948cabf7d7ef2fa9be0bf20fb245af57aa3a3a0e

SHA256
14bf09094b3486808d86eb6ae1cc1ad11006ae11fcc39216ae577c49a2beb6d4

SHA512
c802d590b8aedc5cc244349bfb57aa26fbf1e7b93b190932e8e5051165b2bb1fee65d34b53456da5242b01987888625bd1958843c0598e12938972d954980392

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
229356de9107744ff818f0eafc179532

SHA1
e97f161a0abd29adceeb76f490c95b9c386c4802

SHA256
da7e64ae5ca143c56fe0f72bf640421cbbcaa5492b8f6d607e2e5e9a40271462

SHA512
d5d7eeba73b15980b750e9cda406fa92863a87e060a3a9b751c458d16f5828bb1f9f469387f73dddc8ba9dc7eb5d6236d47af411b99c8d6b98f2a5fef19290ab

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2cbabf5db2ed94aaba058c2872d0c4f6

SHA1
af8139c92345cecf1a7b1542ae710ca642a00e25

SHA256
d4a142616039580331da22c109e37f7650d4796496ada5d628e35b012c0846d2

SHA512
5c6bf18058092aa06e732b00691443a90b26b7ec8df7eb84b7d59f387b414b78e24808b12bf5f2ba59da8eeddd092b4ea5c848cec446a894539b9e7cefa417ee

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0118d9b5f1dbb9eac1084aadbbde188c

SHA1
c42618dc67a06c03dde1086a62e7c3376a3c9418

SHA256
b58f8774e2358f419490e635ed8004895bf7b505561ad8b1fb8251194d2b80dd

SHA512
81f8978519ce376b7a19881a13a9bb0586b046fd4c998836efb59b113e660aa5832177b70d6854637a38105e98a873f0570250275849e66bdb19516572df5267

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
603b33bfe9aa891fc51478d1b4879f9c

SHA1
1531bf9333a94c72c740dbccbf599df6950681fd

SHA256
32f6ebeded9f0f832e35df46ae82ba2e8bd67ebb2c6cfdb80d46212a6449d1d5

SHA512
a301f0f10911918503629d2a3f97977ab25cfe88b550a998328c344eb2bb61e4689cee8099169619155068ddf6e3e8cfb0f848f849d5428f4ce84d2668aa9f95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0c5bddc61fdfe9156797b6aeeec96544

SHA1
4fbc5732c409f0a40a7f9743763ab18c800693b2

SHA256
47e24f14105fd79afdc70584b8224ce6ea64dc0eb567ff53ec98462e39343d72

SHA512
83a622ab5ca7d7cb2f429564208b7257f68cfff1cf294414f36a5a554d48293c17c64c872e6c807a047191db72b1b603e5be7a9f31812e3065fef02d08052062

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
826b09315e10f9cdce4e38d284814060

SHA1
01fb384a7fb6df438981cab895737466bab19ecf

SHA256
066d6cd4bbb9fbdd770731a089381dd3ed0e8b3df52b7960e1ac9a0019aa8625

SHA512
864b44d7c32eed0a13cefe2c20b31899c55bb4f1c182c4d15690ec3ea6b7eba51e0b6ce464f2994064dbf90f557eb99aa1eeb0550ac40dba38e930983071ee3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d07a7fc625c61a6f74cf12e9122c2ebd

SHA1
a05f7f07fa1636f7cf4f8788cca3aee7d58ece96

SHA256
41230f615cf28f672b7ce28bdf4d51839b9e79c9a0667048b59153136949b257

SHA512
673e36f8561212ba7d4e139b9d607b323a01e854d00c016a83dd35f8f02c119e335ff92734a1c2a2ec4e0da4ea7926070dcf9160e226a74ff5bc4ed85977cb64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d50c895c3a080d04a00550782fd20594

SHA1
c581df6b021983930a6d78320e2e010948c04d2b

SHA256
220355b7b0aff70a6151f069cb4e8727118cfae7caba70df849e0adf67b7dbc4

SHA512
9a1be3bf4827e28e0daa817d628bf395800029139d62a363fec7ad98c3ed8b0dea39c8f2d960c0dfd6fdba4d14c03c67164f590c086dd0551a0b6e8e7cbae8bb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
903548d8fd3c022730cbcdc8e0f9a0d6

SHA1
8961a966ba0c05ec3618cd119bc4d07c27be57eb

SHA256
6a0b1491b3d07a0011308e0b81ff5145a3c9d647dbe608062d815da586dea776

SHA512
d68056cfc30b0379400b40dca0c190feeadb34019625150dabacf2d8eca84ba520dee3172ff3bf96e6f9906edd6656f4a6b851689de6e058156c4cb913983df6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1cbe0d976d946c9d247391bbf46b9434

SHA1
28793a2dac550a7fc9dd960a6a26f77736383e51

SHA256
d62cddf4c1f607b4f646ab01357b9d64ef99a133f012078badc90af12b225a8a

SHA512
4ae002a916817b004581474829eab2fbe62f176dfd21d56f3033d251b89e2db636f37ca3831657bd353548277abecc64f9002f8c93af464dfa5e0d63498c5a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9730587fa8853579d67b36eecbb7eddb

SHA1
5cab079812404de60988686d25f7d36f56d98f9e

SHA256
3b399ffce82181999cdda579ca49723c4854f5296a13e4928bc4c7adf6e6e590

SHA512
6ef9fbc802b26d751b671e11c075e269f43ec8b3488b3145883a833a696f3967cedb19b3e5164c3a04d238c05b6de60af748ea38114db78ddf315fa135261c41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
98f3d239b7fc9f7ca83be3a3bcc1f17a

SHA1
c1e3bff74a968a89d26905de782e1c224af5be51

SHA256
48d9d149846b3b2bafa0e1fee7c3388b79cb444548b855ed7f61de5c5ceaa5f0

SHA512
30e837326df4af9ec43ce3514cfa7fee6a12efd6595ea6506786a0ec2ec354619077d4b051fd2bbae4406df8ff98b3c42962549a748cd09559ced6ba6f1ad05e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2d4074602752d4a69a484c3c12929d86

SHA1
249cd352e55f173788e055ca04f07a966c1f5767

SHA256
53eeafd21edda928f1bcf4335ce5f9ff429bb26334115e3637d05f752900d1d0

SHA512
ad8e1c8f2247bf490191e33f3edd8572f539810c886c249b5451556252ebda9a3aa2498c73c2e3a5b4c70ebdd4c1e5cef46665d5c793f06c138b37969f72fe7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d13790e9931a88ea27dccedbd5acffaa

SHA1
9cdbe097ec8b4baf1fd13e2987d496bc02ebfbc5

SHA256
1527a317d256e363ee6cb0e66acf58f40b1dc1dea975be6a6317b8c07e04037d

SHA512
697d86937130e34d22ba039a0a2444bf24921f440d0a2e736453f99d5b8304a90a1784fe957315d565dfedd83266bf8ce7a9b781b3a20a1c402dc97f7bfb33f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ea5000158339076f285d76a4157599ad

SHA1
280af36705b015b8a52a0a872b95f91912e0a712

SHA256
31bca62b4de8e6789377c97b7104045fc6878c5eeeffb7012c3024cfbfa131e5

SHA512
4b9a058ccab82057d0fd28ede69b55468bceee438432e39a89c3b203dcae2475f828c0a72770ecce3a4294b09b502a8922a696dddc829560d6c35973686cccd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
9844dddacfa31a22287533d546bd5fe5

SHA1
6130c497966bccabdc8d2c858b65db35a3955307

SHA256
e4a8e5db06118815f6b7e1865c5c81209cf97a9af370ff657fa82d9c98f5104c

SHA512
e2ba1d289111ddcda79c5c3309eaa657cc2cdc0bcf813cf14daa7b4ac25dbf07806e4dfbe0b54fa39b1de0ce97278c1adbb56cd42546b061a3f1c755ac6e2b2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
eec39c62c821c78c4b291130e6932394

SHA1
796c00698b32253dab4c440ec28178639b78664d

SHA256
e952eeb6508a339962a9374bf7bc8b167aa34d383495d057ffde66a3d769d9d2

SHA512
a0cfabd5359923902ab6fd487fad01da85c7688ac216f710ace6e174779bf210e4e68a36e45c83e5a469dc8c5e9ec779c09cde88de88d983c27274ebe6c98e17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4f917167652bed40637acad94fa22c1d

SHA1
7b10dc29d37636fb6440c1fefd5bb422b2a542bc

SHA256
33947025e8c7ccdf712371ee9c4a37badb991286fc9d1d00bd66a3c7c4af1be7

SHA512
81e220f60d5f9256ac039b94ea78fa7356be5d63a6b5f7cc7f53ea33c22de3a1e1642f9a55751a78fc84019cef35a83aff6003c1ebfda8e9331632570dafb18f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fe0dae564ecf20c1463076ca8bbba907

SHA1
c03121b199dac097ca3985cc1608b981bb7195fc

SHA256
00baee8962fd077b281286828a0c6e88a36d02a14fbade93f1f598b77aab37c4

SHA512
800d0724a3ffe78291ea9d2d598badc9a9a2b8b88a3f9803243b456501684d13db301f7d9c115ae7b4fc09dcd424ba7c14eaa87d32561c58070236950bfe4dbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c53a2589944cdad3fd08a15701204a4d

SHA1
5d579109f26514470117907305c717b1b406be94

SHA256
0774953dbc9c19f13f7d2aeadc3611600c2cd65ffb905cab3a49050655ebbf74

SHA512
3c02e1fb3ed7d765f85a1be0d5ff362a38b4b26593aadda89f7b457d00c2964905946f13303ebbdf510e0c3c6f43f815ff9e724fb84c50009bbf92260f0dad29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9d8f058ef1de53df93a4f0617026cb40

SHA1
2910938cbc18203d8b981c37852cf4d10b753373

SHA256
b819b44d9590878bb35cc64a6cb5d038d119b015ab025dd94abe434b9d53bf68

SHA512
7e33a6c3d2104791def1f5fc3c068a46cc26d3bad00ee5b7c1f6afe41513411b14791369f6da9c3eb2f95512cd05670935743ec555949320956496a1353ca504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a4e6307ac0090c4c4618170364d3d22a

SHA1
67e9f5b464f996dad5e2c1bf785d223d7120817d

SHA256
28bfb57701682ee1a3469621ab0ac0ca97f74dc2330e3915bd8a95cb9cf697e6

SHA512
360ed223bb2cec7626f054cac146ee54f5107d7f87fa2d343eca83fa752a7ae8ce4366d037c926c5cce3cf7e57beeec39fe0c39712a8608ccc80aac2c4120a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4e9fd5e18f16c6b5d614b456508aa3de

SHA1
4f34f475bcdaea49f77368da34dd23ad821841f6

SHA256
ea3a2e4ad231ebb09b2b33c42dc0bdef0e118a3b31890750e7b8140a370b98ca

SHA512
05f52a80a14d20ac7e1621d0ca1103b45e38c31111da92b5aa0055467eca388f46c2e170e606d685bf2ed79fc108ceb06b016ac31d3018cc474113feb4423470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
e7038a0477766af0acf8d8e3044fbeac

SHA1
fe6fbedc460eecc6b6b3bf40af5f416abdff656f

SHA256
4448c46882f426c2b6410232a092938539a528f4783ddc78d19224f0c51972b0

SHA512
d145dc1763312af540b33e2069db8f3529aefb96efbc172783606b6bcf4033044aa8fbde299f9858a2616e5bffd4c313a1dd172c6afe428a7cceb8805c16807f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7a549f9e1908be66a6d5eab3880ed0d3

SHA1
b686acad701d37c68eae6f4b97d8069ed0404455

SHA256
062ae4e0c2eb2e0748d2282e731ff7cdda0a853f24943f6e3abe458bd83a536f

SHA512
1253f610120790b6b47c2fe2f67c5798d05b821cb8a32ac2da60252072ebf17dc34f04eb0ffb30693acfcb272371818ac40ed7b6b8a64a4c48a7ab15c44ff7c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d6022c8923d0a73a90e849734c0cbda1

SHA1
d8c61cd0609a61408fd42b20a68c13e33d5ce849

SHA256
640caf9ed45fc7e186bc4ef48ccaac314cd8ac677621753a597c59c87f01f0b6

SHA512
ce3f657c060e46e8629329d73bb2954ad4013b20d296a197b51cde150b6c1d4966ea44b4ed00c9c5cb2e9082a9ed7063376884565c9880de81f4344d36226e47

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a42e3449d55fe8fec4772245688cad31

SHA1
07dc060290be7a112ed333243041f62322c404e9

SHA256
723401c24f4ba16f8505f4fb7bcebdf31cb362947f63a705a126bf3a5cf44317

SHA512
64178e88baf68617d724da9b74ce57b187406d58ea1d6fcf1d21683700a83f31ed7cb931c5a50c8cc165101ca57aac6ec62006f95854fa1ed16487b61f45485d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
10cd2ff791d37fe56413c140ecda67ec

SHA1
f4629704d2b413b5359f3818afd2cde6fc00f072

SHA256
aaa863e1e7cb3cdb09ea3fd64e1a3188ee53dbd2efb5f5866acd66ed1981eb40

SHA512
0ca923d273d9496316ff8284fdc15811480d5a34432e4ee06801d54646295d346f103262cb0ce806ed031fc0d4e618eaa04a4271ab9bcc67abb09a4a5dca950c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9f4a94c3a068eb97d5525f74865d2766

SHA1
5192ffe96cddb3af3f5da4b112e773ed625a0526

SHA256
f860eb831d7004c31a38fdf0ad7747253af2cc468602f5130b8b27cd00199a57

SHA512
2f9ba1ac2396a9397bdd8e2f7e14e617bb60c82ff167e21c194074e88f623e0b9fac697f00778d828318f38e0d27613020ff13e7743c714d6bd94ca416b27bb5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f4f8304f503dee2a50af3a947368d9ac

SHA1
8ea7eba902c2d23504e9c380c8d13dc0a8aa5e0e

SHA256
f51c98afdd69f99a874ac477c059927349cda5baaedfc210b4a0dc2c6c03b3ec

SHA512
6c0d1716bc5e9e6edb5a61fa28619d3fd34dbeaf9a5af679919d4e9b1a688ef107488de2693dc52413d0a527dc52b287be6f2805a749f25b726bc0a38ee3b29e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
58b3723b482ce2a2c4421ed40ed704ee

SHA1
ad904ee7eee770f940e82465b30df5121d372884

SHA256
4eacfa13b9825f6583c6c2d83d093f9d611c7d0f75d9982fe50855d89c5b4193

SHA512
3e7b9f5c8e3f5b2b4539018f1b5b6863bd219403088400fec49bbfd0bb3756a3cb399fa705ad91298669a243d32f59f4a8bba3e4324840a60a4242eaa53ab0c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e126afc722bd1669068ff4c3a4c75a59

SHA1
53df90697adf3f8dd9047a174a7e45c1393d7423

SHA256
4b0549341ad9a849ef4852daad71145753e99677a3d0e7baf34f408806d9ead6

SHA512
4b7241f3448d341fc8a0e5acfe9dc364b6f7caf2670e2fe78f3d9e2dc668b4bf0eca04f67fc4438dfcbb1e62aeab17ac05f757281d53c56eb14f49bc082aac6b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
91071f42a362364ce3510b07fb732f47

SHA1
60fba5aff8d41f0a24a44326a4b6cea5c83eca60

SHA256
575de7ebb252364e9a19e4c15b5aeb069f7fb40362e7ddff79b6d6313c5af997

SHA512
5d15f9d497c3f5b35adcedcfc34544c12c02de9185aab7f97cd07e5a1f82b765779b717c0695f6188f36ce43b4490ca4246eaa42b723b3f2079ea1e6fe011702

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1201bc4fd73943323df9c8a0fe39b5c6

SHA1
e680f01c47f5c475af5486b3f1202326c93533da

SHA256
10b569de620d8f65297943330be661cb817a61e0bbaecd8668aa59f95df9460f

SHA512
07741978a992f1ce1ff7a041cce34c4d23753156ba8e6ab4891db5c37910272411e1e8a8c3d33c36af5444c3bcd9f0e337974a6b446c97e09a432d16bc0935d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0a45374fb9b3ba44cd5e1ca6d8df943d

SHA1
34dd08ba6bd99a6cc136616388cc3b844a5d9d70

SHA256
e7666b96b15344af92246de1c79a7450e5c90a06d582c4a3b3783004fd3e8c2d

SHA512
b1fd9f5dba988f9efeae50d79cd99399a615fe8fa025d238e9e7eef0c1ab3cf7d3400d8937952504d387e3011d746e9308d3277364929c2f0fa21822ad7109bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
598689b3ba01f41117cdc4493ac1e897

SHA1
48f0c5c22d3ab4b09ca4edaeb5a05a273567584d

SHA256
4ee1aa8913c8cd46130abda1872e0d25f36746eecdd9aae8c4fd35787c915354

SHA512
51502e76fef26786b9df603c41180cd15864687ab9f214539e26b9cc52ca1742606890debc9c21d9b502da806aa133af8aafcffc7e24041de65aaf210c91713c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bbb8c6481a7c1032183ebc8c3c9b90ae

SHA1
102f22ec944fb4f788d98e1482beb4b2e3e04fc2

SHA256
50b73daf73458a7e8eaf1f77dbf751be2dbae64d58d55cbc64c0e7a4f5c30b5f

SHA512
71e6cb0c1e9046ed7d32f2e84cb02faa3e13c09f9d9b7bc05d4cb3cd5fcdacdb21970898acbe4c185a5fa451d084ec9635593366d162f09bd28c083172e0dd5f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
df1811fcb53a24b2f438d938addb173c

SHA1
65fb846195be353c62a6b150b2c28b6f4039fcdc

SHA256
03fc0f7ff0fcd7f27c344f39de8331443b85c867299f6ccf74b84af214dce2fb

SHA512
e218b24e18f1bbe761ebdc0907f54250423f0d4bb84518b65e6974b17f43277cd9af3065df094b2ac385dc2425cebef706668f3a8ecd70326b6e558cbe65fcd6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
52cf3a1190950231dc79b3e84000cd9c

SHA1
f30620e7b9a84634197871b27a80ca90fc055d3c

SHA256
3f9c0c5ee6ef783dadd443a44083abdc5cc308a3da6a233d24932af273960dd2

SHA512
5c1356f9342193b6752affbdb521cc32cc43849987b50751b9fdaa566c5fce2e9acb450d7c4863cd30addc5c373d147ce3c8e56ed78b03686405011b0c7e7afe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
adf956664753607f6cb75a71c9b0cba7

SHA1
b569493d726e12d503f8cce90edbb8cbf6e36a7a

SHA256
db3a1e9818cac6f7e5db216fc042815a44e5f18ef0e95ba09c6f1e303d128536

SHA512
e47e97e62f0e7d57c0b0f706cfb2e206fc0509ea2cef8eeab12ecf96913458d3b495531c1f28026ad52c8973ac6d1e19bfa5d6e03f9d0e94419a316c3cfbe697

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8928e58d73fa67cd63ef91f2fa9a8d34

SHA1
5bab05fa4d6bed384e328c3f4799aaca3d62080d

SHA256
8020978a71b59cb5a1bdc9e93faf21725f651f119d3184b19308e58dce5f2edb

SHA512
798b27b91ea00392a7e8bb9b39265c51878425f09b3d6f7ceaf65937d9d2cf47129e5c081f7efb9c8968ca27dbc9c7ff0d2e2db5ef6622df5dfc3c1d64b876b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6a50455d1c433a4bc72a4e7e95d73d34

SHA1
4570a7b8ab1173292260d77d4c697a86c4041051

SHA256
d1bc7aad32a4fc99e9b3972f781bbfea11426965b37f745988b46267d8cda2ff

SHA512
6922afca71ae9352659f3fdf8698fc0a1b5c84c81dd680f525c9e2288808216f4146d5e1c37b17999e459e50f2ab385bfc24ffa30769230ba830b7599b89e9af

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6f587662bb0d0a73f17c6021e83c6b4d

SHA1
84ae95949ae294a3cfa444d17fe5a12f249af210

SHA256
286908c2734da570a003710c890a3fc79da08c6657bd40d00d18ec16bdb088b7

SHA512
c2cb89940904ac919d93c283a6ee673804b5629e2719e7bffc92ef302a355dd87c2bf842d280929eb09b03e684f66c48591a812a3374ab2c3542cdc4ba5c9a27

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
57b5acc27fbe787ca9e4d84b9abfabcf

SHA1
5d4ef6ff3a3622f35db7668eed10bd5099a2ceb6

SHA256
464a9a6450cc34690777332cadb587d9929a1829d600539c1791d35d66854c6a

SHA512
7f6961912df52312651bd0113241e8fb25740cebccc7ceb24e93dcc914e350e2a2ae60bf54e5d6f7b5e461e30ec3d1a828768bb8b5dd94be671addb6b73f2f4a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
612ab202f5c6796141b1b84df3f7d3a3

SHA1
3774f97fb9b96a5f7d8030c84d040c491bee2de6

SHA256
84427168a1c527ba6e047dbcd47df09e0e2c69dbd7f0761b9869379f18676839

SHA512
004350c912fc0d76235001a74974d01afe4fd660e262ad14824bbd0b870d37c8825ab271fa55849473fc418f481060da576af37f08ce4406d2510532b7c9bfbe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0aa631671c1b8e39ae89b31a41f6e2c5

SHA1
1a85c30a4623caa9d35433a9818ae49d63789af1

SHA256
a7ce9e40b42f9df1fc3b01a26a0ab4567f1e2a05c50616ddb58d782aa7f4cab2

SHA512
660cd18bc66c5ae07feddf54dfd3f5ae4e479152ab9e534cf1b8899dabedae20ca8d9654738f088069bf735dac7d83cfc6e011a01529ca8e52eb40280e62e20d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1d3d1b9291fa4284d2018f798b50f655

SHA1
63624c5a688e5ec054875db39e2b3f19fb709e07

SHA256
a60ee3dec8fe462773ac3c2421e6abc28c893e3051fa7b2805c87616b931d5f7

SHA512
0aadc8b8eada42407061bbb10ff2c59e1c3d59307b4949a167f26df522f57244e39f17006e3053999d19d005c5c52fa084ab8c1a8f558e4b1f690d63619c9d64

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
9635a194fe9657ef7665ef88174a8ea8

SHA1
99edff2331a5d2fa811bbc375e5a8725830c664f

SHA256
dba57c6d7b08787cbe64fe9a0d2b19bf9095770442f6cc92d9f2de961873ec54

SHA512
f0c4e34bf78675024ca6b73db98dc4e6e5572adf5ef145528924f9025d2e964bbca2ddac286b46137e1eada73870987257d9a8a3161bd15a7fdc258b2e05155a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
2149432d10ba90e6f5773d3861d006d3

SHA1
baa9461d58d07920b887f360115805f7060559f8

SHA256
69681a44350e92453f3492f8fe97d5c7e53efba965be135caf4fc5ab90c1a93a

SHA512
2e836260dd2043e428478af8c849a15d4fe611f107f2a959453e6775e771a701b6f9c533acc41c9d377fe15c4f861ece237c38b853abb112191431fba98ca9df

Download Submit
memory/60-172-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/60-439-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/372-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/372-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/372-90-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1408-545-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1408-205-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1520-233-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1520-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1852-582-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1852-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1864-63-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1864-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1864-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1864-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1864-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2036-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2036-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2036-136-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2036-35-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2084-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2084-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2084-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2084-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2300-237-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2300-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2744-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2744-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3196-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3196-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3196-85-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3196-75-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3196-82-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3308-578-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3308-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3540-137-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3540-249-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3752-579-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3752-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3980-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3980-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3980-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3980-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3984-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4420-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4420-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4496-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4496-387-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4496-102-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/4516-128-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4516-18-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4516-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4516-19-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4516-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4548-270-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4548-583-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4744-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4780-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4780-261-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4852-196-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4852-544-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download