8b2e525160144b0e92ccd724bd1c61d3f7fbdda457396b0e1d1655157af1e43a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
Size

1.2MB
MD5

7f27750a1a8e8f80b72deafb53544a30
SHA1

0a3255aa956e20c302bfa07449fd481f9bee2229
SHA256

8b2e525160144b0e92ccd724bd1c61d3f7fbdda457396b0e1d1655157af1e43a
SHA512

ffb698a27edc7844eb46f7eb26aec334c7601e6389e4b4d752c99feb3faeee8b132b1180d7c587aa2ca0a8eac1d03679252c0b41eebceb2042b89d838bb5186a
SSDEEP

12288:tUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJz7:tUMj3C/Uvw3B8atQVpZJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1124	alg.exe
4992	elevation_service.exe
4448	elevation_service.exe
2780	maintenanceservice.exe
4556	OSE.EXE
968	fxssvc.exe
1984	msdtc.exe
4452	PerceptionSimulationService.exe
3304	perfhost.exe
4028	locator.exe
2740	SensorDataService.exe
4580	snmptrap.exe
4664	spectrum.exe
1556	ssh-agent.exe
4388	TieringEngineService.exe
4356	AgentService.exe
2180	vds.exe
4072	vssvc.exe
2012	wbengine.exe
4704	WmiApSrv.exe
2748	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exealg.exe7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\904a431db4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c4e9395beacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000644af095beacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0129895beacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000053a9f95beacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0129895beacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5454d96beacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3016	7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeTakeOwnershipPrivilege	4992	elevation_service.exe
Token: SeAuditPrivilege	968	fxssvc.exe
Token: SeRestorePrivilege	4388	TieringEngineService.exe
Token: SeManageVolumePrivilege	4388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4356	AgentService.exe
Token: SeBackupPrivilege	4072	vssvc.exe
Token: SeRestorePrivilege	4072	vssvc.exe
Token: SeAuditPrivilege	4072	vssvc.exe
Token: SeBackupPrivilege	2012	wbengine.exe
Token: SeRestorePrivilege	2012	wbengine.exe
Token: SeSecurityPrivilege	2012	wbengine.exe
Token: 33	2748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2748	SearchIndexer.exe
Token: SeDebugPrivilege	4992	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2748 wrote to memory of 2024	2748	SearchIndexer.exe	SearchProtocolHost.exe
PID 2748 wrote to memory of 2024	2748	SearchIndexer.exe	SearchProtocolHost.exe
PID 2748 wrote to memory of 436	2748	SearchIndexer.exe	SearchFilterHost.exe
PID 2748 wrote to memory of 436	2748	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7f27750a1a8e8f80b72deafb53544a30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2248

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1984

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2024

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5892e38def139d1e65ad73963f81cdb5

SHA1
f3aa30d9a55c013b3a6846d36e3c187bb53036a8

SHA256
4b2e3728c1c87b3c6172e988dad7612db3b672b9755ae4aaee10a8cbde061fd5

SHA512
ccd1251d5c381f3cce643437ecb6171acb89c29bc2f9db85ae945fe338cac64e1c3fd22e42426d2742588e02c8834265ad1ad59c39ddc5f8becd30a1ba03f02f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0795122dde678782e3ae2c012064757d

SHA1
a4da0ccef05dc95410e0c100542c5283c589b1a7

SHA256
b3990f037ef2b7d8e3a187ef43e0c72fe23e6edb6393102f3cf575545091e7a9

SHA512
e79557f806df79c39f131f1a9d8fddadc4079746435f6d2aa1f58ae2a0be6eb448858b938841c6f62f4fc0ee6616d4b1b08493ed35665d5fe71aa1ac2d98cf4d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4d5cb350bc328459d274f9214dcc532a

SHA1
1e1729909b8c61bdf1c0f386ebe1d7db3f7a968a

SHA256
bfce02f3af6937b585a68a604e379869ce295cd2b3ac07d8bcf0105444652e71

SHA512
e4db27dcc9188d4ed1f9d32d4b0294730a9fcb3e10b715f500549423a8738a96e8ecbba7ec2a8b835bdeb3d97f659820266bf8fd8b65098fad834aeca6a79723

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4022e506c7c264fb040c287ac89481e6

SHA1
a972a6380433b529395b738a55b2ec5090db2e98

SHA256
a55aa85588764b9159e44d68d92fee51cd41a9983c00dd95f2ebef1ab6539bb1

SHA512
a0c416761223ac2cecb2b771a1eae4d5952700742ced8e67e3e3256914ff79a9d3db9f625fa06c0203e5dce932505d86cf5fb66e1e7e97e9305d50d519bf5fdc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e60b30e5739a8770940d7e09167b241b

SHA1
58865e50389c7a609fdf3ce9642e4fc86376cca3

SHA256
8c4f3e988bb75b6c536c978ff8666d01d223863bf6d16afbd91123b1108594b3

SHA512
7e448d36c2f9243d2969bffda8fc3dd1caf357a87623f3df8c81ee5c51a711a320f874fa5f0ffc2cd9b15c5d10c0dd96caa2330be38230426294804649779d93

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
669cb4995ae0f24b180e83e3795ec93b

SHA1
c0a924020bfa742418f643d5624c0f6997a7306d

SHA256
8b01e8f75c016ee1dcfbf578e5f9a5d34a2f38932018f4f8ed81b9a918e7bf03

SHA512
5f4d9497e9184a87b3ab33c27ba9aed87f88a20190c4a82cdd1d739cd1f8de7913278761ecf8cd763d8d60106e34883d8055519e1beb608c8fef2c4cb28a83b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
04aa3e08b184bebb604d8d5b40ca6e52

SHA1
9967e14f27ceb87a56f779266aba2d994b2f2a07

SHA256
75619402a76b2a2ba5ddd92b89d7b09ea96b0ea2cf0efb591114a0d63df9457a

SHA512
9ccf394e74d7749543351b70c73b4b327d19358f45aebae8ab7e6538a84df927a41895f98257902bd4af41376fc9e13f9b81328fb263e782626f48fe969fca4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d0885ce01ef803268344a5234aa416f8

SHA1
bf21a1871859e9dc9bf340796686da6ac0ea931a

SHA256
6d489e9fa09265a5feac8b60598e597bfd8165b2509af35707a638125cf913f4

SHA512
59b66030c3f23505235a78d2ce2efd5e0d740c78f9a1dc3a0020354cd4f52d61c8929110baa2ca0880da2eefbc3c4dc0fc17751509366985dfc89222d104a5af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2dde2c4b27c320bb11fcf153511ea2a4

SHA1
9500b3fef9337621355d9ceea702f34b557e2320

SHA256
4d5109e34efc213981ea51ed3d4b587b7f3adedf7bd65491f709f815c8e8ecc6

SHA512
f820ac01063025fe6ec031eb52a8d777b86f63ea1d06983474a1f9c54bfdaeb8c66af1d92e5f24b624992c1736e391f989b22f92c3b16ff6bf86fdd0e1a6b3fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ac530a9eb655e0b4ef8607a2d36479c7

SHA1
50847c230289295da8d38a9220e73cd3c982fafb

SHA256
7963fd85c1f9d8a68990f8ade37c28dbfb9d4ebb52d05a38b1af44f7a134baba

SHA512
d68bfb8f2d0c80d3d91a2dd5abd8aaf035f20fb6d71107755189305e8e1704891f9e44292a6508590c997b960015c1154d1b973358ae0445f52fadbc55630a51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4479f0065295eb45bf7e23376f112741

SHA1
87f47121d02561656594f33b3c5872dc10f485f1

SHA256
07aea01e5034a5e5c4c3fadc99ed10f5d904efa88f9d9c512423f30c6547ee23

SHA512
35b8011d6cbb65d4a59a15024503a701713db5a0bc4e9001e51e39e37772feac9f3981fe43cd950253972151846e579ec3dba301fdc4a736260f87eecb74f364

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0a9c0ad4cb2071b3384983c7f9390a5c

SHA1
c849c0e8ea7b907881e6415a9309c095ea9f7dd3

SHA256
914ba2dbd9a74e16b33d23b0412d486f476d685cb3a32201d86e1d1ad3a88caa

SHA512
808ce7bcec5f4ecd6f97a48e19f92731e0854b5e934d0b047cac13721592c355c3f5bfc52050ad1909241626a7fdc86be9da98d8142127f5e8fd8afd19ef3841

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0b8a01bff7f57092a2456c54ac1dbcb9

SHA1
6368c871036cb1eeff2f0280d585b46f057d9a7f

SHA256
f1072aa379263d82b7b277b412f401c1ee6186a2d69cf768461524613629539c

SHA512
94f66e413ae0f26d220c38e783ba2198ada602b3da42d81769f3c93cb2925f397688d64f78a475f8317845e7b8b5d36bb71a37fc1e91b9bf3846a390ac7e0e76

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a345a6b8bb8a6baa7ffd10321aa8f8a4

SHA1
aab8dc6f9a84781f1353b5d1c32fefb90cc6a94b

SHA256
37deead884df816e7a56c8411e8c43482b099556d87aaf6805cc28ba587362b3

SHA512
e1e861f0d189022bb2025ebabff941948bbe6a28b1d18c00de9e8b9472ce7881c2c7d8372c04014194b9175f15808a089edc546e8bad09593df8eddc8a26a32c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0e6959087ede4e74470390e8b8b36dd4

SHA1
7361530fe55b03dd4cbf46a5b75f0f23e238b6d9

SHA256
2626006e2f4cf59e758285f866cb65abdeefa07e15bc2036b62644b0eb930255

SHA512
5111854ed64732674e4ee835c48f1d44ad9930b383908baa4f25c576ac88730589ffa6c398306a6c63762457767c2b7daeb655e1286ab84fbf908b3b8860c941

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5b5cd9c53415d7036171aee86d83f20b

SHA1
8decdfbba5b82f8f244c3140b28cc6774ff0c65d

SHA256
fb6ff1ce6d487e64467446f838d15de55c52085c37a6422dc9ba77ba1b8278d8

SHA512
e9e2d53f42a12a4d3e87143fa6beff081e2e6925eaf101367d154faaa2050894ab47ed39ca49a7565966304b49921c0f982916baefa5e940d1ef52582561721c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0ba25bf6f725c7d88109840db694eef9

SHA1
151b0305906a7be86a2e29624628cd6fa99db248

SHA256
10d4242e5c483a7f45d30dd1a2b1b653a61399d0279e17e020e86bca63a3d6cd

SHA512
a6c67f57a986d8e3b08126ea870b3bc2388b3899e6ed0c05b55ac088ebe7d404fea2ab18162df341c6382c36d8d493f851f4a74e08c5bc5b0ab2685c5b7cfcbf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6566f0b29769716144c3319f358adc33

SHA1
27fbd60562bf33f18a8e85e941ca96fe160a6b09

SHA256
bd768108cb97bf5e70b76fc191819749b331fd6be356e2a35f88612bdfdd947b

SHA512
f5f58c7f9a1b45c383030719de85c68bfe7beaa540e31cfd0bcda2f38fc5b711c9d0b747362653ab94b86e0c882be5fed0aa356e12f1cf7c2f4e0cdd760b5b45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b47b5a3e5fedcbbed51e3f996bb62163

SHA1
51fee7dab3108002b298d205020c827d68acb485

SHA256
b933a1d6d68f0a00b63dc8ae88bfd24fa92a23367f9844223ea486f58c1a6780

SHA512
18596b5339c65ea1fefca8b6d0a2ba59ab25a5f0cc372dfaf9664fdc31cab885ac06dd9ae050b4f1f7a8ac96dfe62cf5c50eac291c3c41176a75245c2f173d2c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
506390c9db9701e68d787a61a6833b52

SHA1
59084ba5ce44d14ba7cfceff3425ca9a62465857

SHA256
751711446d26ecc5368f44825bc557bc7b5ddbb83b1120b1ad116280b73163fe

SHA512
3eacd380a0f60d0ea65b9117776d57b212ce8a6728dd2a91762917fe58654a8350817c16445056e52442e00e847b57c0e1f009fbf7cb69654f6a199e999f41cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ebba326dbebb6a3c94a5c9a4af7b32e7

SHA1
a769898c83419415c7d90f0825e3d1ff87624f23

SHA256
ccd8b8967619eec184dbee483eefa2fa8e507ff3cb2563a55c20e2688c3889f4

SHA512
f8cae113abdb15289d8961f0268208dd7e89419a310bce863350bac2a99146ee5c8fbc2ed3379ce7b8801de22a1ca3ac4082c6f9c1d5ab15a697e4c80d21c627

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8537de2f0b3eb7137872de2160029229

SHA1
28e3948acc5ca10ad91819ec2d1e780c1f9affe5

SHA256
d845fbb18ce74b18a389acb2d5b13667c0cca42db10d56d311a366b3c4dab2a8

SHA512
91e0ad77934400ce679449c38ab641908d9fcda13f7eb1a7317c7198d539b768b519754cbb85e3599db4c63e78db76f3103bbe44f5ac92166a8067074ff58aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
44e56763284d89e79f22f261df28c471

SHA1
27e4eb4f9b830badfbd16dbefff74a41e65e1e86

SHA256
98e3bffeac1e3e0c04d6f728a91cafdd5cf9f704ca34a5a8aa4ecf1a25519fba

SHA512
5a5438d4a19a366895e0fc5635ded38dcbcb382c6e42dc677e4efe57413059211787e7b6f3f5bb35a49dcee2ab0dc140b08d3c90b171b37915b5899a85bb9d02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4578d967b6b469f03962072d68900530

SHA1
17e66ed5eb26a7572174bee4df09541a2451249e

SHA256
214b4b91db0c072e8fa95be16343ddc326b902a80dd2be3002230ab7193b1a29

SHA512
02bf92ea433e1c610fb3ac9e4ba4d9d7f61d0b213e4d92571af5d9cdeb12d60a09621e0e53a1434fb2eaaf6bf4e6e19c1dc10e2f831fd57a79b6e21c6a3d70b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5471fd4c4518e6a76e51ea348cd30c75

SHA1
5e3b4560aa48e39cd4d1ac62261b49a82f524879

SHA256
a05938b9246ea1fa0d462528a58bf1d0f0c5731b4641cf7ad5edac2786cd2c5c

SHA512
a8f3a60515755579f49d2eed13c85320a560e61d39a31c6a57957d65aaf28349c933fe8c9460c5049ef444c14a4be1d1ed6c2d20e0da91724fc54d4110f13fd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cd6f919f039d10cf47c0eb5e3129bd2e

SHA1
e524e5b40d54f58248851973895b179889c8d965

SHA256
05883a586556df07309c654afb203e3b29a92f5ef7698965eac190204201ba2c

SHA512
153d8e078089c58c49f6e90a95b8e741fe57d310a70a94092767fff3adf74a842f68f4c29c28626e5546713d4f5da96c7f3e1fe49a7e0dfed698ee9c3bb71247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
efa8b6c6b9c0c5430717d2dcfc9a8bf1

SHA1
e0e3ea1a6cd6a8e3805aa8485b5ead8d69547966

SHA256
2aa3aad9e21b8e7d5aafcd392175b805ec6c19caead21f7be0b31a1804731a82

SHA512
169a750a4cd6915778244626f1974f745f1e7dbd82f6a6d29f87435e4efbfb263fafa919cc7d0c590d263cae25bec8788466b5fc57c136a0b7b79fe0f6d987ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9ff9dc07b04e5ebb67f31f72a2b1be31

SHA1
8fe8e7f78127c227a79342f6b99a31976287b0e6

SHA256
3b54d28640c5c45a305e61f7575a885049d4c14d36a6b8f5a744cb526775f783

SHA512
2cee454d4af598ecbb65fb8128722fd3ca73893bfee3d97f232b3ffd633b6b899d0bf657aeb574a377b1b6edf681d950a3bbd141ab9e5ceb3fe00a8addf84874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7d768998e68ce117ef4a436a1caee49a

SHA1
ea113f1e8b63faed49d9a61df2a8aa45d9fc8830

SHA256
820f873cad6c5e6abc0240ab5fe8ccef0f6d66f460b05c1b04daad0e74b43631

SHA512
9e4030d9a0fc3087373da3102785beb7bcb9fe7d5de33e2c97ce4256127b1862206b8b9180bfbe4b8e83f14715f4a41b08f666dc4d992a917ae2b954fea42c15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
eb89ab1eb569d95963d432863e1aa321

SHA1
d1c250ac3b2f661f06e8a9f7cec9cd50f81a35b2

SHA256
02a224a49252c0c7040da4b9f6d007474faf7cc2d24ef09f416af32999872029

SHA512
c1f78094bf12bc8c93ab9dba06686b76541ba6868955a32cd9a6c66a169edeb0d0a60fdb6378960c28c1a11533a7a6173b82cae1fbca637c73dc27302bf6c310

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
13585cd7ba2c25b557d0035baac7e9fd

SHA1
4ec69811e314119422fd0c2be4f60b0660768a42

SHA256
cea8cc3fa5af1ff17d6bb24fa68b47ec1902562896352012b674e1153694d404

SHA512
dc1a582e1bfe0154440d6ecf45ddafff67717552f6feac398734c7e090a3a1d8236b0a245ca0dd3dda8c4709bc2384cc8024e21105eed05bfe3d50b765ad76d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a764a3d2b08e1d5062beb53ca71c08df

SHA1
d7e2ddf53c20f9cc59c50b13d8508efe9b94a814

SHA256
7a00a0d39bc357547301e6f14d3b537cddd1077f6e00160ac4b9909cfa66c3c3

SHA512
bcfd69165b9a6e2a06db7754bc0988c93e0023ba07f6998eb8ed979dfc30ff568074824fa6b46f3cf58e17f4eab3c39ac420d543b819f22963157672da08bbc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ee38868eb1e324e312c25aacfe18afc7

SHA1
6e2ac5e599b2c83c8c5f60d92f3d9f5ac55e7f87

SHA256
4f118cd8e996ec854d4d467d7c6d4340ef2c207ba2979df9a1df19f19420ab29

SHA512
a46370de26a46e4180112e5388188493881aaf248057c3546cbcc7db6f54ea4ee0775018487de5377447fee496d9020fa0a631814d850bef97d93dab778a2aa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a198546b41159b1a15cd07daa8d0e178

SHA1
076298f9b0081c3f631ea874ad7a0a3d694e20c1

SHA256
2d928b5fbd4d1d24b1878871803353f448459ad613243e6cea1ab661abc5047d

SHA512
ef3438ccf31ea857f56e7d88e27dd5ac71fd660cb08812b5b5d98ffac1ebe993a30c5f8880655908bbe768ce1011bbcea2fbfe3d7765724444c3ad4b1400cbd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
b02b8ae6cdbf3ebd0abaee9ffe1f323c

SHA1
b4dcbe89e5a3846dd84208836d03bbccda91ffd9

SHA256
d92674c45a764a1f1e006654e36c96de9e6fc5c07fd48efbab475f52ca0d616e

SHA512
7fd4842e9ea52f9d9a0100fd57932fdec11eb8bc3fde7b8009504f4bb984a8f5205c9aff30c06df6d61c725e698d568665a533aba06bb8a5419436b404d36be3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d095ebfeeaf539e8f94be4b4d3053a73

SHA1
2ff88b857f3e8240ce2fe06ebb494d7dbc0e73d5

SHA256
eaced257765126ffc9d467480e38dd116d0ad06684284142c80fdfc3aba49e59

SHA512
57b568b4df80de535617598bbdd1e1e2066f89f208ec37fdd1cc1ddcc402bda63b3b4da3dbe0a7cd2ea72d17e7b0b0f05282716211985754458bb671d1a10b62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ee9f31c8d644f5c5f820089152700ae8

SHA1
d9a631f66bb73140b67c2856773fe3f26e77f0cd

SHA256
01108ad29b8a4e5be7ffc2bdf62d7948ef6c25a64852c63fa22a6fb099889086

SHA512
106d3ed9da9c31baf7cb77af4caba864776da21913d3900b3f9ecf481e4f87d8ac330da8d19c3bdab5245d5ed512cfabbeb451a606b04c36705ac152424a0450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
6182376aa5b4d8e3337dae8ce3cd6dec

SHA1
ff62e4c7ef9d3d44e30329ab14a369ef752cd9bf

SHA256
1424281f6ed09b4883dbf84b42341db88247b683027eddfb051d7a1e05d9dc93

SHA512
e75bf89b78adcb30b8ef17f023114cd7391f8676d7eff27c1572941842624ba73ae17533f15f99d3e30436c01826cd9d02939722da86897ece40e4c9bbfe6eac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
741f07b2e3fe26f1401f146493f9af99

SHA1
2268371a7bab2c43febc8f8c011556813d4da3f5

SHA256
3f407d2c9a95115a77ab25e88d33744d9c0e8191a63779bdc108b8999775b9ef

SHA512
1c7c1b8c51372880f091ac8a5f4cb4085531eb0f867b6c8e6176f84d8b295273f5bc4d09ccd4aba05fda2cb08a4a45afe419f49cc5260ba8012547465c7d02d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
4ada04343f26a84ea8fedc7be071c657

SHA1
2b2758ab04a4309b3690c5c47ea0fecee37cec7a

SHA256
8b43d8012a74dfaddfc173183a6f7804b87d4d22004b03fe1febfcd88cf89f74

SHA512
be042246916c37b85e4468e67f63dd82841a5e28a86abc434892f5b3ff34280dd13e1504d0d2a1cb7abd9b1c98344aaac5ba47236a47bc398366cf0c9a0821b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
768b61e6a5ab978e500d3dccced59138

SHA1
2a338a5fe90e7934c2ed065b1684af5b801ebbbe

SHA256
f6d68df72d2896e745efea21f8a9173764ba990a294440de0fd47c9b9e5fedc4

SHA512
db1f17ec49dda389dccbeb7ca9742d3e74b399ea7b61c0af606d61547062ee132d6d2f59efadf1763b669f36f2cf572ccc632823e544064a83f1cdf78626692b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
b0717a0d41e1df5f7704486701a000c2

SHA1
837492ff0b5707606be9aac6b1824aa4f40f9042

SHA256
ffac2ec7639e1cb4111ff40ec2de143eb1e9e732da4f0b06a7b29037546a2786

SHA512
089f106090e9ce7819e04702759807b37bed1bf64fabbcf2af478bdbb013cfa05e5a498908fb54b6835f58c2049f4dbbdf2e30ed2f28b41c87ce278089e2c511

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
366883a16618678ce4d4555534dd51e1

SHA1
5a08d3baeffbdfa8326df8aa3b5d8feb4f6cf5a3

SHA256
395ae636b106081d5e67de80674549eb962882275b238d7f9e1bdaf25c04a4c6

SHA512
8eeb3253861863c8c73cf92b5321f3a861e85430ff7d0092a78954b7caf0b7a7352249acba7780f1e2955abb0b1d26a4aa009ed3b0ca738f1ae8961ee95f7322

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
72a503b5526bfbeb897eb47e05918364

SHA1
54e5666f1f2f4e795b1259a3dab0cd7af67e2922

SHA256
10cd2c3f8534ee5af27523aab5dbbcfb1046b65f05daf746b46fc18af02bc8b7

SHA512
b8f7bfc51776f31993b36cfdc4ff9c336eeb4ae21b2c2223eee3d4e8d54879988be044aa02bab135bcf7804c1a87b9154b6a75bb5a8408b262fec65e712da8d9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3fc16c2bee2488aa409f32bf473d42fb

SHA1
5ad8a24628bd2b434164a4f0cd521fed338ed17e

SHA256
2f330b8a7bcf00ead7ac463feecf2435d385b14b89c568ab9bde586108489396

SHA512
60c1ab3f9238c1029439d43e977c13da27e07c46b156e87a710b99bba16390c1456533e622b334114ddb7be49e416dbffacdf5cd687c74c87f249db622b13637

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
62c34dba372abb711bba9f5a9568eccb

SHA1
74cec81e26501aacf9cb8ae526b28e2a5aa6e0ff

SHA256
5d3b2335e4c13e55b14c0c2b3a359975f4bf81927d1559d910bd08e40d1cc462

SHA512
cb8c6335b1379e4d419ff024cfd3fa60590f7336d096373272b8d03a308140cde5ba4fb770f77b599189e2c350de077be15298c497cafb86361fa0a0a0db1603

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2f1f04a7298e5c2e4a4894df2ce6e65e

SHA1
78b77974a40331627e732def6f52a1cd21511e7d

SHA256
5913160ff5b95be78da9af6c6e3a7bddf4fa49ea258b1bab467ff17e888fbcdd

SHA512
737623f619f9c4a52e400602a39271ccaf25a23d1f3a5cbdf1d78fefa92da9eadbdc43748e3749852eaba070dfe60e482839a1eb162be76bb69377eabdb5196d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b402f5b0509126bc8957899b0e13f2fe

SHA1
7e1cda8323689a10d3d0ca32606e71904e1c6dd8

SHA256
d34c9336766eaae0fd9591060f019e8bbec9fa5597f732e36fb330b35af0dddf

SHA512
4fdbfd2900467eb92907cb4d29edcdd1b453689530f26e660d4c8ccf0d772d46731e109f94680a73a66d6c21eed4f1a7256660fb1d4b2aef16ee7cb496116428

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b067be6c4fea192e83a8918dd0fe9bc9

SHA1
3d548d9ae7d462a77ecbe16e609b5295e3af3ff7

SHA256
e0111059618001bfec7e92b2a421f44cc6ee3352f7f3a3ee457491522e4943b2

SHA512
82704694c9fe7e441261c24e66a734754a64d33030bac5184e84a29f169575e332f532f58ef61f396feef3fc517b22fc154bd0e9c06ae065494d8c9b183c5fc3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
76673fbde8f2ad8220d5f07ea7347105

SHA1
577f00db3fca4b89ec15ffd1a5c4e42bc1d1f4e6

SHA256
303dbd8bce1f5cd85e32f0ba5f092e5586907fa43b3ed8dda633216be9f9d189

SHA512
ee83fe32c8d64fbb961606811891439371d242492e2984e67f3ad78b6841793d2ff1cce655efbdaed077f99dc71b569f32e7b020a508763d02b288eb254a2fdf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
18df73bd010817dcd6d746ad95e88274

SHA1
f64f6eb9b946ec10144b1e6620a344f3e065f39e

SHA256
8144409a680a3ad1415502e78f93889b4f041525c5fdb37b0b36e13a5c135ae8

SHA512
f9324ae7bedd0618162b18d764b68004f923b21b8e90a295301f16f41794cee3cbe3c70de890099a5ad8e59ea643b212455e5eaba04d492a5a3ea596f55c4df8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
10398be4f84e6718738d053cb3e127c8

SHA1
a06150d9059833d020fc2dec140302ef4de0b87c

SHA256
5ff5c9142f826ab514e18b507ef1621567454b7c62553a96207dd85b7de85b1d

SHA512
011513d0cc9090518c9cd86fc7ef36485339aa8c09dc53a8f7f21834aedeca4c40b7c3d65709d1daaba8ac0425f3a8df41af28a0a46a5dd10ca6d3b96b331b1a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4521551ea6bd77fecb4d84111f6a83ce

SHA1
6c80f0acf360880b7d8e08ceeaa17b74cad3e4ee

SHA256
f9e6bc241c90ae4e1d806b24c8f28373367fb732f5ff7d013e75270f47f44fe1

SHA512
7142e4ac4ba2b752f876f2cb9cdd6d61a90fd0a60f3ab308c7efb8c257f2190055f36ba0e189b7b0d005f9fbbb0246b814eae49af809d269294d77f89ea67cb3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
11600184be72c9bda6763ddaffa3e419

SHA1
c66348fb5633c2d05800136c17f7f65b589d0563

SHA256
ed6211d4aeefff231c310dab253681bee3a9449274e06357d5fcae6237b1c181

SHA512
2b2dc6b594dfe7a46a49b6a507148210406a8264976054952315b9c8aeecf3877641162ff663b0c414653c8252bd1528da6c3c704f5155086aaae7262036a97a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e0fcb24e9048da14c542f89080087da6

SHA1
57f5d70da7c22421a8dbcc8c09d115ceba0f11ba

SHA256
0d61937734814849a9e44f4ea98bf2f7bf2e137c3560fb0de9517f51c971e56b

SHA512
6ecbcda834b43ddcbca536f60617835907aa8a063e26de660ab1cc5c1768bf228d98424ae30308854a4104ecad95f595a92f90ad01e3d54c2ab2d621d1bd98a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f747d6c3ac04ae317bf6bc73055efde7

SHA1
cbacf8eded1012040ac1ff0a77dfab4873ce4b54

SHA256
f6b441861f17e115ed5235f403c426bfe6bb2bdbc2a424109426e60930a79628

SHA512
ba30e86593d913357b33d6c134cb1231886bbd3576c512b17f876b676da0658affb8867a5471b29b9fd80b809cec9b5f0ac864384d6888b415798ea8e8e7e6e4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d15d814b18828f6330fb18684d753b85

SHA1
f4018fbefe6f312d5b2f9122f44cecfe0eea884a

SHA256
def82ebb6b7c1f3383eefd2693534f7129cc1c23d863b319f64821ec85f3d632

SHA512
fb2f49711fdd4801e52fd8374d1b73ada7fad29af48e8f929ea1ed62245dd5cfba5c7a380f0a1b0195feb6a21576a33b86d73c0ac042b7c591daa0ce2262f6c1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a0d2205aba12cd8b7ce3e71ecff8ba3

SHA1
c9382975e2f28a8d501a62a4e9f3e3ea8129be26

SHA256
b3b9de9148797320fc1a66f186616691137ac203d99b4aae76336406a12f9908

SHA512
bb567e55f6dbebb1aeef51fd937e5ac772e9184de62c3e24b9bf2f89da8d43ec8052f4a5fb48f33196469d25e2f0aad09521bd763b5f8127fa9d3c8c1dbfba1d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
38ecdde657e8e3af83a34b4f303303db

SHA1
29ae8af592ad0428ae961c2777ba69552419de70

SHA256
7893f06eda7b3180540c24d81675ac52ece4934667cb7d0698ffafa0ac4fa102

SHA512
c392e6bd1ade0fae9aaf48ec485b993a7934acb1ea86b99d55ad38324b9c4c0610a7d139b18a45f3cb49b1e0594503606fa88f94f73d02fa9bc6e0d9df86a529

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a23ebceee2b66ea49c10d249e25a9fc4

SHA1
188be0a5c9807178e2a131a6dba789f5281beeb9

SHA256
cd8b3ccb2b9fd66b793bb149db5882e84113423b44fb5f8278a08b0a001e1679

SHA512
0db4e95fdd3061b0cbf0ed5800f7df2dea7f175677c55e0977b0453140476562507d864973bb1cd1645bfd055d60cdc1ed04bcb02f9df724e71a08996ddb3f4f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3f8a51c7602a9643c5f780bbb56529cc

SHA1
9ae0e4dbcae6e5960f5d3a7a00a3d3b6068de31a

SHA256
a052f113ed3f0a3c1526fe23151d86264815109337facb43d6e64bf16bec2403

SHA512
1d157c0942c200ab879c120215dcabf7b5ea754ebb051c371f27f48c1f4b9dda0c3f2b730508fa844e3ed45526a756ba2b433ffb2bf215db7c150504f8d3cc9f

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9001bff541ee4b499991450fbec40ae0

SHA1
3631f2db5e06cf37b9c6a30fa8fcadd4ccc269be

SHA256
bb1502ad878f9f6d7cf19328ee1c56856a912d551ede5446da1c34614adc0cba

SHA512
f59ac06d05222fff3037116c42dc1b50e80ba22667fe94cc63d49531b5d874d43723504fdc32aedf5dbc0253c9cf139ef3afda69b2987f04db84dcc348640fa0

Download Submit
memory/968-245-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/968-244-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/968-251-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/968-257-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/968-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1124-235-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1124-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1124-19-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1124-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1556-342-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1556-623-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1984-370-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1984-256-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1984-260-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2012-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2012-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2180-627-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2180-371-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2740-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2740-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2740-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2748-428-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2748-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2780-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2780-75-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2780-62-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2780-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2780-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3016-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/3016-0-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3016-27-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3016-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/3304-285-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3304-394-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4028-288-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4028-406-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4072-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4072-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4356-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4356-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4388-353-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4388-624-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4448-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4448-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4448-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4448-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4452-279-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4452-382-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4556-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4556-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4556-76-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4556-240-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4580-520-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4580-315-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4664-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-622-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4704-630-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4704-407-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4992-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4992-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4992-30-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/4992-39-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download