2999c160e8d8854eadc4291f9288af441caf0a9356ac216c3061dee5d63b776d

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
Size

659KB
MD5

34799d65e439e526b4a5109415efb840
SHA1

3f5963f04972600f0d6f893541f4b7f40f82610a
SHA256

2999c160e8d8854eadc4291f9288af441caf0a9356ac216c3061dee5d63b776d
SHA512

4bbe918e9c671a7b792532dd52668fbcb70c3ca040d873972e582e54b781ffda3621821aae48d1b90b77cea59ae054906764147befe5645a1243b1cd7bb0f134
SSDEEP

12288:6vsgfF9q56QfzRNKVNyK6EJVKaNFqYi5Oqn6NQUVfgyCdp+gcHWMT6hqsm:CBq5J9NwyKpJhLi57YSjc2M+5m

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
864	alg.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
1536	elevation_service.exe
1288	elevation_service.exe
404	maintenanceservice.exe
4820	OSE.EXE
1780	fxssvc.exe
1516	msdtc.exe
5020	PerceptionSimulationService.exe
4052	perfhost.exe
2064	locator.exe
1448	SensorDataService.exe
720	snmptrap.exe
2688	spectrum.exe
452	ssh-agent.exe
3960	TieringEngineService.exe
2956	AgentService.exe
3192	vds.exe
4508	vssvc.exe
3540	wbengine.exe
1464	WmiApSrv.exe
4356	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exemsdtc.exe34799d65e439e526b4a5109415efb840_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a37b432fbb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\SaveSuspend.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000548a964387acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ee0ea4287acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a91fb4287acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000992d184387acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f41d6d4487acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e06114387acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056a22d4387acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2532	DiagnosticsHub.StandardCollector.Service.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
2532	DiagnosticsHub.StandardCollector.Service.exe
1536	elevation_service.exe
1536	elevation_service.exe
1536	elevation_service.exe
1536	elevation_service.exe
1536	elevation_service.exe
1536	elevation_service.exe
1536	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

34799d65e439e526b4a5109415efb840_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1376	34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
Token: SeDebugPrivilege	2532	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1536	elevation_service.exe
Token: SeAuditPrivilege	1780	fxssvc.exe
Token: SeRestorePrivilege	3960	TieringEngineService.exe
Token: SeManageVolumePrivilege	3960	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2956	AgentService.exe
Token: SeBackupPrivilege	3540	wbengine.exe
Token: SeRestorePrivilege	3540	wbengine.exe
Token: SeSecurityPrivilege	3540	wbengine.exe
Token: 33	4356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeDebugPrivilege	1536	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4356 wrote to memory of 4336	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 4336	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 2948	4356	SearchIndexer.exe	SearchFilterHost.exe
PID 4356 wrote to memory of 2948	4356	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34799d65e439e526b4a5109415efb840_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:404

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3928

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1448

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4336

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
39d9fed281e06a7517c4c3fea500a26b

SHA1
24d2b0d84a4f59a78d0321defad3b12b3f02a10d

SHA256
2490cebacf28193680356ef86da1ad045e3899fa52506d02a511ac011d033a94

SHA512
71ff9f01f392496955164546563f0eb6206de201e5c89543694184df3cc03f35cd5e4dbb0f3955f0c3c54d3be7946111d079520a922be18b32065f30810b8a68

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
96c65eacab3eca00871fe2352bc9c55f

SHA1
6f148f58defe83e98798a5d8a8b8659faf8ff3b9

SHA256
985311ec213f2b85d3d7eb6a37313f5d773ca9bdd1c60489d6f3ed8ca0406af6

SHA512
2ae387bba32f150d50bd6eda7541255a99497c551ca14e4aea45a47c5dfdec724b0a8b150065033b36fc329914250354fb6bf6f3e40214aa54dba59fbe23d99b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f62f74b6c9dcc67656d4fe945fff3574

SHA1
6e696c96e97a426d4a0d06acf7329898dc66ce16

SHA256
e38b80526269d1a1ddb4ed40a74fddf0882a74a4de40a5ae9cb0e6f15a3eab96

SHA512
4226c649b305efd6401292a4571baba8910d39e3eb21635aabaa7ace676c63f21a0517753132af2df3f972e921f6e3810bf3ac4a0266f66851137f324d4cd3d4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2daee27e15a4f676838fad4bd530bc9b

SHA1
c45614a9b64942e2def782a784d0b8a48a4f7b2f

SHA256
c20ac6b45494d5c2e9ec7f9e23b3fd55ee5039e6a88d4b235c09658d0f6cd871

SHA512
90fd278bf4d22d6b0c776c7608f56c92386de4312b3de14e895cf731a98ce372595e364fb7d3f82e5bdc04f6cd95162672845dc57ba50b563dae6e2d67b92056

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8565feb0eea73d8c97fb99faba5388fb

SHA1
5f05d07bc889608635d1306ec1cf9045e5bf3819

SHA256
fe10c738e34dfbcc009d9c61b2a63fd6d87ac3284c84742de6510c2c7af26561

SHA512
000fdadf3a9c0f2df6b863526a73d415d53c79f58d9ca9c937b819dc62ea2b6165023cc0d603ba1ed8d5c04fb594f5888f88d7302efee1b7db2f568b01fbdb22

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ecdd2a6f6feccf9ec114ecdd5c0a11f8

SHA1
f8c048bbdacc23aa0df8de2d5216ad00deda696d

SHA256
7e4def6fbee5c48908d9a0869e11568d0a8137fea33f6f0a8d67dae92f17dcd0

SHA512
c951e4c6e0cab541ab3d5d5f6bae9bab23be6770b394968ef5ea046c5ec713eb019a27187f64a750c02b75c285c562c9fb9f0114e8bc730e9e28c7d1cfe2349e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
264b1b18793036dac9994af27a9335bd

SHA1
99f969c6f4f228439831df6ef861b064e317a2c4

SHA256
37302d129e827d523bf8fa88c94c730298d016798c1d8fb4e6418df385f998ce

SHA512
8b303e1b12b6ba2d7bb092c3eb0a700126daac72bc83f9e289bda8f6eba3e302846be1430cd8429389c6e726dea8b0628ae8c3d9bbf0a07d2a15f79016757719

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
46bf5c39cf65b2512e6df19a8c9c3cb9

SHA1
0ed7b3382a32ea51757db6205ece15dcbfd3abfc

SHA256
d35ed4bcc7fa81b7f18d64573505bd52edde2db6bb471a375a3559ecaf0d91a3

SHA512
287bb65571fdc3fab128905162b6efaba7ee844c018c3e1f7b24b1caf35e6fe39e9bdf7eaae05c2816e24c3fb3c15ffc5fe706ba79136c9e2761a8cc36e9b22e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
75d602bb090586f419ba8d79d45f554b

SHA1
b251a7132b6ddba6ac4fa680e18911169d61e832

SHA256
9080068634a9805fcb5ac829fe8185e18906ef2aa14c279805619f5327c2d119

SHA512
9876a0d4ebd596f1239c1a449dcf9b00cea21abc5cc16fb3df56d650745e918aaca7ce17136a54d505fa207539ff466d062ab9230e9e6c84afd5cc0a8aad3560

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
929e284ab492e7c87d427df477d6a618

SHA1
3e74d3986042aa40f42763b8179bfdb11ebc01f7

SHA256
59c087407e6e767952aa2826ebe4c96eaa97f2ad291254394bba538f5920e7a8

SHA512
904dc5dd7faf949d34b1c446d5fbdf527591ce213da009fb0d84016fb808ecb28d9433382ae867c6d7ec675fd9ef0b35703aa62be1463440b387eaf89bcb5603

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2d8311c2c22c37072fe2e8d96f6be369

SHA1
d551b618ebb8dc9fb1532935b01f9814b86ce756

SHA256
d4613dba28f52560feee138cb45a0a880c391abd577821a831ea699eb20a8739

SHA512
83b6c8c8c71898db28c6fe30d77d114e5e25ed6ca73bd19ca377cdecd4a6b6612c9d0da78eaec970ab26dffa16b34d699ad27f376d26a5d8b2e67cab384cabfd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b70089b48a2fd9933ae9c26f27a57a0b

SHA1
6736ff1cff4fe146e7f23b087e7c4c7ab1cbbcb3

SHA256
247efce3cfd25ef79ca3a0b3b3f09d8d3b0d9aaa158273f737d19d485ca64cc4

SHA512
74d84c655d5765f536cf0579c68fe087020c71c2824fca50a716fe343f488d6c7c74e101700135a7c5cdeb54d730bd06cb60c9122a00dce78b84e71eed481181

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e8d98a1c4b314817369c3db7345e126d

SHA1
803cbedac040bf2e002d3d5e027253a1618b90b8

SHA256
b2f2370d9366e443a9b42af6502b7eba353caee992e95e8867f662a9fd29050a

SHA512
e904802eb358de05861351cafffc8b8ce611ee5850266cd5ab7ece8d1a7e6d78ab8f8f66a699faf0d7735c2810f36f4002a8d8d9329779a1d497e3341638a82e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
57165aff71fa979892f54f1cde91da63

SHA1
355323fb3b4b390f342b83a317c84c1e5259862f

SHA256
0d8a6a31f5e1a89028733b8a18b731ac352375847b11971818499c7058ab5799

SHA512
06a7fa7c8b608c21dd8a56754d47464bd4804f2a4c7e0b421a724d677f384f035ed4327cf49196171f1e5828584aa4afe2c2a820e5449bddc4d190073e706434

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e64acc83f2bccbdd359d66f04c8bf867

SHA1
0f864fab090f82a39380f1e3751617c4f8df7643

SHA256
457f2af585fabfdf87596111496befefd5ed2892f6a5d224191cd6c3a6f4f864

SHA512
895beca5f2562f152be90984fcb7db4c09a39a0fd892014377b57b8e4c201f9b8ab6e120ef80238802af90cc7630918b58954a304acbac86faab05796ccbddf3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
418dfb74f782724bbf13b5224e635c66

SHA1
32c6ee005281048d37124443fa87e110d7c5a4c7

SHA256
8aefc6cc041f9ac63d6a10f352e2276e98845f293d256f62f6e883b86610618f

SHA512
e4011e1b05f400c6530ee7e582934574f9fdc6ff65d9fc0697aa91dc0fb4d93deced06c8d5949b462b3dc7a1e22a4e1c80230253570cb040721e564dcd4737d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3d16e195b5b13b2394d592f7999ed8e7

SHA1
8e2113e4f627c85fcf546f9ea763f72b3dc062c1

SHA256
6a2852f38adf98cccc614056c142771ea3ad55771b1b7453b7438e10b23d0e20

SHA512
2e443d6ee43121f36a39f82823efe569c728ac4eb69fe70d58f5f293262c753b9a923e7e6d4117b4de700526f6bdb3b771963461927e55b06aba2b911edb564b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7698e11872fcaf391638ff3483e2574a

SHA1
f60915e2f17d88d43ecca70e0ccbc9e5aadf427a

SHA256
d4215882e140c909d53e70c23206880a2dc9fe1234cac6fd08cfaf581490fc3d

SHA512
282037a40174ed2327f82ed6c985cc70f89b36c654195de5011fb9ad1562db8008d77979b17e8f33301ad2bad293c39c9c7344993eb4e2e3a7aa94bbca13a210

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1258ccfcdd708dd271ec3fa406ef95be

SHA1
eeae67aa2f6e9e5f14acdc68a03974713a9b77d6

SHA256
3ffd6739a04a8eb737fcc26962d4b7f01610fd903c613490df317ab42bf5dc32

SHA512
aa87f267a01baa24b5a0ee7bc06ad7abce33fafb48097d864a9f0620470f3513a0e488da9123c34b7a7a1d739fac61450d60ae183c9f44a4bef424613fb2ac65

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9137297332eb4e04dccb38ebf96a6874

SHA1
1c4d507a31b4b6abc1954c7076d57208a52a5364

SHA256
d8f911a8bc12256f7d3638d26c71d2534eb3130855a1e56cc245a57ea868b128

SHA512
18f3cfb0ba5c30cd179d2f3b94a210a067ff45f5e71461b566d1dec8b1eb3f8ae7241cad479e39a8bf108f278d40adac1a008368f75f8468ca290322d4e04128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f704299e4ecb06e11aa23f5a89093581

SHA1
418059701faffe0a4167f6727ae7949bfe101d51

SHA256
8783d1f8d99223929304abda48f865366ad4b0908cc9a195dcaf55ab3e3095e4

SHA512
85aec47cb315472471aedc90324cb71ddd1ffbddc8e9db48281b1ceea3b8a3ebeb376afab2fb478558e8392b7211de294d3bbbb7b4f2b84f0fbdaccc09fe66d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7814b6f3b07127c931696b81be35f6f7

SHA1
12f06259d56d0511fdee42f87d30ea60932af118

SHA256
6dd532168e5754a7fa7eeccbf208afb54dd0684bd5b72dcfdbc9bbdd01793320

SHA512
45a620f89107c5f77e7b2365bcc227b466dcaef63b2e0656dbbaee9ac6f3a036e13065ad45fc28f1ac78899f978147ece3b9b1eac7c1153437ef8dde3836f4ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3dd511f0fa3f1f6e3bcd4533b494c103

SHA1
d4e5e92c6f174b0747a5a739a0ac93e38a08834c

SHA256
2e2ba14bbcad38fda64fba59b06e7822a7499eef3e2181c585358bde3efcc875

SHA512
4ad9601089fe17d4bfc7b6f6d2acaf5f80e735531c1037723637d3d91ce9b9060f36ed7df7473061bdb9cd0e9005d73cbdf169691e62798daf2b589a27eff22b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7ae6bbcab6ef772d78b519ff16ddce8c

SHA1
7d63e80fd0580d6bc9c52add79aee2048b93afa4

SHA256
9e82be9f7905c83658d1c35463d860253331d166d2c0efb341442fd1ae9f4d51

SHA512
8429c761078b85d660489300589e166d5ae6c6ef975d9ea2ec52efcea992b504189e6aaa902a71f8be56fe1af27e469b4294d013b096fbc93fdf69abc55b01b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d3f93abca7f08494992ba7282f12795d

SHA1
176c43cdf988c49fa302332e88b8a0c53f0e4376

SHA256
33d03d0f85ae87fba94aba81e39a3bc9ec8a3e4657a6a584ae68289324468364

SHA512
5dc5409395f4d083add5bdb75853112a61b1bc4954745b5591e20b909efd9508db4e460c6b7b4b18899ac9ab5cab16f9e1e1df01093021231e132b3bd23cf998

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
03f2af87d854018f878c9c67a17f3633

SHA1
bc53530051e8ecc96a96cf464ee0383aa28b80ba

SHA256
32a25b053d276dc1f4d933c47e149cd712ab85e3871bf119033fde2bf4389e31

SHA512
0c528c891e6b6da6598d3f0f2547637dde119e8415171bdac9e8532720b6d9da2b79cbe62fc9ec0ed8fd17d313127d15aace168b4d3af071329a4c007a9c5eb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1fbc140cc91f9e4210b73566cc2fe121

SHA1
2e28b517d848009a46aa94ec60336f5dfc73f62f

SHA256
83e23c84000534685fb1521dba07cbde0c983ce8532b23e19db13d3ad7857441

SHA512
c69696ac4f259816438b7b2b5359b6a9f615de2126652f795ea6c44a9360b9b0a8480bb1998deb9b1d2c0af43c44507cdbe30de5bef4302b956bfb9ae85d3178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
efb2420aa11a5e2c663b66d80c39e55d

SHA1
0963d7d698a7e1bf2d1b395a264e1ef57ff2cf13

SHA256
9a15063ace865a82fb22818131a58a81dbe877e7edc7792ede462a88342a1ee3

SHA512
91699b5cbc9b791a39f5632cbfc92ef92f44e695deecd9bfada91ec5e278988330d60032b72d59043ffbd691886eed35dcf98efc0745c3da1394c51289ee7d53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
bc1759577cfb25bcb5d7aaad06dc5908

SHA1
12403d15d95b215084802c80812e0db852ff249e

SHA256
619e6ad8187a7a46433998adb8095c13af4938220d19a5b5f79c45b43be0479d

SHA512
130b69c17cd4c50fc5df1a793a83a1bc7cee2f146f462fbcd43c08fbf9d6f313f512074a95b40ec99cb2a607d61fdd9878465915c1656e6ec73fdd6f57e998b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
31ecfa2ee218924973125f99c63481b8

SHA1
42bf1a9d0443a58ddbe6b12c4bed5c9cb0170f0f

SHA256
412161ea469ca32f8e8de02c16354245ac5e89bb2f6e29a3310d89d166f2611b

SHA512
9d46be663c384a3b231e3bc0d0aa5e3bdd3b564e899a6968cd6c3a08e2c9ee9dad0d619eea88b5e453a2dbd7dafaaf9c8e36d82f106eb1b3a007d0e3397caf36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ec41c4060b94498559df9f201cc0a2c8

SHA1
b6dfe4e388c9ab26ef145ec3d0ac4c1c5e9ea7b6

SHA256
1444963258d3af8827ffdd308eb1d5ed696ac3239465593192721d448d39c371

SHA512
beb357a455aeba4779bc5ef790a17b5e0f3df6d4d67e9129cdd7ad794ffd3d9af00665241b467bd8b6158adc0fc5785208e065fdcc49b4c9fec194aec87066aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
170eadb9e952c08fbd5e2211d5a1b963

SHA1
27fad6b9a28aa58682bd3a87a11ed2af9e2a93df

SHA256
5f26e5875aac3f5879b165aaf0d7c23cb02838578f68b710c0ddd17dc6cd5a09

SHA512
a242ba946f9ba3c9c27131720b5ec8d189a01b28af41f527e14c2e0cc9c10ad616c19e591a5b800711aed472cdfb8f35b8a14bc95052ed86c6ce9035d688d4f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
025087c871cc38fc02cc6b005939ee86

SHA1
9c6a25244c0a5aa886b20ae3d9a6149f620d7bf0

SHA256
3e8a242cf8c2851bc673f9952268ae1c94e07d74a8891e099962e888407e318b

SHA512
bed22e612350a8b0e767d3e1c10cd368db3b6c4f221186382988993ad3cd1da563fa3d2a506f2ec804c955f53f4f6893c9e6d4bedb1dd3ef22b98bd139733f2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f9cb203d6978b333e067d99055d3d005

SHA1
68846015acffca5c8bebedba40e6496c61804340

SHA256
6efae086e7c42eaa823474ce8bdd6235ff6448e77006db178328192878bba292

SHA512
db7a491ae4ee1e09cd94d6f1da4ce90d159fb434ee7a094a25d0b2025c2317e89fef0d0ac03100dbcbcb9f063144f9bb3fc40c736bd3f51555e398a63b1901c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4f4d4c27c78a2d9c6a524c19a78d0858

SHA1
169951ebd07c7c249682c4a58ef988a1124289ea

SHA256
4ef40010caa7a251689f7b3da6f127a6cb45ecb3ed27818a54a622c4c4b009ca

SHA512
8a7b646a522652d28f767740860608aa9ddb446b8392f78427a9a1fe80f0614f23650296cc90a3a8b64e1454bc84268d36fee8e18d474c04d802221950e09e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c0d403d995114729532887795d3fbce8

SHA1
65f7041524e9616113d961eb2d4f66190a280e70

SHA256
2fbd5f86e812f6721ce53f97e1be5959e1a2436fe5daf4c385ca9c404d135e73

SHA512
0a23573a906ba7e65227303fd5f6b299c823847496b5fa63b29a10d41f3b66192d8d3db4b8193c52261811bfac8d6c75297befab75f6d6d31862d641986a4d5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e29fb5e189c2d031db4ccf0cda2dcdc6

SHA1
5cf8145c1ae9ca763f75e421ef572e97090bf50f

SHA256
6e0055142c0e445c0db5b64d71d30f6c54f19198a639197745cff9f1b53c8018

SHA512
70b3036f0b16b4ab17c4c23916b81e64532cfd0e9edd1900eeabf13401c9407ea5d1e53e9bf5aeff2ee69b7b45602aa02336402907c67099f10aadd889db76e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4a0f21d77186b3f21e123b9a257edd95

SHA1
a4ab95cc64c64aeb29d199402f79a91fd00f19ca

SHA256
6ab4e2deeaf752edb486d6ee9f28bdb034ad7543cc826b854742bffdcc63f440

SHA512
cff6a357cd5c8d3d7cc8735f78248813c875761365b93a19350f09ca16d1668366fc1c44688dd531ca9992f4c049e931bb140ebc7fcbffe877b09855c34f3501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
9b5e5ce75452cb51269bc4580653f49b

SHA1
c22495e5b4e6f37916c6b7ec4cd482564dfcc8d3

SHA256
c32cfa38fb7173cf41398bb0f805e64565812c497735d308023cd7211ac0ec5e

SHA512
5b3e659220e656e1ff30b02aca8595f73c79588cf5a3f6961f2d125b4fc1678ef8e7953b9c3ec18ac0c60ac27206599e48657a8b0821f45b8b9f38390c645156

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
418de35778729ff2caa622aa9f9aeae0

SHA1
7e1f8decc86610fd185e944cde371e3cf3e52747

SHA256
0db5df946450f55371b013d7fae60896bccba93573df513993edd56a13871fc7

SHA512
2f73bfd1ebe7ddce10e53bd1cfc2be6e49b7401236fd0775dcd70b2649097d53fd559c85c3e76b78c05907bf77c64ccbccc083aacecf6108d79c72c479ac69a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
00dcab7980bbaf328e3b19522f213a6e

SHA1
e6cef49be042bd03e86476967df291b35c3a7ad3

SHA256
4f949781f15a68d583f39a3049930affbf4a7f41f1de52dc971f4e8156c2cae6

SHA512
9ece95fc9d84af0af1788eca1877eb96b04ce5237a8ac29f2fd508ae1f7fcfe28057e91a2899b70df1b3ec9dd0179dabf2657cbf19b8ba690c9e800a5985d6da

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
22f066833fca317a96411774add3a6a6

SHA1
f23cb313f89484ace0c6dc229cf0597d623f3ea2

SHA256
588cc8ffbce32c4e748a75fea6a8820dc536f0d37ed05f78665b56814182de87

SHA512
929dbad6d81d1d81f3f9bac39de19cefe00e3fd41c93cd1c29973e59dcb6cb15f47e6fde24bfe8221f49be71db0d573003d354a9df67642b86784ac0ea00c85f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
32350d3eb015a063ba51751baaf45dbf

SHA1
addfc7f9ced8c213b484b64f056bd05984db6bed

SHA256
2fe287bcc35bd340f15b08f4f98bd95f2dc765d4afb6a0095a2f0c6fb5c8b907

SHA512
d080c4679f0c149332fd3f9c2dc8c0d4f6666fd21a4cf9bda0f7db1fc92955d21ba827cb592863b390adb5a2f2cc6920f8e9ce6fd966e14405ee2155808e7588

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ee1ae5e1d6f2ec0f0d4fd4c0de8be03c

SHA1
1260db6018856ad93a7445a96558469050e31a3a

SHA256
8c82c953cc56db787d2ca6d5d5832594fb972c2a0930a9818c15696ba0d14832

SHA512
8d037bd939133896a0925db9b2cb7e01ec44d4f7b9c54045cbcf61fdfcbbae76ff0d95a70450b1f65a04bf15f44baa525c058f456e9eeb95c50f67adfd402905

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dd1e91d30c76c13cfb03403c63b71477

SHA1
5350bf990339157457646cfb4d0f78a465d1c30a

SHA256
33058f692d2ad14e2dd42c9a171fa94f0d9f7cfe2c219dea03a7efedee0f03bb

SHA512
23d98222bc43948776e1cf7eeeabb967e26ef74912bc9e0c7a931a495480f9910bf5165ceb9548df55c35b00563e4b54cbc20ef5d3c6c273217353e25734924c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9e6b0a6db640e3f9cef18ff0f33ee924

SHA1
5b9d0259b2bbe3edbd6f6036fcc3e43b92af512a

SHA256
68d3a7a82f38aa58b3ff79069d23efa0725a01c453f452eb1a713c591846da42

SHA512
e09f188e15996e6c200feb03a72d4c733c8b1b8030e7b74160e399f2f01b9f4fbf69c7da1ff81636c604a8dd74f3712893195172845315283c4879cfdcf0cda5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e80ea0496d35ebc56bfff28a18dc372a

SHA1
2d4630b66964ee04650aacbbb3c29dbf26301d48

SHA256
17732847e751f199539bd64c8ce6ee65e061445510e25e7ac7f6fd8121a6176d

SHA512
e9606a126ad72d1a0fcdabf67db476dcdcbda31cf3b91729fa312d93f2a5dcebcf5ef58d40d68e34f30ce660c6ab7f35a82c99eeead7c3c6dd068450ec3bab40

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c071eaa4da8fd10a9f311f3bf3790f0d

SHA1
6ee3716ce9bdeb81c855c94bcba49c9ec43bc38a

SHA256
54915376e0f1e906777f78f8c50f5bb6da75f433bbe4af6d127f97d69ea6d24b

SHA512
1918d0f05b034cde0f843adce8ba0307058649754a7f0b324f52a8ec2c194a7cd7bc32a288d5ecfd99238c871e0faea5976bd31b31ee3fc262b0a07bde5c2fc3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4157ba2f0a4240a3074224e03639cda0

SHA1
8c928059f7ef080dffd878d7a8e8337ecc0cb836

SHA256
51d56a580602771b3eab2c5fa84722d250eebdb2b5f56bc096659d5f1d1b0228

SHA512
4528d918b4b6a607f04bc03adff9ffef265732af1d0f2821acd299ec681c745ffc29ba2bd7d0333bfc9ec1913c22aa2d88ff3744ae239024d3d969188235ac95

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cc7dddc83aadefbf80a7cda96f84798e

SHA1
e72b326772058cb33cd4c851d0ce622224405656

SHA256
3d217cf07076c45eb2c022c4ab2ef3c2948cee53ef323114a10fded68fdf4876

SHA512
ac75449903533e1523621e3196b853c27079226633e23092656404aeee9a5983c266ead6f49a37c94833efeb5140e37d67619c4d544991f8e0a0ed05fbdd96d9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d9a7f44e4d3f1ad66f99c1d97b7c0ff6

SHA1
4b8216b5fd02c63b09080111e886f09440eba02a

SHA256
f3f68c0543d49aa777dc9f7e769bd1e168988ca612d9ad3778232b60f4485c9f

SHA512
480ab3ca3caa26e9da30f749bcad7a5d4d3f9d7456c1efb037fad03f807a7b4821bf506b8a9bed68f357ee00dacc55b87d9182ca10120b5737f4ecf2dd548f41

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ef8c5e29df38db5bed3587103f70032a

SHA1
86c9a9167c8b1ef733854b73285ea149ae214074

SHA256
86b1d5adc31dd054b257a3f29edb9ac0c0dccc41005370336c406ad83b498931

SHA512
ecef4021dfec998bf4fa092a19945322a5a9583b2bfcd47f120e843f9e41220aa28974442facbc887c7b4e81fc6851758fee9edbc726c82f3ea88536dd2bbb0c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
015f041022a1eba21799bbfdaa019fa9

SHA1
cd1cf11f4629228cd435ad959f3c2d4c5e3fe6b7

SHA256
7d7614933a92f644849b9f32b2c17ef96ec0d8c8aeeca51f4596f86b94972f0c

SHA512
b3781d48c66a76d5001bc0502982174d43bdb3a1272cbdd7d094389e87f6499c1d26088f3e13fe1ba3ba2aeec29d5cda027c41715bfdd94cf71b2f5dc8cf46bc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4ddf198563b6eb180d04ee8e87d70422

SHA1
fec55f9b225545da621cefe33a64bcf1cbb2d51f

SHA256
d3f90f19b8e29491b718a809a513c50e40ac385d9389d5bfb3d3d43f2bc76d3a

SHA512
052f2db475fbfcd08ff6e1cd8d1e9d37666ab4e47340b67aa6d71d03a27a24c5af77efee661bb5dc969aaaa6bea0221f0617c103f2e65016e4abc58d52c495b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a5061e559a063ed87286af22dde491e9

SHA1
cc98e24679909f4e5bf9b3aea2d4105f729e8652

SHA256
c281899ee16e1d09786c3278f7100e2c527f9ea3f1227441e3122a745a7ce597

SHA512
08c6b148d84cc1369a32d50f2ddace6b80824599905acf227dc7bd7f8148f0c5b1b4024741f7a4fde121ce1318338748670a1931f23385f92c3d67c49cad5b88

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
17304d8ddc6df24854c1b3315a6cf42b

SHA1
17b806750218be6098e216ae81274025e6859dae

SHA256
633168fe65bc4e7e1b3ba51abd1478e39653ee91cf1072422894c693bbb4ff7a

SHA512
f42dae84cd524167bd6cf9f18e3362d178b95bf55ab8f8ce88bbdd8a0d0356c005b96bd9c76711388adcb229c6452de46e066505df3b7a94be24322d27935ca8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d1f76714ca4929e071a850059db20aa5

SHA1
3773b300ea4fbe9c1b0a9e9395a7a87344ed3d46

SHA256
64cfd8e8cab2ca3912a6e78db18b56e9ef335755d5ffe68902c88c8b236d9859

SHA512
5dab3af004f8edeec19865631a68f89d1409073488530cb6f6e17d187d5347ab847aa1023d5c10864fac278afc02f0018b880b694cbfa08ddeb2f2728f4073f3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
75ba101de3b101850ef1286904ee47ac

SHA1
3542f2a7938d15395df34d34f8e0c9a72d9eb683

SHA256
76f53db69966eb18436c5bd0129a57a911abc2a060193ef34e74cf329bd363e8

SHA512
401fbb8a63e8428d88b44aad12a0a705fa5c2be56549ab79425b569029657908654364123bd7ee04a4b2dfde08127ab1cfe51b1acc33736638e52d81da2599c5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c033363e4564cd59e5f431474855527a

SHA1
19212160f863a3aee27e494e8ccfa15ad957fad4

SHA256
d6a69d0c40119d6b4d7c168169bd57120b00ea7e5443094c4cc9cdb4a49f17a1

SHA512
f965d70f8838e3b538ffe12f2934bfb46fbc0435c9afeef52cac5b4f6ba88ebf66720c43495527c291fddafffb7cf9f4b96069990023b0a5788cca832c13a4fb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f441ae6bd31001d8b15110b2230bd7fc

SHA1
12e737c0753a976389ed83a8303e80e41a368b69

SHA256
aba6df25c7df3abc094148514e85fb628ebfe75d22900a75644bae634346120c

SHA512
b3d4f219fc15807c9ee41630f20d2c74a66151f472b2e31b280ca5cdbacea13facc187165d91c963256a46b6ab3bf12c7517c447d9c99ff9c51017486dfd3a4e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1af07418163c7434384771448725a7dc

SHA1
7d6d0885fae18b1316d89c4c87f7ef773dd6364a

SHA256
097c31e0e72f510ad0023a067132528d15b85c3f090aa1cd8d55d8f8d0ab0e82

SHA512
e52b99166fbd22f5240346499544c01ebb043293479616c2687a49c85944e9932d013dda89b02332af4ff588fbd65e188892fb8f65842ed3689bec50e82e6976

Download Submit
memory/404-56-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/404-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/404-67-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/404-62-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/404-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/452-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/452-535-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/720-462-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/720-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/864-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/864-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1288-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1288-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1288-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1288-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1376-0-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1376-1-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/1376-6-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/1376-17-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1448-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1448-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1448-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-544-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1464-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1516-320-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1516-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1536-41-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1536-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1536-32-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1536-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1780-247-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1780-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2064-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2064-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2532-19-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2532-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2532-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2532-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2688-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2688-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2956-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2956-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3192-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3540-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3540-543-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3960-538-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3960-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4052-328-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4052-270-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4052-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4356-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4356-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4508-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4508-542-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4820-69-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4820-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4820-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4820-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5020-324-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5020-266-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/5020-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5020-260-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download