1826fdda8566e5d04d1e90ca9fa94124a0a1e534eaa84a3dfcfa3a31f9dbc7a9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exe
Size

951KB
MD5

704fd1218fa3791ccbe6e21124d39050
SHA1

9296f970dd1d8a423749ae8606c99ec292f79605
SHA256

1826fdda8566e5d04d1e90ca9fa94124a0a1e534eaa84a3dfcfa3a31f9dbc7a9
SHA512

867c08ea9aaa5809f7e177f2ce7e8b7dd41189959bc786a4fc0458556f5a10be795ac1b3f511a69a28a0d1b54615bb13b3c2756727cb1c0811cba28611fc563f
SSDEEP

24576:IKGpZk1Yj1Hofe3y1sInB2COzRq8DvFqt:I7Pk1YFP4suIRbDv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4072	alg.exe
1068	elevation_service.exe
1508	elevation_service.exe
3356	maintenanceservice.exe
3800	OSE.EXE
4396	DiagnosticsHub.StandardCollector.Service.exe
1128	fxssvc.exe
2968	msdtc.exe
1824	PerceptionSimulationService.exe
3924	perfhost.exe
1408	locator.exe
644	SensorDataService.exe
2368	snmptrap.exe
4468	spectrum.exe
2200	ssh-agent.exe
1852	TieringEngineService.exe
2168	AgentService.exe
1012	vds.exe
1872	vssvc.exe
1084	wbengine.exe
680	WmiApSrv.exe
2688	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9fd7d5d3e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f4cbb0cf2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee24b40cf2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003987b60cf2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007597ad0ef2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009eff8d0cf2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006322980ef2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4e9b80cf2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1068	elevation_service.exe
1068	elevation_service.exe
1068	elevation_service.exe
1068	elevation_service.exe
1068	elevation_service.exe
1068	elevation_service.exe
1068	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3112	704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exe
Token: SeDebugPrivilege	4072	alg.exe
Token: SeDebugPrivilege	4072	alg.exe
Token: SeDebugPrivilege	4072	alg.exe
Token: SeTakeOwnershipPrivilege	1068	elevation_service.exe
Token: SeAuditPrivilege	1128	fxssvc.exe
Token: SeRestorePrivilege	1852	TieringEngineService.exe
Token: SeManageVolumePrivilege	1852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2168	AgentService.exe
Token: SeBackupPrivilege	1872	vssvc.exe
Token: SeRestorePrivilege	1872	vssvc.exe
Token: SeAuditPrivilege	1872	vssvc.exe
Token: SeBackupPrivilege	1084	wbengine.exe
Token: SeRestorePrivilege	1084	wbengine.exe
Token: SeSecurityPrivilege	1084	wbengine.exe
Token: 33	2688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeDebugPrivilege	1068	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2688 wrote to memory of 3012	2688	SearchIndexer.exe	SearchProtocolHost.exe
PID 2688 wrote to memory of 3012	2688	SearchIndexer.exe	SearchProtocolHost.exe
PID 2688 wrote to memory of 3116	2688	SearchIndexer.exe	SearchFilterHost.exe
PID 2688 wrote to memory of 3116	2688	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\704fd1218fa3791ccbe6e21124d39050_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3012

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
40bbf76200c47b3e4b5213c4634e4d60

SHA1
011c5dbbafe72ce704ead7334bab00bf4fd9042c

SHA256
dfb2e7dcc4ceaca15f7e6cb3adb4f34543b170d663e6157d71de0d6ad9a335d8

SHA512
47966236c2d8964614271204d77eb6bbf35c07f5b4f3fc84e4e60ad0515881e7201330a9e59d7ad3e3e5754d21dc85b2252a48ba0e3463108513d8ce20dd98af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
4f7a8d991da6741c2be845f0cceab0de

SHA1
c690e803a6cd907ff45d7d351a69ac94a03bdf27

SHA256
98c63e64b0faa4871cb6d0ef62c0cf26a976141b5e93f35f34e773c0287c08c0

SHA512
ce31278fb0b67f0ec5befc0c6e82604ce84d8f7511aed8346c696214f6c0542f379789287aa01d1c1ca768ea75c896b510620fc4db876f2846ec2d41bf26781f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
9f0dc3ab6a2aafd947ecae6f74f6fb79

SHA1
10e7434b75b773e35e60c27749ba197d8e297439

SHA256
97130823ee4c443c4b06f2165db30f522317d38330a45e1fbe69b9c56c92e148

SHA512
d60da31ca41f9638f37916e78715f60bd5b833cb6b15fe76bedd4fd12d2d00f2cff4077f2f916bb43ba3a542e41669872d4e6ec8fc8e448bcb3013f7c0f08eae

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
1e6538c65533664f2834c38d4cbf2424

SHA1
6e6ae0113224ccf4d4f0929530db5b5327d564b6

SHA256
442d0bba4e79c48af6d88925c6248213d3402c0e68547b490d0ac1088242a633

SHA512
8ab9ff4affa04480dc3be223f320c02ced53213d40c140163d54e18128e47a48f7e10a17e26e50a71d098f9ac1e43fe2142b52c0d25ba0b8ea3a4facb14cd6e0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6025ce382e3aced6b0520d359804abce

SHA1
c5f87b0253c467bd6a390a79ac99cb1d397bbb4d

SHA256
07d27c544776e493d88cf3f9944ef5f2cb24983f7dcd3e27e252806caee6a41e

SHA512
4c1b2624f434eb5c06e88bce0fd6b379b5137c4ed44d46713d7d057a3e16b8a43217e6340064c47225537ce0cb5f229dfd211f10b3e75582bb5c093d7f7a0091

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
e2f4039a6c241fc43152fc7c6a5a9920

SHA1
7887dbb4c7c417eb5ca6525bb3a25be823b73595

SHA256
acf963d3ef476981698688cee9808843528afc03b62e54305b595aafd8d541eb

SHA512
93bfae1aba953ccc5a3a4bb0b9ba64e5cb7fdaa1831811b7ec6612cc91890f8a0df5d8dfb4ba372963936c378f63e8446ce4ef498def417dd73021fc7e219b8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
084c4a429b802d9a5265e1681d2e8993

SHA1
5e134c4bf48977163933bf05b4aabaefa6c6eb7d

SHA256
3d7dfaf1c62971d012fe5cac946af14f7ed47d762b5e896a51aab5c23ecb5393

SHA512
8aab86f149f4afd22db9bea2a30160d3a1e277a896c51063fbc797acbaf33dd77dfa9654448672fa2e9674725133dc22e47fb973aa309da81c7b5b16cc6298b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
04ad7130a3bdfc8365935e0fb5365c02

SHA1
960d633cb8ab2e2d4ccd56c81b57cdd1d725003f

SHA256
be64ac56e54710e5af6f8a63005bfd1ecb20c890f0516242fd63810b2ee60424

SHA512
acb09b64b9c5a5b84c5cb56e33f7941fe4b03805b00a219b984b4c16f08547d15b5625dce3fbcfac8f661dbffbe728b62f918155432ad6ddb7d1f14c1b935ab8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
0f69292578d6f53c414baf005920d9cf

SHA1
a2daabea334ed9270fb9132fae1867cf8800f48d

SHA256
8d20392494784688a26ca6d67fc0d8f6939da80885795938d6657db3942dfd17

SHA512
62ea33aa64e7964c65cda74d6d4d77744cd66eddd050d3ddb400a195d7c9c4063447c683d9b107d482de6972ed6670301019187ba71e285a564f6ca598562d57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
19ee0b69f64299c7f9bef22915bf0b15

SHA1
08806508a4203ed6dca8ad9d459d70496f1313e2

SHA256
2aa248aec7533590bceb4f27cdf9b0e4acd258178d1ad070dc929eb0a91c9679

SHA512
3c21ed2ee01ea14df2f133d11c55665a14576f867fb41143ed7b766e383cd907f69c85f22820326843682249d1328e98747c03e680e619675f7c6fcde7d331f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
87de9d7e636dc8dea3a1b87057f79542

SHA1
5cd150ed7e529e4a471e13162b3f1deb41876025

SHA256
fdc821ef320d59577948c0474cd93b316bbf936f6ef93b57bc1dc01c8ff67816

SHA512
ce7e15c9735b86ec332829d65cf373a3b9097b909d12efc6cadae81378f64950812f48758953bb0ca4a1e78120f2247ca5694cfb2b1f8c47ccaf302efb089aad

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
559eb278a0dfc4fa35a13f95ad2ce347

SHA1
8d7e18e3b6ae24a6d3ffbbedfdd2d8760bb752b2

SHA256
3966e1fd072605eb91e4673dc8b76dfa862836250b1ac3c7dec501457aad36ae

SHA512
eaa0318aa9c6adf200e056387ceab4106350d3c4ef74af042e58039ce32f364077828881fdf2824348666cab0a425a35e31c4ca6c3c15d18fe99af8fad722966

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
9b76acdab425177e348b26cede973967

SHA1
6f1ce999ede12b94eb7ef3817259bc26ca3d50d8

SHA256
f362e1fbe52eda3a770538deaccd9c59b32521075ccb871e1fc0326d62f902d1

SHA512
23a6387c4510a51052efc605b5fda39cf8f1397a0531fc9ff752287ac6f6562534854b01bf703d08aa192f9d823416f1fb30e77654634b623c1ab0244ea59da0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
57965a86e17c65496bd60551d4ec5ce5

SHA1
6a2a9efad0f79fb7505e1ba47fc532a9f373af95

SHA256
53e9f069cfa0cfb4e1feba4b79d7fa57c82d085dde95fe58d79dc45c8a39ba58

SHA512
9deb3ad2b6cb92eb5534b59804d995f5449d7e1104e944a35b3419b01673575cc56f2c5865db2d79acd0482ba14f0dfe79600da16d311e486e70216066d92b9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f1d806ba96900534f4aaf3947715489f

SHA1
0710d702fc338b8f87c32749dcb486c3bb345ca7

SHA256
ccb6582f138a7607d7619a88cb72214657cf1792c13ba30a1c58ca8c677a8415

SHA512
db13b7f71411a39aefa254564cbe822ac7b6c472b0997a1907b5df9bf6635a3ebedd280333a2abe3d90e13d3533bce5b5c7ca0c09a2991e52ab07481ec420925

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
684bebaac186f57c7ed9466d6a7c4849

SHA1
f5df549848dcd1c01f2492d5a64934d11b6cf1c9

SHA256
bc948b6964f70f21e8b24c49a706b094c06b2854f51ecfdd41650cf98e671958

SHA512
9cd3e1b7c9aa8da623a0b7944e97c8c0cdf0e5b9cf846ce8521ce1bcb9c5ab6cbd46ba04dde85395cd436c65cc34dc30831cd6c33d79c598f526fe99cba0e357

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
88172a907362c51e60c72765e0715af5

SHA1
521978e1a899ef48f4bf029ead15c670cbc0321e

SHA256
d360a8d076b300c460a5fb8301664bd351d38b8773b3f2cb9c8c97092b8492f4

SHA512
60ce6e9c657509f3fc9ff1db912867d2783414d5187a2516852ab9c1db566777aa3bdc34425f1d0b990f3a565331cc06b3f3187bea031294f7706e039f092e8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ce36de20bd92a7fb26cd94657d12ec7c

SHA1
c39a545503fec7414721839cd9384c0a6a9205c3

SHA256
401a5e62e3c187d4cf0c2c7c62109c531afb1aa7e257f2679685647e890cecb7

SHA512
053e4c307224d311a7ff3fb4b925501dabdc8618501f909f9e1fdbd771af2fc973afbe5e4da6197432679d3920234dd8fa0645459762c01e7716be6f3c71e78a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
446151c0dcc6d668260363d69d5dd623

SHA1
70dfbba93fe935c412458bec21b679f23042486a

SHA256
cbccd84b5c36c0e8417d533cec5878a91da07c022f9cdadd68ca5ded4a1ed304

SHA512
fb3d614c3acd47b604fd47ce7392319e34f958d5de62b184c621b642326788147457994d2be1c790cdf095f925ab7ad8bc84b6f4fd04a7e11468ac7d9feda883

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
0bde54f1a546708c42c19d9a636476ef

SHA1
b511e257fe1a65a8a832319525506a614bc78912

SHA256
068a98abbd1a3fd0f77b6b1b5a4479eeee34c6989da7ee2fc43c4d4daef2cf18

SHA512
963838b39db782678339680ba108e18d3b9ac23528c2e68b2ab2f9d330da6b30dc506bda9e8a9dbb009852719a71b4fa32a5b80b5e10755ecb37f0310463a9f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
d3cbaf1b6135478e4807220bcc5de269

SHA1
9c4e3b6741f264124cc25a8b19cb333dfa4f0bd9

SHA256
d5f8cd0afeeef9797189a4734d68d9ce77844ca043216f6b787180348d5abe2b

SHA512
7bbbb30a535bbe14112a5ac5a357c9b380ef96e0a40f1191a4f28d3f40d7c201991d64e7b90b7958c601e6439051846f8123cf01ff08a1a868c4fdb40b86bf88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
c129c32d8eb63f2df84e66a5823dede1

SHA1
17468871af776641a672fbe11f041c166955fdb2

SHA256
a10170641be51520372a377b0a92d9941f4e6faac08670860697373149209c73

SHA512
72318433a4d97d659959c436e249678e4f10516dc3d016bee510bde40c5b23af6199906c76a977f4cf6c57320750c27779bcf595512f75c36fcdc08ff1467cf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
0d65758a44c9bc64b00da2409bc3f5b7

SHA1
3ba02ff04822aecd2118fb6c945ef6413991700b

SHA256
ffbe34edb007b2acd59345f1a1a36e2fa2b422f1e62377cf365b2f28ad810043

SHA512
6d4f1ea4d3f27a7b393fb14912d0f3b182c3e96d2c7901a60e65c7ad58882a66e63475416c2eeee9807bd492ff276222aa61fb5a65b4745d47e99e593a35009e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
b7f530a64d05f847985a2f31148e8ba4

SHA1
f070d0c96902f5d8d18d567b7b953b0e9c2f1867

SHA256
0436a95e509edbddf87a14521d56318e92093b572a40732359da1bcbad50d886

SHA512
c8d8509e1e48be409354e2d028cf5b47adaa5cbfb25b5244c428b4f98205e1e14a08d20226a107a44a93ecfe9205a2b525aefaa7113ed8817d55e54c8d630d0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
55fc58f8bdce8fb0a3d573c9da9a3ad4

SHA1
290d65b77f2918c10361a93f209192ba27b7f4f3

SHA256
e1e68365d04bc01957c4759f04b23c28ca2961c041bc0799afb1c0f8cf6bc45f

SHA512
d6905693ed6fda2820102a5996888d27bfe6ad3c3ba53bcf9c7d70fac9a2b41a68086792fc6a930334fe5b4b7ce5bab1790753af5452a4f9cfe7049dcd3c171a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
b08ba90abac8521063c22d919be7d3a3

SHA1
7b033c84f642affa6aea9f6dc786f9ce25af3824

SHA256
225161354584b7eb7bee67a32930e07106167b67e3bfba778fd05656ea047130

SHA512
559c3469cff6f5e97ddaea21d062f0be5d89d0173220627fb1f63b1586891d3604bb00f9a20c053f18567255b35525403ee63580feeab7313c1a9ba54aa5685f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
4e2c574a94d9a6dfd3b97d9cd42d7d98

SHA1
db9af6ec49896d9ffa48e90f17c750796526f618

SHA256
54b592b667770677965f32a5ca5a17c7993211c92ac00fa2e79d08200f4c0726

SHA512
81b6c51738458534337f30adaf2b38da9802e0110268e8ebab7ddbbe52d8cea488a0183355a3aa8dc3cfccfa5dae3b23ec27dccbec06ca27fdeb98387b796d94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
bcab3aa0ae0f4da9657aa3acb4f43221

SHA1
2bbe0ec6fa0a1de4c05fd038f18638d8a0f27e26

SHA256
05680fb4e965f9f98ce74667fc3cff09cb1c86485fafc62bcf78afcb1b4481b1

SHA512
d3e637ef3d6a011f5f8ae410c3f748f191e846905e8e2efb40f69f485b64d518adff18aa8ab5ce72754c4b962db3988d644489d4f0e83c04f57a41a76131e7cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d4f4131f72e282815ebc003161168f36

SHA1
6a6000724a98c377679bce4722b5ca26f21524e5

SHA256
7edbd4d4c4273a0306967ae8d7d33ff8ff5d26e93e8dd2712735b1fb9ebd6482

SHA512
5ad11dafe6059033f39fe4b0faa376203ad17f59bdce1d8d0c9cd7abe061c6bb0c1273bb5ab906800853cf26b72265590479a62f0412693b3e388145f58664a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
f16276c74bbc8a4cd2129b9d56a127c2

SHA1
38e6fef4099148403fc1769a40ec846a1ec06001

SHA256
cd4d7d0da51973e2f49b237109b165c9e7bb75667e28c40d49bf8eb4d4ba8022

SHA512
299ae1bd1bf0f02644fd0be7e2522cff7c63e9acbd7b050139ee1cdba2b6b0859d7ba60e2b134b406eb524e5ac2bbb653acf9750dcc87105eaba64bb9f5e79c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1232ae335e7939a8d4580283418a025b

SHA1
3d40d0d5694333f735eefa3a68393fa02d0b5417

SHA256
42ce339c915c9d27ab04c1bde423ec22a667afe3d968ca0d4fc8e0a9a293f18e

SHA512
0ec68b111db388805a4dcd2ddaafc514a857deae3ccb0f52ca3d0d7c8bc7695ae4f287328bb888ec24aa56199b5d56b9bd5703ca8b1f3d99c721fdcfac1ac09c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
95cdfda760b158c0a3c3f2cf4710d2f5

SHA1
dbf53409426a3c0c8d5beab292e1d2943793aef5

SHA256
bbe42946c85939ddab3954ac33ef6329f6edf65915ad615a398be2b5f91b91ab

SHA512
57e5c91740f5b3ff4a6508cd10fbd991deaaf5454c2c865b600aa7d0ac5152742fd71e814d06439bb9b45bcf8252538b0e6daf8dfe776653bc4a0f8bdc36883d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b39b109481da9e0a34ef541f3c8de852

SHA1
84b09e5b0a7422480202bd964898d6b534e3050d

SHA256
47d4719c681b57899a11c92eed1770d04b845c62cdaf6b16b0abc4cd58a0f22a

SHA512
53a2d8ebe4d805820c9f06551a40053d7dce9a704aba834bebd2604864a054a5d7ff8ca9caca3699765327617a8fff3a28235d2b06df01b6021d23eb26d5e0c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
86698953175cfc2085e392e9c394438c

SHA1
cfffb70a16f92bb21ddda5b6f7312c149c2a676a

SHA256
28e2aaee3a45ed38e24f66fb6c8c6ded3281930ff9cae2846613cdfad29d8556

SHA512
16b3f03bfcb52ee4d337b2292968b9e3ba90eb9350069f5d19f9d065a981e852076fc91ef58a9dc7bf75477c39edb1677e7215850fd1403cec31ca7d0e191740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
4446db6d98bcee15d37a20dde2fd6461

SHA1
4d33cc08934469883a59b29626f731fc26fe2787

SHA256
6095790b626dd2f4717a85d892e433a71b07c45894d65033d576d16cf78d5c93

SHA512
2cef15743a0741f87d0e27e96edc3b618599f997ff8d7658f7fc23b8a6079731fd376bb6ee54b7c0c141e4494dc6945d92b278ce071546d92193c9c4ed113615

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
5bef4dd51b3b92052c0604fd890750ad

SHA1
f660b739e8bbeeb2d7fb348ed7c25a17ebe3164d

SHA256
db540ac6828d5c0584df05e1cf858866f247f22065c37194a651d102205787e3

SHA512
449213e6d19f32c0e6ee3daf95bc23a3f2419728c38a1d124a046ac5faa228412df9d4dbf2c924ea1a58f1922d093f573e23f82f28044af236e338978d5cf313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
3a4a2e35a49283ecde67d71ad69c3524

SHA1
abe80fea51d312323a1a3817ae1f992910b642ed

SHA256
9a02a190586c9d570724a83d8ebe9ac358d530087a1dade58b3e57ecc48f3f8b

SHA512
4f2a5bdeeab447a979979e35319ecc4f7633d4b4032012a072dea7bdd27666f4bf1f58ef3bd87a12183cb524cb4b5ad81a8f07682e29767032a13d00d3b36d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
d0c74c44946767c67163c1b6032ec114

SHA1
848ab0ab351d188efcef6759f523683485b3b218

SHA256
43e50a5dc75c262f1c9c76eae2a31f9b6b9ea0ef630f396612f58f4d17ab107d

SHA512
2bc264ee11ea6250d642512c860fd982614177bc79ab52b3500a76c4253ed4c61ab12d64d0bc54c1b0a056ef68a6e7ff776b377eb29c6f8e478be1fc8c6a4c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
ef92a60f041576acefcd9456752ec654

SHA1
a9fce853ec1a3c80b2ef078de70a63ae0bf5e2bd

SHA256
69e214b6d07746d6324262552f00ad5679fcc1894e82ed345188d44955955ab4

SHA512
147bab84928b17af7b524781bf36a0f7dc67d16ca49addd9dfea9e53ab5512ed287a99d7094ad68342af30eb24be130c4e811ee0f2a1e652de12b4b01a77bec0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
2783689aa060c1f7931c51d6137b160e

SHA1
3bec43273b4df061f2abe8a8f17d0617c171e9e9

SHA256
ba9ed09f87ad83f9b7528f7127213b609decd8c2e320e852bea33a2c9d84f1b1

SHA512
a7825c0d4ab372c4ecc1bcef2c64cfebaa503ff0d655801ef67c3a11525278cbe57aa1e5a79acbda540eb67e1a5924cf7d29e9c1ca595da17ebaec17c448d6a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
5e789620329f2ebff052cfc94c925694

SHA1
23dfcd065a1b5f41547ab718b184ac53d848eaaa

SHA256
8a4765908c4338a92659e332eb576e1a09f8cfc015059b1eda0aa676e809037d

SHA512
0bb71a9850c2969614b8af205286e10d354cbfeef56e35f23cc24f811efa1d6390132bfc8d0d4156491c548dc5cc3137d014349bb7050162101fa44056644724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
3f4494857d3d2e8ecc311fdc38ca0600

SHA1
02f04e029f6ec79242d48f4a51face134c5a9362

SHA256
f9d7f51da4b08468f4c0956cd5d05959859dc1160b6504eae46c32c4859b0100

SHA512
6dcd2bcfb0bf86237de5e177e82987443d7cb363acfbc22b9856a3a8c1040f0a0342209851287ee83b22d0a9186e5fbeafafd3e2f1a99d68ddc45ca853457b5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
47b950eaa31bd51992e6a83d8846f22a

SHA1
710efed7cb98de06219a43766255a8319a8b6cdb

SHA256
d952d6116092f1f26d9c5d5bfef629637f18c21c92d2c2e9b90f013a39e956cc

SHA512
3f4a6955919faf303ed3666af8cec7624b1443c96c0f5292012405e45ce0ed6b39267de9bb234c15d90ece107fa0b6aa232dc967b824913a23ef7baa86376ac0

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
9b219b9ed0630f826eccacd1aa1ed3c9

SHA1
659b8f8261a8c2e1e50eaf8e0f2beb7ef3f03e96

SHA256
4ce42c0927bacab86fff3ed5a5a137a1427c6f5d0a82d5a4452f17191a7e9f36

SHA512
db1ff0078f50bd10ccf17428875db325472b7dc3919ea96b503183e5f772556d0fa846f7447e12877180f7dc534e744c68714f3bac7f2f6d6eb5554dd5d3b440

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
0f72345d294fec606338c73b94f0fbf6

SHA1
be8dfbbb33dde8fc173bb04c07d7d19e7021ff5c

SHA256
525f92ae437bdd24e9d110a54d2af43b00b92e6f3d92cc926d4b538909827380

SHA512
166218696080849644b770b5f0c683c21416b58411ada5e6388dc91970145046f72dc159987306331db0967f5a72b8d03ecaa32bf3cd6a0af03af687fe4c6848

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c9ae71b2ca9014a693974959a2c45d1f

SHA1
95e961bd3f40ed8be415253ca113d48bd9ba3384

SHA256
e7ca65a4cba56b1cc79e37dde78f7676f9b3a0da5f8c156cf418e200bc67ee9f

SHA512
a6a15d49b6a207a7e2b36c6f9df4a5eb055e8af483162310205a5e5d2d81c7e142f24d28a75dc059f0503ed1d35049333827e632d8343f156395c2a0812a44f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
045a9a30c7c29cabee85805865ca7fdd

SHA1
bd700697606f9adf0b7b3c8fe47f3811224070bb

SHA256
e9acf7e9d7ef9c80bc32b6d5e56886eadd134e998245a788ddb899cfc743d4c0

SHA512
4113d7997e95e8727233ab340c21661fa3e947bb1e3aed0d622f77d8b28864fef5f0ed7e47e7eb1dfc8beb492146230b634c6f9480b476786948fec3b60859b9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
eb055b80bae6113835132e45428d1d8d

SHA1
60036b6142dca07ca2be9b57cde09fea63917b9e

SHA256
1c06c45a2e2658e88a598d266b5bf804e9e1de7159d2c894038db8d9896d23c6

SHA512
d6303a2b7864e51e90c820eb4aa843eca4320bc9a9d84799d224eedb6d8b7851f474e41226b60174dc750981d741916474db91b1b67d9bad193593ea96f19070

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
87e3b0afb033b63431b4c396c561092f

SHA1
0c57688fb61345df38a3e2d7274eeef8cd0e67a1

SHA256
dc3b5915c949316cab96d8e22c25e67bb931ed612ce0fb4ae2bc586f9532ef0d

SHA512
273b16e01f72614de4a75b1dcb1edde9914645a74dcd39de0b303700929eff8bdbe1b043c41718d120ee648795820fc25247b54ba29c8618b46fd5c3c44a9273

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9c9b7d956d767dea6539dee4025d2cc9

SHA1
577f72321302fcae393b0d9b8caf377634442be1

SHA256
2f4a6f55c35206e223eee4fcd9ebf4d9dc054e365e6098ba1c084989ec38da98

SHA512
9885c7bc293999c60d832ca8ea5dbddd8fa8be6239b49394f400e5de2dcee9b575f27520715071b811340c5b034e6b1fc51f7897c37f6d43b96882ae28a9f180

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
12e7bd55bb3b11ea62ec318e7e1e9995

SHA1
5aa953541426837e075d22f149833696f2ea142a

SHA256
a902c5d95c9ca67cfc928b2a099315b1b6c90995fa199155771a83a10ef4716a

SHA512
2c804b78d0dd27477b52837b007b38b79409eeaee7980cec99dc969a0e24e95b5a5a8d5c7857fcc7f79060204eaa7e3ebb4bcdee8eb7f2c4fe034d3cdd3f3a67

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0d602ac3bbc4bf71c0b01f7898625b81

SHA1
f00cad07dd2d685966a0a68b80e925af6d6ad273

SHA256
9465776fd70ab981d762cb2a5025b34561cc6d694f4b262d6fe2a9754f186eff

SHA512
7bb949692bf847ef22c422097099f549cb1ed7adf5b5afa1de259bd282dbcc582085a26d31503989bfb5cd4af142a33347915d14d5cb8cf563d13c6684984b01

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7032ad18da3a2d398f7ff1444087e05c

SHA1
3df3044280a63406551af37d8449520586391ba1

SHA256
431dd0b4dfa058a289458a96295b43a976e2a3cec2b372ab6e0dd39bbc70db4f

SHA512
e28ff2ad13c89519148c3f74bd1e5d99cfedbf0608ff477c2246b323e5346354c78677cc430e87edf2ef1ba7c8b13ef81b4498e543cd2586bd135d29cd9a6792

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
919f480ce1dc3101534d63df6ba5c8b6

SHA1
902d7ac342d65ea428161cf48af3bdd98f6b888e

SHA256
808ad4be52cbd182bf77759564e045a2bb7c1ce6860eeeeb2704837ac5e07a21

SHA512
7a7e759139e2a87c882d656f9c62c66e6c794e99b3360dbff22215cc1735a631cd936a59bd18040297881e18e6657228d5c75e772b4e6d43633f7915775aafe0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
a0898f74f1d7d969f3b82309beacf9ca

SHA1
aaaa3875517b514eb8d6f86e64f7b9c6d11115c4

SHA256
5f7b3dac4f23542cc416722f62c5addf7f2a69d04797d00d28eb926ffbe26650

SHA512
fe0e77ef2b723007f2b58b654c8c0b26cc8aacbd9bd5ccfadb2a7d927ab0a5aa300bdf8afaa91e8106ed54d5474b719777316407e212151a5134d7017218d3da

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c14b3f42c5dac78ade11d721d1febea3

SHA1
4c0926d269e6ea9fde3c7de15c5a84e276379301

SHA256
7a828cd3326fc76a01a7502b4cb8858a041a37a9215cffbf595388bb0bc9b889

SHA512
b0a30121759fcff719282d6ae72f42aacec06188c28b6a3d45519b17eb01deed6a84911a920259d7e63c7a8db5928ec063c872bd357bcacf9a7dbbed455b67dc

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
a7ffbbed315ad72b2413eb26ce6bcb82

SHA1
3e92cd77501188610a2e28a56bdb25975372845b

SHA256
19cf204730e398799731b90006a3b52bc3a7333827570f2faa406c0f75213bfd

SHA512
58ee7c59f367f5639c420965a29294337f9e8dd9cf379a48e4350d71b4397029f92b6e41bb596f17ca5884774b3f5bc825a43db13da6af9cb70ebeb40e649f49

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
0b736b41924f78cbcf69b56993721e94

SHA1
5d7fa62d7fd8bc6fe7bd4f4de2fe8d002ad773c3

SHA256
15bd766650fef65e89011f91d09089cf4561b46611bb757b8c6b3f05fc108854

SHA512
4bb5d21ed1fee5173fbb61e3dd6fcd003890c0ebfa73d3855e8685713617b2c053dd369df649637a68e70cdc31e93320502b13f6a25fb719a42f904037b6d609

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
657a3a7e3943d28946a93d9215e19aee

SHA1
6e71e4810afe23d663fd6e906a49df99cac8c4f0

SHA256
93e186827c287ac3a001381544793a1bee8146c278f6ff92ebd37eafe11709e9

SHA512
6558020fdb8ef63ad72a238515e759c82e024501d88599302460291e53c37810b3c88e9939ed07f7f4a08ede7deaaa7d2d084c844884e25ed2f243da3a7bfbf4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0ef4f1382642aa73d750e672303b1360

SHA1
41fd09159605ff57e6b56f7e9b720c4ee28d1841

SHA256
951152b18412e41fa562806c4078ed7cf71235fdf0583f379eb17dddb5362a44

SHA512
43ec6772e0f39f6f37f791e3c4b31e8e1e89783fb8476a1a1cc92e48d7d9259827ce37fb4a5a23553d3656cf0d949038956036bff093f4df97df5e8fe216c3a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
516081aba4538e9be51c0a97581f88f6

SHA1
fccf53a879b32f99c9e2535cd84a4a2b2350ff21

SHA256
09eea35b099214a677646ad4764939c627202ddc5cc5bb36181fc23fc45a6dd9

SHA512
35a4534b4bd868cb34797bed34da7e49b33eaad8391ffa857edcb1aaf53b1d46296202d935c972ec6cc92b3d8277affc0aa36a0361d455ec8eb7920b818c134f

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c5d6eedefa632d9b84eb9d41acbd61d8

SHA1
0023b972629d71846d2529860c0ec07cd1e4d107

SHA256
32ae472f0bff7c99050e3e3a0ada6d2489fcc150e5592590a1c38c3027681d72

SHA512
1e5d69a0caa650fe3fdd641306906dcebc18537e1a576ba41a3425bd19e898fe2c8ae6155d9b257c3c536b131222ba7a54f7859dc391332c1b8ccc158d10c50d

Download Submit
memory/644-518-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/644-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/644-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/680-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/680-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1012-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1012-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1068-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1068-35-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1068-29-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1068-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1084-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1084-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1128-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1128-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1128-254-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1408-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1408-416-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1508-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1508-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1508-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1508-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1824-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1824-392-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1852-635-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1852-355-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1872-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1872-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2168-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2200-596-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2200-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2368-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2368-515-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2688-643-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2968-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2968-380-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3112-2-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3112-0-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3112-9-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3112-12-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3112-14-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3356-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3356-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3356-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3800-72-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3800-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3800-66-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3924-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3924-404-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4072-25-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4072-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4072-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4072-17-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4396-354-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4396-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4468-519-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4468-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download