124e2f5a8055b6bbd8066b83b7270f3ef93efacea7a2d9130522a2164e942ed3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
Size

1.5MB
MD5

9e0aa12eb15ee73fc31652d21e4310a0
SHA1

982df094944a996f6ee2b347e4dd34502b227c8d
SHA256

124e2f5a8055b6bbd8066b83b7270f3ef93efacea7a2d9130522a2164e942ed3
SHA512

ef60737e3db096f7ca02f4aeedad1728d8c7464606e4473f7ac4551c29d7b2c91000e8a1343569cd1b4e00ca55a58a51272f5a8c5744a20edda7bc70a8ff74a1
SSDEEP

12288:Up/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:K/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1424	alg.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
4916	elevation_service.exe
4576	elevation_service.exe
1064	maintenanceservice.exe
4284	OSE.EXE
4832	fxssvc.exe
4424	msdtc.exe
372	PerceptionSimulationService.exe
2708	perfhost.exe
4288	locator.exe
2716	SensorDataService.exe
620	snmptrap.exe
2492	spectrum.exe
2968	ssh-agent.exe
4992	TieringEngineService.exe
3316	AgentService.exe
3060	vds.exe
4588	vssvc.exe
1176	wbengine.exe
1952	WmiApSrv.exe
4164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f863b4654a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\OutProtect.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8f6f4b952b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f76667ba52b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090dc7cba52b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005681dfb952b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e645e4b952b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3792	9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3520	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4916	elevation_service.exe
Token: SeAuditPrivilege	4832	fxssvc.exe
Token: SeRestorePrivilege	4992	TieringEngineService.exe
Token: SeManageVolumePrivilege	4992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3316	AgentService.exe
Token: SeBackupPrivilege	4588	vssvc.exe
Token: SeRestorePrivilege	4588	vssvc.exe
Token: SeAuditPrivilege	4588	vssvc.exe
Token: SeBackupPrivilege	1176	wbengine.exe
Token: SeRestorePrivilege	1176	wbengine.exe
Token: SeSecurityPrivilege	1176	wbengine.exe
Token: 33	4164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeDebugPrivilege	4916	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2324	4164	SearchIndexer.exe	120
PID 4164 wrote to memory of 2324	4164	SearchIndexer.exe	120
PID 4164 wrote to memory of 4400	4164	SearchIndexer.exe	121
PID 4164 wrote to memory of 4400	4164	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3164

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4424

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2716

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a6137cae6ca166a316aeb716bc4284bb

SHA1
dba50407e95a374d6eb2e49f6d7118a43f8e6c09

SHA256
fa54e7acd9c692cabd9c8947fbeaf89e7659b8d99b3f8e99a4e95c57e9e627ab

SHA512
151c77369aece547e90e03705b508cc02b381e2872eabffb88d7ad31f6dc3f0afea9b672937b02696aa12d14df25cd0a98cb80c3196f36d9c668f3dc4e9f7baa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a33e9b25bb66f9af35cbee9f16433aa8

SHA1
7b5c8eb1f2b575cae44e70463a054eb6b9cdc58d

SHA256
255ed08fe3c930a384ae7985b52eb69d11aeddf75a55d53b9cd5e256154d4908

SHA512
51126b57392e02b1d17b156a8020d433e4dcefa97cc71f7ff50e50831792436dd0f349cce02e2adcd07963d4b4b3da69914a23c80e6cabb66582224696002f46

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d60afa4b0461182c7b1af11269a2aac8

SHA1
db1f5d57a90b7ce6e24bbaec43264e226ec62816

SHA256
82747ac6a281b8d3db015b46e550104e1420984e8e9f6b679deba0fbe0e99a68

SHA512
fa8a1d178a532db4b9cb0dce7f755c64e7f3145ad2cacf28d7f139f4ec66e2d82c7c41de9f0b108820e8179e7ff78508001807d6e54bfd83c2f2663109d39526

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9028529594c07115d7f37b99e9db6796

SHA1
2a9cbc133feb243bb4733ff13a2d9e8433f0291d

SHA256
1f569d6b231be32f16e484680e9b32759a396c904af1243c23b122981d24347f

SHA512
b9bce25fcc22713decdb21396fd4cc995322c4a7531e5d81ca410caa5f673e02f84bca24e36d90f3b880dcaef540253d37ce2135022eba3976dfeabe53ea57d6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d01a6b6157e999c6d982128603257bef

SHA1
cd8b452769d2b632065a3e612e2d525821be4551

SHA256
ee2eab287851dc010ee0203f3193a183cf193a2c20efcebb8dc80aae6aa9fc82

SHA512
791ed116457508523a7daa5c3bee47d8eebd3d76d53dd8c4e3c933eadaa8ee918dceba09343f6a5d4d1be6345e1c5f060244a0ea93cf4990db9de69b2cb2460c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
b93e8bf848e3c03692e3453dd60ff23e

SHA1
3e6bf79e0d6eade0be1f15df1d9fb7ee6b7b5185

SHA256
5e38c8e9c6fcbdda98f95b036010e008b427f8e8d8d601d5f2b82e727bedbb45

SHA512
0f020b590772712c00634f19d4e310e794a27815203ce4a3f01db1fedf0c5d2b4ee5c184b4e843a79354a6d08b96c67863dc8bce8b834909e6b20fac7f5f6bbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
47945fa079c874f9096c84af49d25b2b

SHA1
42e0bb5d6a73b192b57c8c5ba1a458670d98cb0c

SHA256
be86f30d70e6d089e7207b8f11b85afc2f278753483913b44dc625ec387c420e

SHA512
667e278b54dacc7b23d03ebb9613ac7de48855b916969a60080dc3f3d6a68f43edea455259408512acbbffe90b5499ad27afca52057d33ead6b989b1bb105362

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a85d4c32925586d552c5db13f81cd2e7

SHA1
a3f6eb5ef043e247929e594d770492771b9fc00a

SHA256
f02618317409a4c63ac21df5e12daae746f73364e8f22132d8bd44f40d55ecdf

SHA512
3f54522a6e8eaee0a443c1c69cefd3201be515c065cbb85f690415710b39eb33fde77f5130c7c1c6aa462c463d27bf0848b3816df719c664a22b7370c82c5094

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1c5c86310b63315b54ceb853dc4edc21

SHA1
27149186aef000975d0a81634de271f8cdfd4fe0

SHA256
cb1f251b8af48a5ad6e2d98244190d35e80d6ccb0c7185456e9f1d668ab85a99

SHA512
0f4e4cd42731a2c2ed4edbc6775335aef3e406aac2a84e23ab1dee6270de6d9804abc497f10f9d97cd3e217949c0f3edb2c927a0c9007d6b7d8a7e9cd9dce6e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3c527cdea87491cc1f72abd32e13eee3

SHA1
cba6a189ec6337eaba67c4032180d50ad6500571

SHA256
5a1469283c334645cf356dddc9fd3a0973193c2953ca348d1dd211045310fdac

SHA512
45ee255bbc15c3ac6c71fc4c6e5202465e28f82199f8e9980875ee00d6ad407eeaf6ff37af58ab4ef68ebd9df7b1986cf7e566493b9ee762d83243eb7fad363f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
faca2ed66a3548b907606ac39c3078b3

SHA1
29c214060d94c154420eef3287a7704ad040ad08

SHA256
5e120f2471815f49c8fcee90195399c8a4ff0cb32d796ac40363460b04c4a6dc

SHA512
df2eb7bd1cc73727da757cc49eced25ae366b65cac4e27b8269e363e060fe92301181b88f82b73b48ef88afd4a5c958d2cfaa22ec9154e2dcd4f6889045d31b8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e2ab41539d07a0c4f1e0d95698761d58

SHA1
d39938edd86616ff73bc4a2567126736e9d58ce1

SHA256
11812ac41ebc7da13c0d10da71e455c0abc39218ab42078d83c0649d28377e83

SHA512
89fa14c45e12b71a34a60041ee665a2f86dea8cf62db8cfa14bcadfa6431498f77bf7218efdec8fb65d2637eeac2492ce1755dbec20653cdd2a7d3c09ab21e0f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
34193f6cdd053d49e025c8cfc5bb0824

SHA1
b1498f703f3014b9b5c66e65e3a2ce4da0622230

SHA256
478e5fbeeb3456ee669fbb036a628a40f5d744667fa58bd6199e0593fd2b742a

SHA512
4a0cffa15f961b4097c40254c01b35cc98ad6a14de435b2192501c48aca50b1b31125ba2be9564fab9635736adc5da8bf023ef390186f4ffc9ff8e6b60f68c4f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
f8d25239925644966a20843216131aca

SHA1
bb27279e9b1da100e92eca1900ca3915dbb6a186

SHA256
b4d73ef0b4ebd49269f711a765f25798afe1062c502e408085c83ec8586139a9

SHA512
b362e80192134588e657f192e9f9a9234f2fbe9ce7cd8067b84765799e8c135befccc2a7ab66c1c74e5e91bf9b5b0d786cd76628f0663b4237983b94debafaee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
24768581d6ceb76848b0b5e1633484ce

SHA1
dd19f3f57b85aaf197c2237ba7f51181c4220d3d

SHA256
a30ba0d182268d345a386225c129d1b91cd2af5e75d3bb82861badbe437ee730

SHA512
cf14b49860bedb059d8f469a3d2b76aed17626f2fde190306c70cfc3e0b966ed088138e4282ae9c1c0c67a56dd85d1d80af60bd757f27deb2710adfb155384af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e09fe212305e5b100c31e6eccd72a8fb

SHA1
302b095e09ae5d09567410fa1dad67a43fd6214b

SHA256
f5784fee6064178eb5e73dd0698e0905d4df014a834e700cf02798fe7e401899

SHA512
e60abdcd1b2ac8d64174abcb7c70ed265c554d62d58d14297beaec9ae928c75ec90997975912a07f4cfccde9aef19e72545b4f22677efe3ea29cdd5b838629d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
668dfd28bae855a34cc3d79ccbef8281

SHA1
041daaa0b16bcc0069fa68a67710c7c60eed4267

SHA256
daf0e4619ee3beceb0138eb76d36de084e500cf6877c3affaac398219ae061d1

SHA512
adb96bc799443f0baedabe163ca59c2ac0e0481409e696f8e0a5a2280dc96125e6596f5894a82be22777b25e005fffd4f3756985f77b444b9f297f3f796d2355

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
32aec75ec6a0ee8d77c6ed140cb93e22

SHA1
8b42a926f2a0ff863178d4e013533c18eab78f8b

SHA256
34246c64301d427129442c22c8ae53bf88bc1a95a97431696438550d80980927

SHA512
8199b48bd8b7e375201e41e540eb008472908cf66d8d35f1fb3ebaa8ae2f373757e58d32c24e8e4a7aacc725fbdeead552280632b27cb4a92998f49f2555d7a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0d9241a9afac2c49dc1c462ccc73c1ba

SHA1
2e0ee38350cdd8a6aa443c03c3f10898a0082307

SHA256
dd026dcc3661ad4252e772e8582b8af2c79882b1582603f6f8a033abc00dee42

SHA512
44d01b8c59a4a5d0e0948c9f23bd3deda9b3cdf972cc3921909db3ddb890fa38eee4251cf1c90ae433d4984bbdcf26299989a5b723f75f3a1114dfbf1484e056

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a673c2c18f0707f60035f9864b467cf1

SHA1
746ca9ff8a1e2d92debd7dda6733f30c385c226d

SHA256
80afb1896062125bb73f9fddd6e031642f1b500f7c478221f4da15547943697f

SHA512
ce3ea1253b765fa5c7e8b6d77dec588899ef1dd3cba45cc3093f047201749b7f7ade550cd199e92c49f385df247ed66b81e03b0feddcd055c673f92e90cf51df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
7b5ec3db45fc4a48fd644b0d90766e7c

SHA1
d99f3efa461c69fa6dde2438b7456eab34fcc390

SHA256
ccc1bab04d66da49213c0f8f2025d98ea1e0c6d170e4936a2b5b35ae0ef6a567

SHA512
b247bd8155ce3d5e3938e35d6f31b85080a79cfa9697e5902ec78a251ed251dcc26aab977739b53475710584ce34ab1fe63468318bbc2dfc8898f931709bdc47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
fd0fd2649130a3ae97cd3f45fa0fc4f3

SHA1
05f15fc54e7466ebd114065864397921dc022775

SHA256
27c749a37dbd9bc53fd47d26c15b75c7e57c30c172fed2aaebcfd153cfeaad6f

SHA512
26d5ac37cba5a763640ad7adf6cdf5af856e407e43d43a142c74e7418dcbbb115e117360deac1634438913189d5d529e019de3ded6ba14c38e76055361d1608b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
7c77cf597364c62b2699cb92bfbadd13

SHA1
6d99a9d7501786850400f8db09997436e0d1ffd1

SHA256
e9d404706326481bb41b7810a40e2f9a440d22aa6f31ad627ac48e015715c74b

SHA512
421ce9c5e917325cad9acbd949d1a42b9005f3b70847a975e0d1bcdd51bf834cd60ed0a60a7c0781680e105d23c5a9dd349c91d543889c5d16c38622678925e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
8b9ae897c817f0242e2dbea95ccf5c74

SHA1
9e8ebc56012a4fd6ad872140814d75655e9a0e70

SHA256
3bc9aa7980e3221e62c2a02d7123af9d10d23777349e3bfa87bb17969f7c26ee

SHA512
3bf4643343c1de34e208015c1c77955dc5f674507367a829b6d74f4543a5efeca8b230278de9df885d16a3afd4d0acab9afcc750e986bbe997056d38a376eec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
4c17f7440fbeca04b9c6b3e826096ec6

SHA1
6fbab3526684178189c2ea85599e3d28ad2b27d7

SHA256
c866de152abf12c7898086bd9891fb0b8c36ff2e83337fb8127cdb221b2da23c

SHA512
54194a2566ab645c5a4ae18c90c6646bc8cfb73101b5863d7846710383a97b98526d3247bb70e7d93f61ba410bc3b602a61cc52f4811122f280d6bf01af5f80a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
05ad14b6d11f7622035a2b1e07195ad2

SHA1
babbb52524bafb1786f0a0af97cfe65eb4dde997

SHA256
1830f24986249aba6e3e85e707d81b363e387568d2d5e0e86666c7c3e0800e22

SHA512
7a9d4db9736d2ff876eff8df33315fff7e98720460f9ccb1528a743323d44e3f9e9b82dd1b69f7d613a6bc4027646207eb78755b1dd569cf6affd0d13d71a286

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
020d8efe5a5ad5f827104a925119635b

SHA1
0b1ac48d400261359e553ebc2419657db9902cfc

SHA256
28c126df9ad3c9a223365a0141dc945002373c06ded34f55b5339b4e50f9a87c

SHA512
016edbda5d1e89aa338755c51bba6499ea048fb20445506e5976bae61ce351924194652a255cdbde9c95bbcad1961a1340704b8ab6175fc1d030c0699984d4ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
c04c0175f25120e98d96225b548f975a

SHA1
35dc04e659d6bc8610d49130e4eb1b709a4f6e7f

SHA256
67250e56e3f99033673e74baf09269b0c96a55728830ce8191d9b0f5b193add5

SHA512
c911effbcd4c5a5661787579c8e977e8bc741ea88b0506f51acea1ede971780159c528a392b2767e64c6a9afa4d82626456e1fca879e3cf071bf0cc099a4443c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
26ba0cfd974aca68e8849e62e5460c9b

SHA1
1faa7d09ac2c891da29df022e6318342e91b1b6d

SHA256
9df802262d6b1e08f2f2fe93652c3a992654d253ea89a650d7de1f3be2d659c1

SHA512
32630f385f8419cf637f52852d5f4747b0283d4214f317904720fb241f27b89a4a5accc01cf859c4fc60909cd931ab78e058588ab079976b0772e10cbf93b352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
e4c04aad9e898718d4b6bcee40f28438

SHA1
9eb419b0c446d2e70cb7d6e9c5a83ac7ea896a45

SHA256
728bc2500a08d8dae91724ce837db86b39c1f342ade476661f18fc43a7004d6b

SHA512
c3c688b01875feb783f8770389a0e04ef659e582dec4edcdf4048ec9264df779a1aa256a5de60bfe68b97950885866d34eda41150138a1eb50530af196ae1863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.7MB

MD5
72af670e138c3da054b7dab35531c1d2

SHA1
2cd6383dd0c6517d8aa26abec0fa49b141f066a0

SHA256
b44e112a3db16332e0ec282974f48cfb3b3c32cecee4ff4d690e81e274f5a3e9

SHA512
ae612032c896c68d7c452bb99b38ca533559c1e92aaa7cf2e117e5d1afa0cfd6181845682caa85591cc66e31bf79eedfe7a3dfff7f46062e9736a8dcee719c56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
7e1dffa9b2cecbc29c427b4085b950f9

SHA1
596e251aaac036443cc721189617da76deaf2088

SHA256
97ce135d83fa50ccefc28d61053db91795f3ea79abd9ff85b7ab069bd08aa389

SHA512
dc589e1ce2486d4570d6d514f8d452c5f34cb4270cc6b216f8f315306ac452d796b7a6c00906704f815b347666d4540b3c69303439190ed6be097b50ef9d7826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
a320cc7e195bdd794303d664ae1bd326

SHA1
1e3bf7274fa72340cfcda4a83d3bfd860cd09825

SHA256
6cb8c642f97826f1725ae6419893451e772eaa4906ef9af39cd1c637d6703e86

SHA512
7a76e5917dd86aafdf51fb0669222b903f7f20a1ffe798dc2dc5260b686bb9bb256ab78a0e2d68d505158b62ac1fc05c666ed355ff6708e99ee80576d1547cbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.7MB

MD5
6530a30462d4717babad2b8446fa3d9a

SHA1
5353d4272e36e1a9ab4ad99f438672ea17410405

SHA256
1ab90fd86f43ce0a3e936ca6c708f8986758bab1b1bc3bb83f536f10e9c28cb9

SHA512
1e4788f7d645dc7f0f37965da03d35cdb8fd52766620240d5392dafaece0a4f8492af8027f34b3ea92e4ba38daf0417b0a474c89d7e70a438858879333c4baa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
786d3037d2b7a0f74fd2613246c43659

SHA1
e4d1c012df4cf4066478d9953f3139a7db10bcb8

SHA256
415e33129f9cd11c3179fb07b0669110ce2421f0e948e1a70ea1d45f6acbd26a

SHA512
edd762f5df1ddf9390b62cfd62dac5a8fc9f31590308df237fe861473aec6b872224f0df38b0e073025eb5cccd1a53684dadf3b2b0693d407adbfcd9bc122b47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
2.0MB

MD5
986634a5d0b5b7c218aa8f40a8199880

SHA1
779fc7fd9506a2a88139a65c0a116bcfd9460321

SHA256
1cc9d0e627584072684c149875341692032786b87db9a6d66beffbb96614a569

SHA512
55cc83de3d87a565f14859cb51eca8d1e6352e1546249777aedbb221c5f50306b9d848ef85b469312f09aaff70d5234a714588dd1e3e5908792d575a01b39e1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
e24e7e3e805e4d022f20d11b6bcc5d28

SHA1
87d30b151c92616185cb069af300c1a97bcc6cb5

SHA256
6fbffda9c71dc7302c498f072a8fd414dd62e5dcf20ebebb43a1440a26eb85e3

SHA512
2530f36fa45c224e4c3ca6830f191f0c65adbda37dc79d9ce4ac81ecf4cd2832810cc0b1b6f7382373819de5460ab73137379c3c3372f316024f33b521ef329f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
3caee26dc3bc79b6655e87e1b58b6d7b

SHA1
feee3e06d0e4ee2d8613bea03e144483b9ee1a33

SHA256
89684460ad88f73a67269a1dc833c63cb1d649e691da8feb01a4f71b8cfaf81b

SHA512
c0a64a66e3fb3e2fc353913ee5fb7eda8ec8c44bd91a148fd4b169fcbb2faaa710f9c7fefc45ec1f9b37b4f1cb76d51ace8365066c2e8a64669fae2ddeffd877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
29ed358ef9125e84d322e181effdc92b

SHA1
448277e6fca43bc3e225e784d495e2c1ec8b0f7d

SHA256
886b9b212a72c42626b2e17e3f84c1e0fb2e5ce828292e3de50d81768d6a0de3

SHA512
092758b697e0ce23c09eb1f9e0dada941b786da7d2cd90787cd427ecf298b98ea54d27eab137a44e87607567459c86d3c4c4ff85fe716c239d2700494c32ba46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
16d302e44f0cb30120238615ad40408a

SHA1
2ec2d3774da22bebbcbebd664cbf246913421db8

SHA256
4077b2fff175327f7a155dadd29c23254a39ad529442a37fdea8d2027f334638

SHA512
137c3ce674fd7d113787238643e5592d7fcbd0699397876aaf7ee08f6632f6c35c0c2e27795727e80048d8f4cffa677819d961649bc2d5123f8f696c9a7ba85e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
cccfc32ec2c21fd099235f086ef68a27

SHA1
17ca088742310ca07701d3847b8c30df885b66f6

SHA256
796f74e8ba99504a7984372ffc4a2a4bff5285e44a08ceaecb56d991aa319e9e

SHA512
812a028c8066ad8a80ee2905734cdd89dcbef66e39ad989f353bf7b1431f91f87d5bac8728520e88fc3a4eabe1ea740e7a8eba9f1c0db17fac10a1d0385c8018

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6886c623be788acd2970ca159cdb950c

SHA1
b9e8ad0d064f235ed38ab6ff0a13a6bfa613d2c6

SHA256
82aecc194b4c388cba1a08092329ffeb0f09315637774c9fd2d48ca2d0b70b46

SHA512
0d153db3394b2ba4f713c5ca2bd543014760681fce256d5d235c73f9ef092b433b37b682d868765f0742cd75192b91515d396506245b88af47e1c724bc4d9684

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
678436449f59af09d494e0e48af9e9d6

SHA1
4e1b633516b4e88afa2cd2c0f80f3b033b843dd5

SHA256
ec5635197999b5fbd86813142d5efb9b5a151349f2a4beb88db200ab83f8e0d0

SHA512
ba2877f5c21140b02cdfd1fa15d0f81155f7db083bb57be3ef40bab4f66cff19b704549dc81d7bf633f47b3df5b879cc872f69b56db1a596764e6cf6df8323f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
03c92d2a6bd7d251870c886408921878

SHA1
28053ddd516dc264b3e5ec37f3e36e98936f71c9

SHA256
3c764c329e9d6c357fae76a255b070e51b355a25f3acbf68d9526d0e8c981e57

SHA512
1bae532bd7cdd42890ef10ce1be6f1059017f0f3d8f2ea27021b8de11149b4848b34d32ae52086cc07928646cafa953e6337bc537ed31e5ec396e0dafdf98c71

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
f431b9e790b6d7d5f7b0ecfcb4168940

SHA1
7ef17032473b194b1a45efc4ff6245abbf8ebe2d

SHA256
1eb4c4f79ab1bdb4f476cab011b7904315f98b6b42303d19db826f5bf257cd72

SHA512
45f70016062e98575296a9630fbb5cae77a235bd9f04ed1188a812289b605a0eaa61b7c1e6df6353bf9267e1aae852b79f6fe53bb86cb45a083140ffaf959a77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2c07193ee0247513f8d95aa34599cb50

SHA1
5b50a4e2fcd288a82841c3b79fcdfd2f29ba0bfd

SHA256
5cc26b7b4c15194e361d808f660d4e26be4f8ef538e15a7b4bbd2b204bbe8ed7

SHA512
ad0fa926c27380ebc2ef7cf3fda2331ba92026ecc641986c733e2ea72017df967b40a43e0fa1aa97f82dab2c342633afe87af3350d8c5dbc192f9f24fed9a985

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
32efe51a01fa957a0a5e9674fb0eb0fb

SHA1
8eec7810fb2461e85b2fa6866ed0542aead6af22

SHA256
4cc7bc2df0be29ae90ab249e6ced748002453797bb5f3246f24efa88befee1bb

SHA512
fa02b90804237f02a5ee98d02e01497ce5c6f7d17d5febfae001dca9fcb633daf6214fe5b73d5b3e3076fd521d2de74eea4f6c17fc214e2fc1b2567b853f0d1b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
e83f30bac1e0f936e476a38156bbeb7c

SHA1
2181430abfbab7cd9d0452def202b1189892b6d9

SHA256
ca0caa0f2a7b348b720b44a981b065e1d4bd719ddbd0c0e67e48476dd9b1d3f6

SHA512
97f272a8fbe03cc2277c4add909fe3bd363f455b695232be2b2996ececbe2d31a1dc4d2801b1a0af42cfe1ed2e761ebe4707c4feae9c05cf57e36724e44cee82

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
97f116a99078eb9c10a7db87cff91888

SHA1
9a3ded4af865faf131b5d50657abc76218c6dc7f

SHA256
f3a496529937112f43f335c97d6733c508eb336b3121c864c56a0f4082a0d203

SHA512
209913d63e196970683119ff131d64ae13ed6179b4031daceef26047bccb653718137d850562c4b425e5800aeac7cc3dcc69d77f38db332bd85fa86da012c858

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
143a483bccce3ab63f4c9929b49d2371

SHA1
3b7293b725f7cdedb7d22e65575d527bbd8b4dd8

SHA256
3bb943c7c41961b0978ac74115bc97c89a87e42cb515388af9f60b5b70854955

SHA512
496773e71461c541d4428629e34dac7ae8fdf63b079c14b2bc56db7c9a9c059ee161c12fcb45b5093510b8850df7e37ffbcf38086f4cf5e181e818a61aaebee0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ccd0393de4960cd34d5660f2f316210a

SHA1
1f6669b57f984c179db0c0db45944f37609fab97

SHA256
14843e8c9956890b07dd21913c998d919583b1f6e13e2c2c3d369dce540410d0

SHA512
9eb419aaf9f1fbed6514224e8c96db83372b9a8d0a8dbabc8fb90cb01156a3aa2a603968d67fbe7dc3eade85f145fff1f55c5f858dd88feddd3d531039ebff8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b807b1fe74b746fe86def399950d5ff

SHA1
56eae70941b0dc155d44078167437189578c5e4e

SHA256
91d800b6a4524355d4e8c1fdbaf0c866c736263220f635c85aade6532257b68c

SHA512
4037e2e0e79e69bcac9527c09c32934741e3ae4894f33d03cf2ddb9e66ae9f01051fdb593c257a1bdfa647a5a88d612834597040988e0337934c10e6ce97a11b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
a4c5d3e84c3bf88e8fcfbea7298ea94c

SHA1
de1799662a05e9228d27cd0999bc47a70a805ae3

SHA256
53fb7742519bc6c95842f194d9c0fbaa3f94e9cb6d128135bbc213ce40a4bf30

SHA512
af711a24b53bcb1d18d0d58b20a72aab1e1163f9f27cb3bb3fff6d6315f43d352289b6c3e5381844dd34954bcc3bf96e80032782abd9786ca201fddd59405a3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4737eb41db8db11b6a5d178f85cc08dc

SHA1
be678655161dd95751386aa9f67768ce798cc10a

SHA256
475aff370e1b353545884bb2d223eea4c19cc8aeb5dcc6616e7d508f7d19f30f

SHA512
a4c41e023af5c99649b8a7544f542c2fb4540fd48c7ce34a8eb8c512fc5d0c18287ac58103dc949b506e7cf48c0e158e5eb056d6c70f94baabf599c674f5b54b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
d1d50184834277d0cb6f3e4d6ba1ca52

SHA1
afd67f3b83c49fe0add11e918583ca8c97705707

SHA256
ab5aa945c456fea2801443a9b96b43b4c818aca1688c2ae39fd593ace0183ef7

SHA512
8ab9fc8a931ec33353c2c5077d0430a76e0f41794fd3939dfcd032fb4434ab244d7d636bf080cfd85b1d35fe2a5e7df5b9d61229bfe18dd230ca1f5d325b4f0a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b15e8e6a944c79e4b0b2a8cdbcfa5554

SHA1
8c3aad45006729467a5e2419a6bd20064d91ee5f

SHA256
d887b47634e2e1c83c75b213b14a43d1cd391ebdda86c5e1197c6473eb4757d4

SHA512
d069635c2cf2b18ff247cf8f77c3932714371be7ccbeb7dfd8afec5b7ec8ef4c47c14f9a4e6cff362f2f40a6628a321d49c5996b5532f74853356dc8f3a1d6c0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
2c4a56843ffa62d230223fbc7db8d123

SHA1
78b34fa6738f71ad8d9287d10a86be7ac698499d

SHA256
116a5481721a863a1e869dba9070e4f722644b3cd3f52befd9d7a5ef3a385053

SHA512
2725759eeac18969d1ff5887f5cc89efe97a5d576d8c741bad7e7b1ef986dea6d43b12fd263d7ba9c6560930877f7956ed4b48453c9757ab875ef6ffe71a9212

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a512fc76113b9745e6089ec89482d133

SHA1
ebc123943929718828d1bf84424b37858eae7d77

SHA256
e3b008e33c469508390e18e2fa2695b03ca6154882945dfbfae1b49ace80e61b

SHA512
56e45f0d26bcdd0cbcf65a212bc22c0386144b905248974aecf7f41d8c4690e99341edab701ed0998b0aade5764d674e5ad451ab176b6555f47a5b310c6c23ba

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
8423ffcea40a40ee80bceb4bf5f87f17

SHA1
25a02e095a576e8f03879eb507b24465822cdf35

SHA256
62bb0fdb6f488ddd586d9bc1531bea72ec5b57f0d9af4b5a12e952a58458de0f

SHA512
9a2e7da0e7f23fdbe23ef8672807b1b8f6d4fbe1816af1bd793fc0e8ca1495f0a4dd4e75cb40311fe7f23b831127dbed49934311287835da9445ca0e021e7bfb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
382cfda91bfe88347028108f31af09d9

SHA1
eb2dff505cf63d6221a3ef230b5d7a69518ad19b

SHA256
914a0effe614fd08d9e14bb7b9cf09a70717af81d177b4fdf1af34ae86397d39

SHA512
9cb90bdd6c50b3044afea89b5792329291ed72d7df7e2ee8ba472bbf7efda6cd085e3e40a28ea73632d73709eef3a960bd2bb8b941507cb7e9bb75b705e1ee3a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1f94c85f2516782f271357fa84bce45c

SHA1
370d7a461815d89c8901d9c89dac2c638f3478fb

SHA256
2290cbba57db7278d8f42b32af4409448ed6b29eed4a5a289808b96498da96fe

SHA512
7f00c9d86c7f250df89a2eb6c019bcb22f7739cf036bcd4309973bd49ab538ff8a774c06d25555a098e0e330a2eb28ed2a9d62a0e49a725ef7a2f8a3492f1395

Download Submit
memory/372-257-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/372-265-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/372-263-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/372-322-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/620-482-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/620-285-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1064-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1064-64-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1064-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1064-76-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1064-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1176-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1176-501-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1424-11-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/1424-236-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/1952-330-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1952-502-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2492-493-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2492-288-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2708-273-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2708-326-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2708-268-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2716-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2716-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2716-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2968-495-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2968-300-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/3060-319-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3060-499-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3316-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3316-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3520-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3520-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3520-26-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/3792-25-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3792-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/3792-0-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3792-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4164-504-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4284-79-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4284-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4284-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4288-279-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4424-250-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4424-318-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4576-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4576-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4576-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4576-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4588-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4588-500-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4832-245-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4916-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4916-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4916-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4916-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4992-496-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/4992-311-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download