10b718a73010ed878fb6198529bb2f6c3cd8ba7b6d15e04b8468eb728a86271d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe
Size

3.3MB
MD5

cc0d9dfe9d3eb25b65cf11ca5bc0af60
SHA1

67fe7ab7800e319548c1375e5b59724efbc0a41b
SHA256

10b718a73010ed878fb6198529bb2f6c3cd8ba7b6d15e04b8468eb728a86271d
SHA512

fb352b78f3d6fcc55c79d44886b9ef79201ca9c9bbf5afa57f060437f0ff33f5da2896f69c0c78f77e3bec73b8151f42180975b436829035cbe37f105414ce43
SSDEEP

49152:P3BKBUvdWJTy4nia5w32OvfZcvkuRdLHkJEANmsvHHu3ts7YSLTQYWkK2/:qni+w32+QDENms26J3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4008	alg.exe
1980	elevation_service.exe
4940	elevation_service.exe
2532	maintenanceservice.exe
4464	OSE.EXE
1340	DiagnosticsHub.StandardCollector.Service.exe
4844	fxssvc.exe
440	msdtc.exe
1148	PerceptionSimulationService.exe
4716	perfhost.exe
856	locator.exe
1036	SensorDataService.exe
1524	snmptrap.exe
1676	spectrum.exe
2432	ssh-agent.exe
1236	TieringEngineService.exe
4904	AgentService.exe
4932	vds.exe
3240	vssvc.exe
2364	wbengine.exe
1896	WmiApSrv.exe
1336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.execc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\683546fde703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c2e1e90d2acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bad0091d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006487da90d2acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000471a4990d2acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000facf8391d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cecea291d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003689bb90d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1980	elevation_service.exe
1980	elevation_service.exe
1980	elevation_service.exe
1980	elevation_service.exe
1980	elevation_service.exe
1980	elevation_service.exe
1980	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	216	cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeDebugPrivilege	4008	alg.exe
Token: SeTakeOwnershipPrivilege	1980	elevation_service.exe
Token: SeAuditPrivilege	4844	fxssvc.exe
Token: SeRestorePrivilege	1236	TieringEngineService.exe
Token: SeManageVolumePrivilege	1236	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4904	AgentService.exe
Token: SeBackupPrivilege	3240	vssvc.exe
Token: SeRestorePrivilege	3240	vssvc.exe
Token: SeAuditPrivilege	3240	vssvc.exe
Token: SeBackupPrivilege	2364	wbengine.exe
Token: SeRestorePrivilege	2364	wbengine.exe
Token: SeSecurityPrivilege	2364	wbengine.exe
Token: 33	1336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1336	SearchIndexer.exe
Token: SeDebugPrivilege	1980	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1336 wrote to memory of 744	1336	SearchIndexer.exe	SearchProtocolHost.exe
PID 1336 wrote to memory of 744	1336	SearchIndexer.exe	SearchProtocolHost.exe
PID 1336 wrote to memory of 1528	1336	SearchIndexer.exe	SearchFilterHost.exe
PID 1336 wrote to memory of 1528	1336	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cc0d9dfe9d3eb25b65cf11ca5bc0af60_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:744

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c36b14abc05a68c663b9309772099b26

SHA1
dc99c83fb60abf21ec1c11cfa7d78adceca03beb

SHA256
93d6de400f6f1dadcc8def401ff1c226acb336bbe968c17b4da9146e9e5e298a

SHA512
6e0f76eebfdf36376b5c034b2b5d15f3002a3ce8b3238063b0c915212e897e11807aa55f98927bd0ffe08c8a8ced06630e704ca815fc50ddb524f4ec916c9615

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
fdc85a330ae3e8d73e41a550b651f669

SHA1
9460aeb32400932c870d4da5b6bdcc7995fd23d9

SHA256
902cb35a96f4c14d358dc781376698664120d25265f0587f0f892726069357ab

SHA512
04f0655dea4eab3ba69e33d005edc34fff60b8a5e792f51204fb593d397eb8c6c7b97eb961db7b4b9a1ebbe7e37fbc26d555d1ae20fac7b14b8011eaf0fa6fb2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
c591e3d27a14ac0fd8242d9326654f89

SHA1
fc4418142992f8778a3c7753b6650af80ab7f5a5

SHA256
cc01771a7efdf7e19e56eca748d45acb4073d6308835be61a94652b13771691f

SHA512
eab4ea8f1109e6a5192e560813ea6da35d0850ee572311842239541f840f093555f82818327528a63ce439421ec04cafdb3a5e2d4a252fe9b5a0aeafdd0013a0

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3056a47fe647d072675aaa346fd9c2c0

SHA1
a8e38dd525fb209aec79e35ac1e4b876b6697ee1

SHA256
4df8224cc65e45ea48c38838dfcb2d5260aa8f0fba5b35cc6622e7ff26a39aa4

SHA512
64ea54f52f792c7df67fdeb81cc69bdbe32deba3cf121df3ef110ded7eb0d8b4b0ea570ff332af24b24d90c77c7522b0312902102348b7bda397c82fbc43e372

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f98d2506cc92002110afb57c43aec45e

SHA1
c7ecc7e7bb64d4c3612673494c0a30eebfc7737e

SHA256
790e2527b2f56242a3c1320a63debc0d73dd5c652bce67dce0d7020ad1df249c

SHA512
3505ac91d577873102e73ba9265d63cd3fe101dd63b25bdefc3fd0c7592fe8a675e9d55db1183daabfbe648cc34a8e64ff6250c0389a1fd36a06ced600f44b6a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
d93b68a34b9b8fba440cf5fedf74d266

SHA1
6fcd2bb4aad67f5dc92f2d380bf3a93138e16d53

SHA256
b8c0b7513bb44fb98b66626c937513f96308b6fb6aa5f7acb90e3593fcf30869

SHA512
4f36791c9ad5161beb07f821eadd14ac409489d1d386dd7bccc8e6157040f1dc888b7d3e598d36316b8d96d5918947f7ab3bd66c57f99b96f0ceadfb621ce5a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
1008028ca483b7fce177c67ec8b6d753

SHA1
0de9962b8ee0742fdb760eab92349139f6287c3d

SHA256
9cdf869a2ca0f73c8d490276d3e4083f003774120dd9614ef55dc1fcce320bf6

SHA512
2119aedd922e395ae1e0549814cead85675a628517f274a4afbaf5d85e42bdc4f49b900be3fdba5376e5761e5f6bebc95faa01bdd73805287a4c0436461cf350

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
261d15cf17e8053ffac1bd2d33b494e0

SHA1
778aed911df8e0f67c3527854fe43b04bf236e26

SHA256
8e8af83896b630fbfd764fc0628434c24aefbfdb44aef7f53ea7418fd0d0f1a6

SHA512
e302ad2d147e0a46044442669ce85457b1acc1d566d9b92857c585bd17da7b6aa3baff5a9d791d0ab69fcf74af9c1d6a734354f94cdc8b095074bd5a713a4c83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
dec5bf10f5b15ce0548b7e066daf1772

SHA1
2cfca62d66e25b79acf0e16f86a70d612c47ae45

SHA256
848b9abf9c1fd58971e622c7a02bec37831364ddd810675ec0bcc9e93aae018e

SHA512
9108f8a9d98440eef36d3f7ab7d1d2c8a68f7224805e63f2542a9108f5c3255cf48d2b9bdc4ef980f0e8224a7ec6d005ef4eeff8871dfcefc495bd79fd30a163

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
d545f6f226df3c9d568f6be199f5aac8

SHA1
e63bd49d5adf16edaf72963038f1c5db7fadee0f

SHA256
2d9728caa1c53a3600c2ab04c8ba5defa9c8925c81ebcd4b90e4a48ce163bb16

SHA512
b11cb8ada4a81d748cba199d01377438b5587e9d07834f25705a95c4aed10ff7ec9ea7ba20c3d3b92f0ac3c6a22d16a1e70f5f11dc74237ef2c0a801a91453c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a7f7c1fecf9b1ba3d5ba90442de37e2e

SHA1
3502cd0577c7cb84328195e3c451118c869943c2

SHA256
cce2bbafd417fae6529b5ea35c2f7f0b7609ed8941f76b5cc96f30fea5c68a5f

SHA512
ff82d16edf9941def31b6d00428a530ac8b5914a1fd8d9eb0a4389e2862725f2049007a8d1eb6ad12e0577d2e3a78815a636f1362b06a10652e29d98248e7040

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
462b33062e728a939e2dfbf7696663c4

SHA1
7247aff965f7b67ebea7aaa9fd4307c47403fcfc

SHA256
cdc34b1b8f63269e112d00c8f66b17165d3d51de088e23603f53008de7bc22bd

SHA512
c9342fd5bfae19fc18ce17e68f3ad677087bd63d0dd0c3ad96290c3102f8c34620b2e6e98713533ea2445fea44fa95cfa60738d7d528df7115bfeb3a4b94e1e1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
669a6d4855fe1506eb54461cafe04728

SHA1
6d41a9c39e75f052837a8e32d6d62753d6088218

SHA256
526555926bbf4662a93bd341492b297eda861deb70308135d057ecc4c56ceede

SHA512
2085692d01d73781809180968b3588d71a3ce847911bb72e0aaf88270c3fced6bb66f5c46418b096979f0a2d15a9d1dbdf9893f45665e9959b20954abd67e454

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
80dbf7260b00754d41c2847c96fc7cd8

SHA1
fb588013590fc7ccd92c2188cb2ccbbf95cdda32

SHA256
32ef9e7393dc39fee8ad5cae5a43a615d4e31822663b5c4a68a306ab1f1a5155

SHA512
96eb555c018c622a944297d19daec6b253c7d0a8f701b89b950d5fb4b98e49eb72d015ef6a7fdc2510c940e664157b40bd083b317730611fd336dc5ac72418c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
68e656998159989444af45011c6e8563

SHA1
f49da2badd75279b83c41f715e32fde27d95acf6

SHA256
671954283c298494dc296853365a1e79743bd0bb95ed3cac453bdc6a56788c15

SHA512
a4a65dadaf5492baba58e9b5b209d07ebfd163382872b860ca016b769be6c55c384a962f52d62b3e91662052379554fc94a9f1781cd7c3cd2710329b70bc088d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
f055bdbb3dd8dd75821d933b25a7f47e

SHA1
ebd0a018e764ff1d49bcb54a1ee4ad92650993e5

SHA256
c33982222f8ef5082741570ce23ea2615696c4031d3f40a106eaa5a4f454bf57

SHA512
d0608cc1499c36dea3c8078b3d7a15755be72105f562129ef34428e0e05e001eba1252f9d1e1325a16be5a38a1fe93c3ec1715e7d28c9bc8ddb6f96e2782f1da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
cfd2943c470775020f1f47bb57cb59f9

SHA1
34bd28cd2f918349beb275cf18db4bf100e71e25

SHA256
47700bdea404b37285b5308238b0b62be5c35fcda977eb42a923c0aadd05f9c5

SHA512
6aec51036f72265cd95e42c7b14704a7dae1c171dd117252f52c37bf34eee81a2eee8c13102311a81578e7a052ea5a1007aa035d00f9b9f03480abb615870a5c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5e8774e7f4007ef79081cd73c1d27d5b

SHA1
c916f973c04e01f62a43fae5b27b7f9727da0e10

SHA256
9e88b54e1c819811fa6894035f422aedcb4fe31d114ce48e755253b2d21d28e2

SHA512
8b42a43d55f15b30149d575d3e57d50795c01b3b928e7c23e1b50b7db5f23d57aab74b1e59a2a44fe32c6f21a7d3ad0904c9a139e9e8a5aa2486e742315d6fc4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f8fcdc03020f0519b6a72d86a30b73fa

SHA1
a06ac05ea76912fb0074cd48ecbd5f1780aea319

SHA256
4a655a175cb47b52c1f22223467208fe5f65545a950b8cfd97e56494f5a933ad

SHA512
b40c724dcbf85474e96aa66a7cf703036f0626a56f88ab72cb03c8d5409c61f0df92af9bbd6d57fa1b2fa7e73ebc8b0f7f7857cf3bba479a0b3582333547c7aa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
feeb1bdb2526c9bafd85487edcf0ed21

SHA1
58d28221c2bafcd484488afbd6832ebb81720ed5

SHA256
4bda43b2899a23ec5fbf5cce18391e05d5078dc6025679dce88eb1b102882753

SHA512
2c6109a98f397b86032afacc2c78cc98dbad98873ada52828e55efd0225da38486c680d31f95851999211057245ef08b6afacf3462bda9d427975b63356a1f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
a2ed764a38bf2f89e8f209c1aa2a5105

SHA1
5964e1b93ce268124080b78162615b44916e94c4

SHA256
41cd66bbb58f01da9b449e69140dbf275d09b5e76523ef72c3dd1dffdd77a35e

SHA512
68cf54fc0d857709247359e52a072d79823e3683e3bc02a6eba5806de8e3a69596b0feab580ba4f6330c1022b7d08d96d7653cc3784bdd326cb8af615f6b2ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
bb9f4d871bbc96d39b7afa3e34521a81

SHA1
1babae4290d48a6919268079fe68bf0c8ef8023d

SHA256
1a9138308632ca7b1c73c7689f00a2d0f8f630c402dd0041cc82ec203055ce74

SHA512
b137c6cbba612a40ce9b6f757f047021bbf3ad0de5108a1d9f8166311265067250c5ff98e77735c1b0495c1b7cf257c52acb3e22c9218749d73dc1028c107ce1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
8de1ed68cb31b37c858129914959a87c

SHA1
625c2c6938905b5f8f8f9828cbf98bc5a3049403

SHA256
53ebd8d8168e7cd0b181c19e928c60bc76553d2852f37c6f6bb15da3599d3280

SHA512
05a10ac03bbf8001a1a0acf759e672654fd13b640218b881ece79954a5906351e89205fac777c5fe27a8b3280fad64ff8ff3203d9831e95ab80d97bbb746279e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
93074836042016de693f7e34fd9580bf

SHA1
35cb895450ec9f1060a35b0d97a8336dfa193644

SHA256
542c2398f82853828cee7597b712170a24feaec1489d30c874b8aa28dc608734

SHA512
10d4f203d917080ccb4cea4564a8ac2068815ef1ff948b1b05d28d404faaa8600cf9a75dfed5d9eb2bb8c4be48247ac7eb3cee6836aa07f3b1d923361e548e8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
24345a5ba5ba0bdf51467a88334f9eca

SHA1
1e6d03eaff112012121a415b87f93a1ada3e70d2

SHA256
d257122525dc2bb75d8d524939fca947bdf7b03611d044d90f6fbd2f160328e4

SHA512
8fb1bba97587c21d7a423fff2bf1dad9a1f2c4bd5d7c43597723d258e254d2c2c72281b169ead0005d20dda3442cf2667ecbfbd3afcb4da957c541f8cb80b48a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
3995994e215bc052e711eb1dbfb41e49

SHA1
17347cface386c47c3719c73d1476e0b93c80665

SHA256
fab780387896adbb815f89aa7e35cca327b3c5367b7092e6a7fd0177888a5b7b

SHA512
26418ac2d41b4d96eca36de1116e049b9fcc85dbbf58851579d303991cb98ddc172d43debefe2e4d84350459979651639669db038b9ccbf031ace36fa9a767ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
b545dcf0f35b05d9f62a4e917660a956

SHA1
0243aa82d6115aba9cef1424babd848cad8dbd82

SHA256
b9aac2eeaf47182475f5005f1c9933da97b8685838deb737dab2ca55cf7938d5

SHA512
4823f5ea955107a547090da9ef52ca9a88cbe3c564cf5420777602dc95615deb4d3a6934c9b0aaf367dabf2d36732176e47c68cfdaf8d5223456179714be08d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
2fecb0d1fb3873f35a2248ab2b4f83b6

SHA1
91bca97f901878c66e4f94721d94d2432d86be0d

SHA256
6bbb7e2e8c7b142526c163b1a8d7fc78dce23b88605f313b485b38fa48b37321

SHA512
b7a4943f3589810bb606503bf0fe549235dfe4e8787146ad56603c1d47b5dcb3d932e90cd7e2d842634e5d05b707082cc9b7d58ecdfc094006dd4201aae615ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
b8f2b8f0956cd5d6773b6446ac018863

SHA1
5775ccbdaa796aca3b5731dc3147525df6cfdf99

SHA256
725b809fec76835c0ce4addbe6e2a082d785feb26018791bf07ec18f84455bf6

SHA512
13ea77675b867a55af574df3204d4359a75c46bc88483d4bd23baa2cee62d890b5944892820dc24cbec9ea929965cd15bce14d037eda453c277584a2cfbf0cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
d178ec5369fae1441d304c74348bb9c0

SHA1
95590653e184ff26504b8456cb16ca8324adb6cb

SHA256
4097767b9407ccce033e9ed2f981c1f13817a4d8339d8e3fec93ff52f8f5facc

SHA512
20ecc77c279d79266ffae2d9979b61b168d25caca9f5ddc811653e792f3922d42b17fcab5ee278a690d5a4ae6db5ec858b4a172999e8665e211814ccac1996eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
fec5370b31de86c3abbe4b8a185bacf7

SHA1
1f1aa330888e9b79947a55763ee2988eeaa94c4f

SHA256
76c3387f309d3405035f4a66499fb6b6b20bf5c308e6232a30677891f983958c

SHA512
9c0493a76270f66ad16a106d25b7987bff108542b7675435820efa68076372a5e60b740c19cef023a071263fe9478723142b7aee0e73607290f89d8a49d6a5fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
dbe04fadaa15ce57289834cf0fc112c1

SHA1
21be1793e22a4de72a2b55a3d2689053fa22e748

SHA256
74dcb2a91c27414aa8e5c6fb5ffa689638004dd93a75f1e6e9622cdc0ac4efe6

SHA512
d2e3661e21c80195cda495317442f580e301de8646ea57febfd8aa5f1178bf00b2963d7bac3768ce1b74a4e7ae3db6081a0de1f5f5474bbdfcc4eae6734681c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
d42d75aaf58465101a166b909aaef72f

SHA1
213ea163565e5e58b4f2d54596e75e5eb4c4b201

SHA256
cf0f81346176f391fdcda052c568e3df585fcb0657c9c3a8b46049729e37b808

SHA512
2081da1581e4a0481e563de192d8fcca1efdf7a68f40b362baa105f002b09393201b658390a4d26eeb2bed0efd8c07febc0707606755cb609a8e7076126259d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
7005c362cda7d9b90f76718ad582a4af

SHA1
115a99b4d9950d07f18fc37d73b35e4047670d38

SHA256
740283d1c3ed82dbe29ad7deb23dd8a85652d493a7c1732a265d6ae245f399b0

SHA512
1dc739e85e343da2f066973ea455856146bb04d34df6ca0fe11720a19aec85b0fa8e863326d8c75520b6fd3a76fe2cc8bf48312f8777710f3c0157dcd061f9ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
121e1133d6b6baa1ee2b7c3261203bc8

SHA1
58f28a50133fc03016f8e9a342ddbee15d80ffb3

SHA256
e5c472703a8f34e08d70d5eab468f7d3c98ee0619261ae0b724c0323dceb58e7

SHA512
bcca1c66c79a0d699397ad99bd5b77009b41e53a77418a805398b9b830772fd38ef887dc0730a41701b78b104d70dbefc9da6ba6dc4bbe9e8a1b32a49233db50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
2e9cd9e633f6816dcfe9df543898e659

SHA1
61a299b9e1a8ab3755046aa798e3b594c757ad13

SHA256
de221a27f8b2bd6acb30f46e53afe60a6a440dd775fca75de3bd713477bf9c05

SHA512
cd9ce46d75282402de71378bbcbab6d8c6cb1ca2da5d8a7f5a534e8ce0e093f4c42dc0be5e4c6fefd29543ee6fa843064e2f2e84a71d0bbf1b6f959aa95f9d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
9067d72064a562eac06404213bb36dbe

SHA1
5db1b7707de93ba503a6fa0ba638d1888184c616

SHA256
351295405a5daae58a7279d0994c83e1c95f55addda70912bf6727e7c31c70af

SHA512
f65f26326628aa89e10d2d2cee1b590cf94fcfbde09e54949c4f87e2abb90d9cc08603b0e161dd7f12d0a1477fbb29741bae964daece178bebd22bf36bea215a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
24e1a076f7b0a7a1c56da76c2e0fb4c7

SHA1
f486c966721761435a6097cfbabb4b35bc19a5f0

SHA256
87a147d284968e6b51d78350e2e3b6fb046e0a5533be61843e508d40591ca953

SHA512
e05ec7a88c55c14548ac06518afa66f9a5a3e59a0ebea1d2570b9ab25beeff19c5fd6d01ead96d12a42123dc258f7434e25c9b7cc2894f42e2a73f5871a726cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
3183fe2175b9d276e9b6afad355e8af0

SHA1
26e276d90a2dda90d52be48dc7d0965d0b32bef3

SHA256
01110d0a80357a4be43e893cdfb0fb67a7d864ce5b508e35e2765af22e6feef8

SHA512
fa75337dde5106b1df8fc18a2316a4da08ab7182298fc9c4a61f8d27907bf8aeb45a2b1198cf07b9d98673d3460a707b614be1a841e078bef3f8ae995e6c4728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
0154d8fe3076a4af5f022fa90efc7f36

SHA1
f05f917986a4d75b17c073d49ce66277804c7db1

SHA256
77b632615ec77299152c032021c72b6fccbe0f508aa48e3af4393fa2a428b6a2

SHA512
581733eaa1290d87b09c4c0a624c8450e6c9341b6494e541b383c11c149e276ad60addca11b1ae04b5ab9ff57120c063993cee39a54a9673d54e9c373bcad5ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
bf90d3be97ebe7d7678d784296d1ab60

SHA1
abe5e9a7d4700affd1857a63e45416de5655c0f9

SHA256
45a5dea2c43d58be2ad4c412289a9f82c537f93afad2cb1fcaea70063764482a

SHA512
7472abc4d9fe2be8e35ea558bbfc9e95bd275dc8ab9c9c37d375e08d5eee79252bb2e0a989d9c2e66a75c5d6c050655a3d0c19be214ea810b9665ad91446ef0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
a33abd3e02943094a71bf0b622fcb717

SHA1
8dd6da379e9c845e160fa2264d15ad2685ba391e

SHA256
175236d2f8efd5d1b079666b7c3350aa34144fab4d499fd9d3c2ebf0ba835b21

SHA512
98dd9a3ad38ed55d85a76d978ef63f8f801ce2c44da747b5749817ea444e6e65ea3774ac7d52538138f2b771f6138999c8e3a1471cab2ba0291d65de12a53e49

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
359971791aca882f9b733ea2d243ae83

SHA1
bc350cc6f08e7256d0bda6f889a54f7f85f81751

SHA256
85a0546bca869c1d24fc58caf60eb21362864981fd69ecb0fe4b1592b7b0e6a5

SHA512
6e7125a0ef016cb00c238dce565088bf900d2153db1466ac12e446973082174cc92f94d8e16aab91c67f6d512212fe74d6569b0ec2858a909baef88c5ab1c0e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
c1491dad918a43b7428d30fc4c1b3f00

SHA1
865c0fce3c7121dcaed3114513d209211c61ea06

SHA256
07b164fd0fcc12fdfc395fa5cd0d0d955f3ba3d3595e88f0e1c9324d39837d95

SHA512
03dd1785190135355900e96c3967391750b37a4625003d043297ff3532b6f5068346781dd06ecdb9a8771f4eb53f5475dc4876823dd7bb320b92acd09105fa12

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cd32b93711939edf082124d0ecc3a6d4

SHA1
1eca8fbe26c6b5ba5c891f4551d84c55a7e1e1a5

SHA256
a158d837a8ec0b711f8e7ce946e8dee3b3e1b8659423ac6050ce68db63cc511f

SHA512
fd82f7233c4e14a00322b01c3d9a8c17d33108db8d1dea2ef1675abec08d197df69045fca2217370b74d9fd6db2b4cb0200db687e58b9d3dbe661f1e206a1729

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
2928a01a0fa157e9bf690afcd52ee0c7

SHA1
e14467cefd5a564bd44a87a58c63d70711ff6689

SHA256
dfd0da17c6140f99047688e675ec169bdc7ae34273390b757fb35c393b50b6a1

SHA512
9ba5e10357973e9c6bc500e64e31677fdaeab36963a93c696933aa2efd2de093a01c7823223c276ffdbf6ec0606010a908d7d9b408c18d81eb75295b9a003904

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
45bb7e3a9f7f0276c7d223fd17fce7ef

SHA1
20f8c7dd1be199e21d3f55d95425cea658cdaabd

SHA256
ad62dd4a1104def33f16eec4adf7f9c63a1786167baaddbc41cf40bd58ce6a15

SHA512
7b708ab21f42eb9026228ddbca22809ee8b3a4ee187d7953e2ea103461888b7ce39b77164b2c96c96a0c8d56d687cd331347d1187bd651815a2f6b8c6863b208

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
9adaaf75a5fd574f9c2208a131980100

SHA1
14213e85e986b35eb0f95b6f87f6c2f5670dd1b2

SHA256
5d1420ecde755da9e0bf1a2ef946864d5e94d8ec902cfc131cf47ac1da490fa2

SHA512
f9331a0718eea8421ebc022b0a822878c3069f1b549fd65ca07057f264bcdbe389102bc1cdbe850b1fc5f7a14d9984e6aecae745327701ce1b9f311704a75721

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
956ea80f9f7f8bdb29a1b5e87a71ce45

SHA1
4a355219e823581cd20bc065acec27a479e71b47

SHA256
dd472973496d620fafd3ab8f81814eabfa1d82e8cc5fb12dba7276a7546d2009

SHA512
1f968f982ce35c9d87bf46762b802139159a6b130e2085ebb20ccd4082819ad931a91a3923fb3bf6a576bbf62838268a9e7feeb069d43626ef92625cf4d1f9fa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
3dddc2f4054ce42fac8c32e39dd91b9e

SHA1
93fa26ee80e67b1d17bf93aba8fe57c31fb7d4ae

SHA256
fb2f36c39556d3758deede27038ad93ef8466a40f8901cd5afc17871a6bef2f2

SHA512
a7c167c64917a4fcb93c23ca3865a3a984083e7480e872ba27322a037a56215afcede3a33c4f37decaca788a2ff12b15683089d5ec9d68dc1ddc7f8029bdd979

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7bf1f23e0e515b22b7eda54204a45e7f

SHA1
9c46b727ddff9f6f27a48688019ca9c573a9ac64

SHA256
28a5fdc012d1c837f5766ba49e2a2e3de1db3011d7a5a857be20c2cb5f980afe

SHA512
6fe5211ca0fe76f5e910042a000d1daad3369b36ba641c466395c674e70431c8a39dd6ad095b693c91ebd48e9cc9051adeb81c7b8056288f80d06365cc34e86e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0699b6a5efa56bdfdb355ce6ca12e435

SHA1
15edce75aa6472ad64f10ed1984b25011871bd3c

SHA256
b1331a869b312324a4ec81e71906633419c53c360b3c07250ce6a38ada3f1c30

SHA512
56b245fa15c5fe2b6bd0b6d38004e517de7435a39fc13915df8193fa82d2bdf117f91e4cfd2f8772487f22b5c6de2207b074592039a4416adce522f6a5f3b18e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
97a800399a8e8f98d18da1054037d98a

SHA1
66e2a013fbc954a4205b5478a1fb6ffb41f32f4e

SHA256
333d7bc3095821f374fa00fea1df0b0ad2585260fd5d921524ae073949aa3eec

SHA512
73c95a25808bb6e148096a5508a4258274832f637fd08603c5d3e95801e753caefa8d408280aadc06f5d788ac7e0edb4167db58460f9047314f5620528097a1e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
a79097dd36d909d61a7d17ff9211a4ac

SHA1
38eb31af076d53d5128bdeb5016e6149f09af7cc

SHA256
d9281c7b72475ef0951f228267d27331734726b1e4c584261595d0bec5926b8e

SHA512
785164db1ec590066e7e44faafbfc84e02d141af0da2a6d360d3c151ce57d3a44263a6cc9eb5a90948b5f36d37e1ff68b466f84c2fc007c1d72cf4c05b545486

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
2c818b1649adf86ce09aa091a651c84a

SHA1
106f32bd70fc92d24290f051967ae2d0152ce373

SHA256
b5c7d4c4012a6e022261178c69a0a54fb303029d3ef012b562916126cb2bf31b

SHA512
bc66d0398caa61894fdc50766a76f27a772c14612552b75f0e154c1976e82ee9168f7be62fd2861bf04cb69468afa2637c327d5d31333ba07abde73049770195

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
0d4114c46a6819450b7d68b28948eaa2

SHA1
e73c9c681fe67d12798ca53633ce9b7f1a384ea9

SHA256
3ba6741d8f7249bead6c64a4d053f202a04b9687d149ee0ee76f70db30835dae

SHA512
1929ecae394991e3fba3622e39b335df16bdee163216380379c4a1faf214ed8cc047b2a0af6604a7b61851f510e90c67e122d98b3fdabfe935ae3b43424e5215

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
8b31bd82410628ae4b6196f501ee5241

SHA1
727577bda3eab2f7510f267da1b3d2c9a5f006cb

SHA256
6b527b941f163a0b674f7d30e7ba5f329db95e8c1b7516da790ee6ec80fe13ff

SHA512
54d1f161487eed389900a25cc25f3a1471347440b07f1b2d58836e0fbcfbc96450a3c3c5a22019e31eb5d10dcd72af15699909da59fc4f7a3d91ee4646034791

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
1623c8c87623769241b960c38b8b026c

SHA1
4b9cfe7ba6870df8af2ae94291f852d9ec2ef3e7

SHA256
7dfbe5d099886f8ba1f8fdd307328c8cc35ece873b834644cd6308dc1dc1e0bc

SHA512
9686e8d998e10a4ca43c6d13d3602c8273a3e0904a7f2b8121531d91d33a2b25125d6f36e10395ae0ab7dcd8faf11d0fee0db1968c9dc2ea6c1f74f075fae3dd

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5bf76622074619f3856ff2247aca0468

SHA1
e250c46a41d3fc8e3f9b6fce3ed4bf4aee8485c1

SHA256
c7d58f5a5b1dce85be95beba18292e306dfcfd42100f6f3cebc4cc945c2c8b0c

SHA512
bcb779616f2099dbbd6e5d52931cc57fbef3a8eca96a9267a3dd235f41279f20347311d97d4264a4e2a948ad98ca9e24eff3612546126022d7d69d53add2203e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
bbf0883136542b6b94dc8364cf96045f

SHA1
eeee074b584da3ac6a94dd8041cb7bce3bd4c58c

SHA256
7f5369c7a2b9c4df44a1e5d44d378a5b78b47aa4f41af7c70d819c39277e553e

SHA512
0f57b4b96e7fdd75669f67a46e2c826de4aa0a0720aa8db98f4177db10e6ab67e99e5049b394d8a7970209bc875cb7921b8a57fe1f35dbd22fe9dc44ae5c2d19

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
14d55fa4962affd31684450df3a14e9c

SHA1
0b1dc87459a809c77c7c34c274e95e378383a7a4

SHA256
2b464bbd4325f3f05883435ac1edcbf9a63b897d4a83b6f304e0dea04244b02f

SHA512
5e509072d9db1d1d9959102362a9156480be047a8b9ef5d344d160683bc424be8ba3871f7a77982a2e4e9f7c8cb56fde60fb2c5583049653c84cf70e19b7e918

Download Submit
memory/216-22-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/216-0-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/216-1-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/216-8-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/440-388-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/440-269-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/856-424-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-305-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1036-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1036-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1036-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1148-400-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1148-281-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1236-531-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1236-371-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1336-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1336-539-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1340-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1340-362-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1340-243-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1340-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1524-336-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1524-522-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1676-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1676-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1896-431-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1896-538-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1980-28-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1980-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1980-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1980-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2364-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2364-536-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2432-529-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2432-351-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2532-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-64-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2532-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2532-54-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3240-535-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3240-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4008-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4008-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4008-23-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4008-233-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4464-72-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4464-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4464-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4464-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4716-295-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4716-412-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4844-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-255-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4904-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4904-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4932-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4932-534-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4940-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4940-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4940-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4940-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download