62f9682b37f89b3613e555cf89a29a25e4c4f442ada91461d19cfcec25ffa496

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
Size

949KB
MD5

8a66b250f1382980ec69b32edb5ed160
SHA1

b50bd41795df365162e2484499fe62296ebb3b09
SHA256

62f9682b37f89b3613e555cf89a29a25e4c4f442ada91461d19cfcec25ffa496
SHA512

142e161052be70729088e70bcfde914df8b8122050b3717587184a1f37c3289a1c35837e1aa70aa17f53564801ff5b20d5f254c46927227462e068fb2a3aafe2
SSDEEP

24576:KhXiV6+BDQTYfCsSwuux3lPanAMSeJBa1QjtZRLb2DR05xu:KhX5+BlC/wj3lPanICcGjtZ9x

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2432	alg.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
4240	elevation_service.exe
736	elevation_service.exe
2560	maintenanceservice.exe
4572	OSE.EXE
4084	fxssvc.exe
1392	msdtc.exe
2016	PerceptionSimulationService.exe
4344	perfhost.exe
2236	locator.exe
2324	SensorDataService.exe
552	snmptrap.exe
720	spectrum.exe
1456	ssh-agent.exe
5116	TieringEngineService.exe
524	AgentService.exe
4820	vds.exe
5040	vssvc.exe
3356	wbengine.exe
2936	WmiApSrv.exe
4696	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f8c390ec4a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\OutProtect.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005670769ffdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077ced59ffdacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6cdf49ffdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c36bd39ffdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048e007a0fdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065d0b69ffdacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c16bf29ffdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b08f09ffdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1604	DiagnosticsHub.StandardCollector.Service.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
1604	DiagnosticsHub.StandardCollector.Service.exe
4240	elevation_service.exe
4240	elevation_service.exe
4240	elevation_service.exe
4240	elevation_service.exe
4240	elevation_service.exe
4240	elevation_service.exe
4240	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1272	8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
Token: SeDebugPrivilege	1604	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4240	elevation_service.exe
Token: SeAuditPrivilege	4084	fxssvc.exe
Token: SeRestorePrivilege	5116	TieringEngineService.exe
Token: SeManageVolumePrivilege	5116	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	524	AgentService.exe
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeBackupPrivilege	3356	wbengine.exe
Token: SeRestorePrivilege	3356	wbengine.exe
Token: SeSecurityPrivilege	3356	wbengine.exe
Token: 33	4696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4696	SearchIndexer.exe
Token: SeDebugPrivilege	4240	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4696 wrote to memory of 1000	4696	SearchIndexer.exe	SearchProtocolHost.exe
PID 4696 wrote to memory of 1000	4696	SearchIndexer.exe	SearchProtocolHost.exe
PID 4696 wrote to memory of 3520	4696	SearchIndexer.exe	SearchFilterHost.exe
PID 4696 wrote to memory of 3520	4696	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a66b250f1382980ec69b32edb5ed160_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:736

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1392

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1000

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ae230beef84db0702f9dec4ee0d80f1f

SHA1
e2b961fc3d93d9657418e9fab0794e98c709adfb

SHA256
f91fc9a68d3efcfa222f0161520c5e779c987466e8ca02608889034521b12ac5

SHA512
c2a2565cb35eb90c427023bfc70bd4d2e8dd35580c8020767129fbf023d9313b9ec8999cd3b5a66fcc91420586e1580d158090b78a91c521720e03a873d91982

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3830db1d262be230e898cbf5d4b1fbe6

SHA1
dbdc05cb68dc35945c8313bc2be743fd911290b8

SHA256
a0a40c4ac77986c6001006c23acb3fead1f7968d9056ba54a41ccda696336bda

SHA512
25170931feef2e6d0738c8b03b6624ad462c4ca051c5bc23942c88a85310a4745f65763f917bfd6d32189a28d3c6cbd9a777add7578379bb8a19dd12ffb33de6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2a64c707e2e26e495bae2e6563e990c9

SHA1
cfd54536744eb65934a35942ac9b83025a5e6b52

SHA256
22232d3ef1e312b260772f334af5b0de0f9e3b719cb500eccc5ad589b96b73f3

SHA512
fb0ff78b6cbd3d2b0ca6a0b37ced4d58ee841bc0b02236c58f92109d5307861a13ccae8979d871016d1f2288ce145b63357370cc35c8d3e710870baa95135c95

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f4ac99183dba4054000ac8699ac909f7

SHA1
b04efe1a71a820ffc3fbfb74e64c4a591556710e

SHA256
43636869cc2514123cc85bd90bf896241f4c7ba1e85db2c4f8d315d379c9418e

SHA512
dbb72f675339dd975dfee541079e8c83b321dc55f9ee28a3476f8eed947b4be9027387b0d78ad78e2aec92f2797e2da6434ebd016af414d1055f7b71c6f6288b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b07408f2b2e77a71567601b24998b5eb

SHA1
f0e3d1a5c6fdc9e393453a31d837bdb6c6894a96

SHA256
4a6ba86fafe1e088c7915da37e9628d05cf1941617eb889b524627cc669e887e

SHA512
a20ece07a16ce48f1ce9df332cab410e4bcff365f7d32a73bc73edf1a34f1a12f424be72e62ac8dbc98c6f4996b670a5a1dca017d7e331324571dbcafd26c2f4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6a15a2816934e6e1d17232178ae60388

SHA1
cbc4165887c8a1b043442713e78671cc1254dc84

SHA256
dcf326757ae397761a8ed1c0d319ee1f239d86251110cc81478f540b926f3cf8

SHA512
b083a1a83a63c706e65db45d09bb84c560cabfd303e1c1ecb9b4154d5a6ed220f797d8a910b0663d5d00249a8fad7b37ae57f4356f8def654327a7378777bea9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
691845421f5b0e1e2c6b58f7c3834a2f

SHA1
84ab448d044e2083fc8f0fbf5f1ade1bd23228e8

SHA256
343f2a19c536fcaab89788d66a0e35e430b1bc992548676fbd0a70fcab711ccd

SHA512
591f9cbc6b6cab3d340fc69fadc6dbae53d68cdf564df3935a802f33675c61c18585f49c0fa9f56bdd4bc31b409fc5c047c44c553d0f4d01f52a481b705f5348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d4f733d6eee042c745a9f5cbf1bb7cd7

SHA1
8742df8b0c64f7f7cf04bab2d32a5e628db25c45

SHA256
7d142c77b2ff335a642ea7336ea72ba6a41b420a37b2ee1e103aad04d275b220

SHA512
c45a87caf669444a5af4c816efca013f5c1f59c6729c47f12f3191bc9df3eb4940216c3a7afa97bcfce306fa483e5dff38107371a708b4099375a1be44f18e26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9836154ac326c2e582e9473cf18eefa0

SHA1
519a3649c85281a9bc993968a2e1c5ca7e453ccf

SHA256
0be3832ad5449e6210a6ebf5147d5d6caca32af67f3f0a2848e689818335b854

SHA512
77bcd4c61818ef1e0c7e8cd68892c29e374a7ff3eaa7216cd0f842ee6ba0c0f3b70b9eda5e6a4899c15978f7d7f49990c6a77508c7dc577ea18da67f2384ef2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0a5e595de1b56eaba9be68b05b1cb6ca

SHA1
3fc0f54bf28ad19bc7d7b1958c909d345add9276

SHA256
f4af7fccb41e112a5dc4cadf7db2c8145bf44f06e32d7a2dfa9bd9d8898edd83

SHA512
9c50a63aecdfcfa493631f54c27b532e80815cf6633423a485bc67cb46f3d5a4b8d94ae14c51c796b560bac9bc847059126a36a4c4aee8a0dab18e6aeb0c29a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
97105efe27efbd9630ecccf9add9be24

SHA1
e835111423d1e4348636e7c2b0382f972244ec2e

SHA256
78e04fd8ac89a6e07494d1354b61ec7ba30af67e40bc06006fd8dd281365d302

SHA512
d259df431f0c2b6eac0ad5cc4ec04156821fc1d9e57f6a2b21a9d1896b8e54d4d90dde67c530397c6d6879eee5dea5e5b252933f86b11ca5dcd23cffc4ddaf5b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
34083ee25091cf5c367f9fb7b7c117ac

SHA1
4201c24a2cfdf2490e6b8f040ae05eafe036dd9d

SHA256
df7399a1c5d4f8b95a7fa211ea66c467c95917beb32fce0009f6439acb9e0504

SHA512
5c1712a93a5fb477b00eb2d1dc1153446f808f66e4a7fe0700f8ecf8dba8cdb105eef789347a984b7fc33bc1f28fe2889f7fcdd37807fec68cf7e1c8fe96db80

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2a9bb80178c2949902762c099c66c0a8

SHA1
76911ce22696b25100f96922c04003bbd5bc201f

SHA256
344d9b0fb16b4f374de7158b7880651d0150eb9cefcbe7ab9c606ae89ca8afd9

SHA512
3378a449009529c57f826387e761aee8eb3f70cb45b89a20f30e7fb1100222b37ccc21ce20d50bc38c5425a01ff43c1c4adb005739ca0ea99e6bec809d4a5300

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f0cbf941c11048038274dbec7ca4a42f

SHA1
2c61175aa3874bc8cbc238fcca50b165353a8d29

SHA256
677649a457f1f701b89e30b9b6e5ac387f2acae1f8eb301000f6cb18c1db3031

SHA512
71584746212e88c5c99213f4bcd0b32051aeed6a8c5245bc6f368ea9d7a208ce145c9a57228d30cf59285148c25380a579b3065a096388298345304c9e404991

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5d41811293bb7c5d88b9cc0ec126f250

SHA1
c8761fded83f5c59d7592c2fe7c8d30de1a20496

SHA256
82e761330e1e9092d08e60d773821166b30395f01730de9ecd3163822648c6d8

SHA512
9857e47e3a445031b52ad58630b9dabbe1d61c4c0d693416b1129d3a2fd5ec08aa7ab199dc4e5b5f0ac21135900255e7de122eb0241e33c0704e341fd828d219

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a5a8c3d98f263dab5deae1d2ab5525e2

SHA1
075e11df6b7e0ed6bb9b08ae6b20a7aa97a48c4d

SHA256
dc4cfb58eba36957f660daee66b675ed156de4a6f20e83bfe05aa538562e149f

SHA512
73ac78ed740d222a68556979362ed2149e6418b9fae7fa6f1bb3252aee6a3ec344e7e206dbefc8e3775fd2f3dfaf6968e08c87e031fcd684c58f2be83a47de8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0e553d16e65248d1cd01a6c03391a435

SHA1
b73a3d4166e4ef0e3cfb9731731be7783548bb96

SHA256
79c058241ec7e35dc7b56cc77213d5c31b35c6e6bbc98c61aa11e8ec0a547554

SHA512
3c74027c6ca982e16c8fe0c6d2c47d020cd6904af78cbf448e499209bce5eaa1e2c463ce6f15b07e5f746fd0c7fc2fc5a2fd0001ab2b07f0990936d0bc8e57c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f3337a0c19f720dc4b14a7a2bbd6b0c9

SHA1
372672e4c2c41c7f8e53557099520199c1666fb3

SHA256
5dab66906c33cd44cce84b4169b318be9ecd7acd3f77f05c326136bd282f0b9f

SHA512
218890d173a0bfdc886d0b2623a0de7ca84eaf55e991c4fbf62b7a13d1865fc15b2a3cff9f9b9afdc9ce139867b3ced53efecaba3f83a720377410593372b647

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
08b27ab80d3c3f75198e750c7e7397df

SHA1
7fa41ce4289c2d5c92240ea0e3fc05f36ad9bf56

SHA256
15b9a62a9c05557e1e9126fdf1101f8d9a4dae94d320174bf3adf554d24adedd

SHA512
6923fc6f24d9398b136b4c17a0c850334617f748b3e3e4ea6284ca2e1d348f71383fa6dcaf4de6cee2ecc1d70d6579d1af7242d76ca1827a37b7d79c2d824767

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e14db488cda4fc93e84dcb146470fd2e

SHA1
15ea0e7d6f6f9ff11b8ba6805015b0231e15bc70

SHA256
d44cda7220f88ffc11d063d3cdd912f842abba65de32621a4171e528ae2f3f37

SHA512
10bdf3b1133a1ac440a6a2265fdbc7cbda7117dc3769e6647fb98717924a3349441bbbbec49533124c4d76f3461f01ceb15d19f14131295d7e926e05e76959ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
62f030e650483bb0720cbcaf46536412

SHA1
f50c37a48f6bd7a44761ebd7afafab5f6e6078ce

SHA256
affc55c39dc55b2b450ee30b8f02fe1815d5129260432ad9725e68473ac707ca

SHA512
4ea2c87630182828bf816496b4cded958236fa20eabf9f9dfb8bfe215eb098e20260cf37a095d089c800c640a3b66c66c4f4405948d95be5a622bf0c86e55a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bdfafbeb0950d67f207fc8156957c8d6

SHA1
68ade4787418fc385fb0cf226bf675211caa779a

SHA256
ad3d7448e7a3decb644f7d87f7deb2d0c7a2103b341138034eaf427e4f18fc72

SHA512
ee1777904ad55eae34a9c9372119054f07e52ed44d488967d55820405499a734ea81659a76a5ee2d9de7c3b73e50cdb8b495a97c1db7742768ca8f65d7f17154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b724e71ff537791631e2a13c160e2413

SHA1
ef32741f7a8c1086c3531528a9f9e6658cb3422a

SHA256
0f557ee03ddbfa6e89cb4dfaff9a448e9bb730c32a065798ad4bb395cc0ef50f

SHA512
01d71defb07f760ff2ea3f9b8b13c6eb334ce421c1babd7ea4a4ab98802c400f48ea1967489a7b1dc8e812a751274228b25aa46f95c492a5975aacc55b9cd8ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f5dc0b21bc9817039cb76f7fea7192da

SHA1
28c26f6ab24397c64304091e1b7c675c3d129ee3

SHA256
27fc3fe1a0c1b663e8dd66ee6a4643e2e72c863c3d878eaacfc9d7d70af2758d

SHA512
675afe996cfcca800a7cda39be16b852b79de9ebeaf955f360cfcfd55eae6046aeb30d87278ff488d8d3950a3a2ee97579fc9682c4e4140e560f0bb3bfdb571c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6f9b0ab647a5173a4ec6c768fde5489a

SHA1
6231941d576c06f305bb7d40db52cb78c8c58945

SHA256
88852e1a3136baf50c0f9a0cd1d9cdf7547fb9cb4620d13cb8a7f85ab7607e32

SHA512
4db5afc75cb6d2158b2d5da6fcb4a352492207f7de97d3ceab948f991f750beadbb16dcfab1a59b464de72f50ee2559168b72816c95d1fc6da7b59af12d03ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
900bf8c22998b159d806a45db983e088

SHA1
33905a70f31c188e847fde7b327bfd346f25f613

SHA256
88ada2200af875785d5376ff2908842f9bc7c463d4ff9f7ba3ded46059120ca0

SHA512
e90d4ba28cc967c5bf15a9c2052a9191c26e7a6cf7ab47ffec99a4da7ae1aaee56a5ea17c65a1711657624fbf16bb3b07ad9450ab45cf432d416694c8f8ae29c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ab14634374caef09b64d8a5a3864870c

SHA1
da25758e33e52639b638d5cadbab6acc197c8395

SHA256
f0f7ad745ebc5d11efbca37be52dd75c4f4922a28524ec5f5c2e47be7692d8a5

SHA512
86b37bc07cc23374db8e6d9c31909876104093957e36a2d79f85e132ea0cb27265278d2ce82334522605b39337eafcebe580177b3614875d89b694c9780f2dd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c6a72e64b27f634ec05afd056500fda7

SHA1
780632d8cbae25c0950124e7f61b5aeb6e9a04e6

SHA256
5b9af4f4b6cea1584684d210ae79df87dbb5fd9269fdf5817e64bc1e6bf397d3

SHA512
0b3e8dfa5a9e0276e458021da8b8d635226da808bf7cf253463d6d393ca0fb061ed234f10c515edbe07dafae9a4d35a9e5c4b3d9768c0aa3d22051d4fbd6fa78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
15003b20b3cffd1cf7800f7737f210a7

SHA1
f725b2eef670ea024330464bc9a29049725aa328

SHA256
16e27d4b44f8effc5324bb601146e0d305a28be530266fc4301f557a8fafe6d0

SHA512
9dd188d8d838fa2e90817d6c80a418888d342d9cb353aed01c4ea087b2e09a83a6257cf3cc7bc12f8c374f8ffc51cbabeb819f4c133e097cf994845f32702b94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c763618c7bd9253f980118a394769e2c

SHA1
f722c89696e3d785dff4e1e5d298ba19a0d2665d

SHA256
7061e00544b782daf34ddd9803f82a73fe397b4038cf20c3d161f2807ed1e70f

SHA512
237f04a328da9fbde4a0dbb9f254c5163433b2d6545a9cf81838055e8635cae6a824d757da2a3c1d595d06bc9b6033ed88d88ac1b408bd38b2c920e0397bf838

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fb7714810d14002267a08e31e9949cb9

SHA1
54e154a2e42e694bac5bf82b0035c4ae9a3554b5

SHA256
999222f5932aa68c19cef7ffb0bce4d04afc19a9a4fc0d71aa90a702d0b9cc84

SHA512
274b5e087e3ae48db3a3ea4219fc2d790a0b820009a30efad946bd6efbfc68b5942697b9512252a300ed190104ccfdc0c027fe121d503d394e24d811ab4268e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
12af79072c67abe0a97c1d6b5097bfa2

SHA1
125e2a963b2f91da2486c23533e7fe6add9ae0c1

SHA256
fc5726d7b9eaa339ad9347fc449a0580a4fad012aa15e2e7b326706ecdede9c2

SHA512
2329fb29493b4065ea1489dd1e2f81057eb73e1ac1ccfd991ba1ca6f8d7e024c714feed6df110b72e245cf81fa16b6569bd7c5a5fdf3321adb38dd0a8371d2a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f8b64dbff562372722ae78d736ecd0e7

SHA1
32e79aad9d076acdefccd302d0c9d58248aa8c70

SHA256
972a62039cc68a8bd804110a6fdeea9bcfebb3af62f162f6bacc90962d82e5ab

SHA512
1ed54ca054b857accf7b4e6b08e25212e5b8dd33cce83e888f49ad7251c048bab8f1c76231be4f6d515f3aac812660ef9ed4d266f866f2f0568a2be529c5cdd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a5a3c96f28530fcdf9cd6b067dc44148

SHA1
60c34a2733ccecf028eac87f2c87576ef7f3ed35

SHA256
21408aea89e2c8772eb077ff0aadb26cb48a9bde20b6c2f24039d999314058b0

SHA512
669e744a47d61368ab2fd50f51f2b8f54626c3d5dfb14ba773d7307b8502eeb381a5ec576492c95af266d1de82b491bde4502742a539d6b97612bb389e91fd1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e64e43b7ebcc4912874e72aa15e9d5de

SHA1
ac53c74d60771c1dc0de31d5fd1b026359599700

SHA256
98ab625ff638a2dc6cfe291624df0c88ed332f8927cf3c6298cc3125412f8b1e

SHA512
9920d35b124d51f67d0d02781ab58551f2c5d3b48c8a3d9fcecfe02e75854cbc9351a1fcdd27c2283273aba959c18720703f9f57e5e0c30af7075b17eabb9168

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e7ff6cb51c48262944a14b671fde21d1

SHA1
0a9f1e926cbb5c3e4786d7dbda03914311f99093

SHA256
c915e033a60484674a77b3ebbc5aa5c0b17de596eb98e804c972393f32f70946

SHA512
518ba9e45f9b927ff780235854d4782046d66d30a42bbdd68a46ce2cc643a381e04a16c955d517d34686d00877c9072ecedfef1bdc011eb5a4809791c79d510b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f3920523531f24a3d1572701abf8f281

SHA1
befb8d28f77ce5e9dd783c4f6e3e5bee2f5d2ca0

SHA256
da7181912851eb6be2c4e2eaac904a3412c0ee34fb4057a78c698793d49aee3d

SHA512
aa27fbf0d8db285dde773b86c29c0321917c1f647884c179f767c23ce9df84d018513c1b3278c7e39ab3305eea0ba745342b52a66d1979a605cd9ab98101bb30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
30d28735bdd2089236fa91541a643f99

SHA1
6c4b9fedd22ab4e9523f8714e54e4b2fe5e3b5a3

SHA256
5b7006cb93c70547fb548cda69dc87b5eb02528241dfe6513bbaecd1a05c0180

SHA512
a5ec4f660039e9efee08f09cdd877f69aaaf9fc87a81707186f5fe2aafdef5d91cce86520660dbef970517779d86b499064b937af9dda88e5dd07662985c32ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
01907e9509c07712e934eafe5c2c0335

SHA1
e4999626c8543d8880405f5e023db96da2cd93d1

SHA256
5e0215f689d3bf6b27d7a06fd90ab4cc6ad6ceca16980924958eb75c5babcd28

SHA512
714c3dbf80819738e773fd608a91849c283e3936ba43563b960b85dfbe3e9cb033b6b1f9015a8eaa4470bcf12ffead61dd9224da3ca3ec618de643581207742e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
50a3e462082db782c7ee06ef4ecd67b5

SHA1
820e4f86d0ac98847c51b6d4f3a8f58fac369879

SHA256
8002229a32af87495ce26a07254e2a982322f7155bb6187b7ab2f0ae309a9069

SHA512
25c071a794f1e7a6a71ae41f137ed1f48cf6c930cca32656b860de5fb2aac6abc2149f7844b8d38d3ab1d3f1accd809fdeacec4cd3175633ba5796a3d05f9ddb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3de05c78fd4d66980d818822a6c7452f

SHA1
ee91b4f5f76a1e7c1eb969efa36615a98d62dd42

SHA256
96e20f1c970addd8f44627c20177cffcc054dbe060ef61eda7742f6012cb7d10

SHA512
13d62b69d077547478d6be0bd175f2532c93a656cf584ad5743deabce023ca162792892d91bcf1a2f4fc672f2672887bfc4e22a429a5f9ccea37dbc05fb921ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
49e95a0ba94037abff452cfd9d4db003

SHA1
23504d61082215b77354589a166d9f9dc71de548

SHA256
b2fc2eb1a3384e3516416ded090be845adba6908869467883485e1cd5bc6e5d9

SHA512
21c2cbee162f50e41e559242b6480a11e5c764f3d055eb61ca6eb646666580bdf557ce70d40fcf6c25395c189658a1101771c3e8b63282ceeec25d0b0d778258

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5cc419927bfbe3636e581d211b230d33

SHA1
9507ccff844b00333ddc2807c2a2a56009b754c6

SHA256
a759456aa1bb39dd4954209037998ca61d3e86d2509ec85ca45481df43f51a59

SHA512
6257d9cdd90ddb0f8415c8088a3f84d3e1eba177c1dddc15bf20e7958079b2d413ca4b4f263c29302fba67000474cbed4234213d0c37604ec08984f2678175a2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f0dfa61d2cd5744b7eeab2bd9984c800

SHA1
5ab701ce9a972ae02963f5dfa4b480638c045be4

SHA256
f2e8f2cc1582a45affc3cdf1de6df412df9729d9cf37d182b407ee86b30423e1

SHA512
516377c246541e9c20741c1210b76b9869f09a640de6fd84f2798d180e00cf5d292acf44363c993ed5986a5c82a06a2b2d883016836cb9f52bef1d5dcd79b65b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f808238698f181bd72958322a865811e

SHA1
2e2b99a388bd8de0aabf2d710b0d933b70458f5a

SHA256
da0daf5fd74f6c63faacfa6bbe21937bbb5ce814c7ebc17dba8bda856546efd5

SHA512
6d66b2e6150afddc8c2bdb275f9983ecf10b275b43a6934de910e27162a6dff1ff461baecfa0d5b64e4a31c99864c487ae85d80c1c66085ef4b4d23754b05e00

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f1c24959692b6449a4b56b6f488694ae

SHA1
51bc6b31422ac06f6730cc3a0ccffedd2708fd10

SHA256
5c6e8a0407a38d7ba64f7707a70b36347018ed464bea0c17b9b59c7a9bf95170

SHA512
6330c9be05ba51686c9fe3702209501f5a1602711cb53c1ec09ec72769e010dfe1788c757c464688b8243850221ee8a03266d1ac41cd727db604ef5b4b34a747

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a6ab45b642eb53b5c83b98de28136f0d

SHA1
66490947229fa630250c4d79484ae80954706706

SHA256
ca0390f6a85e2c98ea2c80b0a79e1a04e7ab06cd3f0d5a296a0f2a61f2193d65

SHA512
c285d207caf6ccbd2e5b749d14f713c250a1e51a413e75dbf1e3edfdbbfd4fe0a66db98690f0a0b42a7e72e51e7b6dd81fa1dccfc3de7c6f89b462a64eca523b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d31acb30ca769205341a02dac497aa18

SHA1
3b26470d6ee2b244532e049ecea96fceb7bff824

SHA256
0767e9018c21da69478122b53bc43fcc79faa5507ed34265a2070ee0a8dbb7a4

SHA512
e707006da52e8a3d702a2764f03fd7334fe0dec76deaf504d4d07e6c9f90e46fb88f551ad8c2db8ed77f42d3878b66be703162ebb5146e9953271959a2883163

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e0aef18238d7580772f844e6d31efd60

SHA1
79013594853b86f35fc9bd34f59a47e94355c753

SHA256
ddbf0161413cbead02dfa48e7ccdc8527f4613eb2d9805ad13f9fac02b907321

SHA512
45a823701b87d8d99bfdd9b74a0986b6dda0199ee2a042f27a2dc125cd342986531c6ff9c8a690b6f163994271bfad0ccfd2cf1241f4d339566c45d1fe1455fd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
474f8cf8a0969bc76d12d39e4071a7a0

SHA1
74018564b0dbdcf04f9e38de180bdc35176da59f

SHA256
963fa350f6f904ec77fd9ac9383dc5365d09a6e61404e1b4ddb368737ea25dd5

SHA512
4f2ae41658a75ad969357621f31f6d6d2eff751a31b91c95749b82df48e8bcd2e4d556e9dc7272715a556a597f5ae100412773cc561f5a40d5479346c5152eb5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3fa1b602606895e69ace2f046e134c1c

SHA1
c3666c422eef94bc8706737411a97b9323f043da

SHA256
33af3b2c0ec23f365389ddffe0aea960ea046f11830609edd1522c797d103c69

SHA512
23f665522330f13456ffc04e1f34e98be8c55265bee76ccfdc719ca43678c3366efb6f4ab965758e3caf24a872e66c63842a44dd61a6c654907a39548943ccea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
10e43351422232279056841749f085bd

SHA1
4c856a861a2536686fd85d30eaa15300a54568e5

SHA256
a98121e5440e8028912d38e96722c1deb5720aa7cb1cd17312be85642396d554

SHA512
1952c306a19e15a5f3a86f05b4f3dc7584eaa7a6861277baa6a3246279d239d76716a7f1f17e5648ad8856b74e66623455bd3382ddca9dd4daf8e706641f2368

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe84355a11d4f68ca63b5fd819482e74

SHA1
00ee8bd2eb8579f4aeb29d86f963b96b87fd3073

SHA256
a6a7563418c651d34e2d8fbc2187e1ebb342de9e9374f6ca7472c999f291d8eb

SHA512
2db26adb8d6c3c0687c63e8a35a73e4b0fa2afee9ba155505ab2aa6419d54b6788d175d02a0bac2b7fcb517b1f3bd202e09013fb69aca9afea9d6cd5f7ae4830

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0d74f8fa906675ba4baf3e4645c9ca94

SHA1
c8669abbc3ed915fbca8894a5b7606f18e519aa7

SHA256
8d79c72b079ca6c2f7894429ffda5a0b7755589960cd87562863741d38eb9c10

SHA512
95e52b6356a68b6bd4975108cd26607603e1292bff8332e8e7cf0e1b3ebfcc72f146b22a8db842b2fbdee2d1e42ea8fd1a05515258eeaae087c82b8234f2663b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f6a70f2f6d890980d00cf39b7e2289fb

SHA1
fa12507b7e7ab9103e46bdeb732fa83225ad9dc4

SHA256
ffa41b2e2155c63459e898d1d9b55956471194d9591362a68944c4fb5870ed2b

SHA512
3b24ece093eef8a0f035a56dc5a81d9e2b6d3e9f3d82509e20936a455f958db6ea46427e57085b777e483344631904e735a350732f95d2eb1d6d929e4c03168b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
15176c3bd63b7797ffb7e1764f56c749

SHA1
cd70c4e7a52a6de8949548331aeb28f6e83e9ca5

SHA256
2d552fcf0edd48036bedb84ff9b723e1bbffef99db27cf18ffebe009f46c0341

SHA512
3c3e1740ff6cbfa798d7df2623ddbb53b7d68d82bda11ad0afc21a724836880f2d869362f7baa1c9c8d9fed9371a8d0741a4b9372659421a4d1bd5780241fabb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5c9040bb02f4ba8aea2f51dbc4e728c8

SHA1
ed76d1244ebf566f8f7022b0c4f2bc4f556b1097

SHA256
1ea40cafac0b5b623130bf505095b92a709d6699a1c4c5b11d482510126225da

SHA512
07b7dddbf5d093cfa5f0a6fbd6eca4af4ed19367adcb45c4a6abe0f8f659c643843de6660ac8697cbecd5b7d740a25b363bb252c15ed3d1115256369e33fafce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
aa6c766c02b158c65106021d89145b52

SHA1
b118b959571bfd16e42573f85eb6ca8048b320c5

SHA256
ecdf346edc044fd3626c1d21c3463e364c1cc2690fbee3d9192833014c98d4d2

SHA512
ab8b6457a31511c1e554ad53061fdae8de21a0db8147a0c0549c9da62896e9eead5bf96524bd55a0ff48f241f5224b011b3271d3669a1a90e02b5f4df3bd6249

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2ffce4f586260a7bf8cee69836ec55bf

SHA1
7e21844c49b2c114f24a15d03292d3559b9ab798

SHA256
3984df09418d2136d90746099e783d495feeda4807b1bad546507a50dcd6f1a1

SHA512
6c4d0e397205486cb1208700a3bfb5b2859ecb54b8ea584587aadffe3186f8865ead707a5763bd81c1fa3b57a9a5549b9982eae3f3ecb1905805972853f84b9b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cd5b9865099951eeae812c03e6a9b214

SHA1
70cf5c15136bfdff4c74c19d216db4ed2794083a

SHA256
23d250b9a7a7b0c5ef43964696b0b23077d79769a9ba7a336d92360b7758b713

SHA512
dcee55e048ce54c7d178fdffe35922276643850f18b1441d0dbe495b03282f25709ff34850cc4c18006fa5af9558df4615d4aeb346d3343d22decba2695c8942

Download Submit
memory/524-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/524-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-496-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/552-290-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/720-497-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/720-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/736-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/736-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/736-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/736-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1272-8-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1272-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1272-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1272-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1272-19-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/1392-323-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1392-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1456-313-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1456-498-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1604-29-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1604-21-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1604-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1604-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1604-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2016-327-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2016-260-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2016-266-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2016-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2236-284-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2324-499-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2432-239-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2432-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2560-70-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2560-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2560-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2560-63-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2560-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2936-506-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2936-336-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3356-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3356-505-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4084-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4240-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4240-41-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4240-35-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4240-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4344-274-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4344-331-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4344-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4572-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4572-245-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4572-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4572-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4696-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4696-508-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4820-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-503-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5040-504-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5040-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5116-500-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5116-316-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download