327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe
Size

3.3MB
MD5

a25f510db2752bbe201d8695657986c0
SHA1

f23408bb322343c3bf02100de5257e5926be5ba3
SHA256

327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1
SHA512

beb74e646f5fb5bf645e4b7b2864243d556e1031248f98d006eab2ce88b8df6dadcf0156bf7b3a4a64970b613fd11dae0b918ba3c41f7e9d63befc86e88b16c5
SSDEEP

49152:83BKBUvdWJTy4nia5w32OvfZcvkuRdLHkJEANmsvHHu36UpLei7dGy:9ni+w32+QDENms2KUtq

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4668	alg.exe
2016	elevation_service.exe
1672	elevation_service.exe
1724	maintenanceservice.exe
636	OSE.EXE
1468	DiagnosticsHub.StandardCollector.Service.exe
1076	fxssvc.exe
4992	msdtc.exe
2472	PerceptionSimulationService.exe
1760	perfhost.exe
4352	locator.exe
4000	SensorDataService.exe
1232	snmptrap.exe
1384	spectrum.exe
4692	ssh-agent.exe
5004	TieringEngineService.exe
920	AgentService.exe
4640	vds.exe
3224	vssvc.exe
2312	wbengine.exe
700	WmiApSrv.exe
3388	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exealg.exe327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a591db1ab4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000495710a767cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080770ca667cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000282bdfa567cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e8ee1a567cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e59da667cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7c41aa667cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8930ba767cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060c9fba567cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f281da667cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid process

2016 elevation_service.exe
2016 elevation_service.exe
2016 elevation_service.exe
2016 elevation_service.exe
2016 elevation_service.exe
2016 elevation_service.exe
2016 elevation_service.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
2016	elevation_service.exe
2016	elevation_service.exe
2016	elevation_service.exe
2016	elevation_service.exe
2016	elevation_service.exe
2016	elevation_service.exe
2016	elevation_service.exe

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4640	327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeDebugPrivilege	4668	alg.exe
Token: SeTakeOwnershipPrivilege	2016	elevation_service.exe
Token: SeAuditPrivilege	1076	fxssvc.exe
Token: SeRestorePrivilege	5004	TieringEngineService.exe
Token: SeManageVolumePrivilege	5004	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	920	AgentService.exe
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe
Token: SeBackupPrivilege	2312	wbengine.exe
Token: SeRestorePrivilege	2312	wbengine.exe
Token: SeSecurityPrivilege	2312	wbengine.exe
Token: 33	3388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3388	SearchIndexer.exe
Token: SeDebugPrivilege	2016	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3388 wrote to memory of 640	3388	SearchIndexer.exe	SearchProtocolHost.exe
PID 3388 wrote to memory of 640	3388	SearchIndexer.exe	SearchProtocolHost.exe
PID 3388 wrote to memory of 2176	3388	SearchIndexer.exe	SearchFilterHost.exe
PID 3388 wrote to memory of 2176	3388	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\327103a87427193a91bf6094bd66f012a904a6a68666c6152065d3e55edd42b1_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1724

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:640

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
cda6ea161f1f162e72954ffec4a9b247

SHA1
f9ab2a182317988c3feb6ef0d0911c29b2b78acb

SHA256
5e3d51d2cda2d2455c88970e555bd4e335498238c9b2b6d29fc150ba822f565c

SHA512
2dd6671711935ff6f8a0b81e42cf40af1d4b8f3cd30a5c6ff3e51aeb0044de3fbf4351be931225f3741e5be84db3ec14081344b3a840e1f64372dcbfeb8bb4dc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
567b2c143b219e815ed51a7853d1fbd4

SHA1
19c342397a0d864e5c4677fce06857c65c9f6326

SHA256
08871c318b46afc27bb93a0597e4174d899605dcc29772f66853ab9f4b5b90ac

SHA512
ecef387d7b4ed20a596a96562e936b6ee3dccb0c4963ac544e1f05d85de9e28de3c841acb69b7b4de6d99d084b8045416fa4092e6311acce6c7a83fd97b60315

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
275a251a52b90217a4a5c5dfca9d2b18

SHA1
bd2dbe61dac7c698d6e445bd7655b45e830b337f

SHA256
bdd90fd9957141b5fef6260beb95ec9c7e622f8771066f46087effc05d600da0

SHA512
0caf90026f0949996e31bed4910d1e9a710b878bb6ffed8603cc778e625e3a0432e856cb7f0b4992e4ae33947cd5339c4edb97ebfaeca17f74448ae7b380d430

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ded7cf07172ff4869f12e67463b9ef61

SHA1
67263ba4ef6e4ca9d6cd501017e3dee2d69579e8

SHA256
8c9054e82916ab9141165af9aa17fb83b6be8737066e0c905f332e11850dd62c

SHA512
ab6cc43807bb72c635a2ea01c70821b40d3baf9f8d9693860fa74a45c47c130019520efab7c6e46708604eecf885ed9d31676cad7eaca4ac9cb580f583176c45

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
310fc8cd0379314e49c5e299f2cb5a88

SHA1
741c70243a61adbf87dc0491e7d868b0bcade50b

SHA256
db149d195b7623417adb038c6f7dbf99d7b9346c13b307f1a8c72cf421297341

SHA512
fcd3dbbf722fa72e674bd7b7ccc1d58295e5ba3e8772caa09040521bf0ddc511c68067d3f9e01ffd3cb4b371e986e1ce8ca7f133c2f7a578744ae95c3b9b583d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
fd7a153d53da9d78197b7b708e01916c

SHA1
bebd2648538bce784c1b2fe47321f73b46812687

SHA256
82f81d67c77a9d67e94ce1cbb8b9c3bde51a642363fd6eb39a57f889b1c1fbae

SHA512
c1fec39ed7b415e9c321c7e215d6ff4b07f446070c1f2639003441cdbf9a1fdf73ebd66826096e40f0038f6b04d40e3d6e24d43c824076cf20ca8fad6cdd3927

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
0d13197b9bdccf2fd5046f1abd140504

SHA1
4f6dec3de68e89dd5c2d4232ab58bad9aac75b7d

SHA256
54c4b0ed69e7cac77eaa5b39db2f4fa7eaeeb520fc48c5e402baeaf02ba2cdcd

SHA512
3891e79c96e79a9836f3b2c452b3a4492e3094639fae4e8ef49cddcd193f6dd1b5275bea7d8d6dfa8c03fc2845c5f0d55fab9a6899b9682807e9eb63bf033dfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e5b271a78f94582ceda173300931bdf5

SHA1
2b9acc9419dd53a4b438d7fb2211b91a98ccc972

SHA256
a3dc63bd6d5caee30f8c64a0f2d028ba9231739684b4e0cc9efdaef106d0b81b

SHA512
dba1169e4d16afbf86117c0353ad42083dcf050d535abe62d6beafc3b638adb7cc4c0d413565d08ba461c0e2189cd80073412c19e950823f5b8ebe726ae909f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
3faaa62b14fcbf92847cd9900cd0e0c9

SHA1
a8a0a9351c6aa3ba78cefcbf47ff6fb90d95ffb3

SHA256
d45d1f72747529d33f5e07a265d7b7677a18d36e2f4aad67d4f2454118cdc568

SHA512
5e3724582f564a65b2a8fe0bdf922f7a0a31095220a3cb4a103632f1c54a568f078bf4cb104cb2955c12724187a56bcfe4294a14d7b7ad034739f7414042cc06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
19ab35f94497a0be69ba9e38a29e8579

SHA1
65c9f3828713b18f51dcd5f109f6be32ca8b9a6d

SHA256
895113f01461eb78b4afe6bfb37d081b99329fdd2c2d27c02d16f4887621c62f

SHA512
7248e8adca34f00e0b1c749d66f1ff75458dc3b4a3b3a5567f3f0345b5f5b5f239fc362eeaefa9a5530df89477092502d4da62a2dd536e4c7234c462288fb30f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3d3286fbeda2241a34907e7228596576

SHA1
9db88a5d39cc9ccb87007fcb8792f35553d13d6c

SHA256
b7d1870660ab1254b9807bbce5137440daa35dde22ceaa3d67f817e1aea90d3e

SHA512
bb6b27cce32bf2a8e9b2d0c2699890b37547214fed324f9c0f49c2264f6ef27d4b196ed111dcbe7ed6c1291a2c41991390174b1b68ee19500e1aa318b959debd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9a371a3da1bf86d01bf64d245a0d4946

SHA1
5c7b2df91884ace60eba3119d006b89a0e643694

SHA256
6db67808108add07910560108850df404a60f14a40cb46882afe38d154aa6649

SHA512
e689bd7b5f0a33d8aa68a158baff7f8b36f0c4ab07a7a2b8d11ee73dcdd3c4181b79aaf9fdc85c606bb7c8ad66fb4287356f9f12a9ce390f3f7cc6e2783b8a97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
05428045b91e0486f94e155ccf3428bf

SHA1
37dd5d8a0c07609eafe48be205bb7902135d01ce

SHA256
72302750f6650063dd8a71b1600dad2db551f904b200f8b970bb4f940238645b

SHA512
604e215bca0e858eaf942a485f424d357aa39dd201e30b7dea6a413c6fb09b64ca0997d2e1bd8fa25073b655b0402016c39ecd6f578893c8b4cbdc7067df35dc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f8be4d3c7dbfad3c38cec3ebf003ac2d

SHA1
757432ad8c2ecdc11d9c4bb8d7dddac5bfb35768

SHA256
fad814debaa7a1ac30f665b1ccab5522348344ef91d3f702c430e5ef58e3e2d9

SHA512
fc7a8c37af2ef5ba351788e31c6cf4e77ed5bd6c89921671ad3e0def1e39e4ac8bed9f55b5aae81285b9262e909c5c18dc5142134f52813451d3769392408337

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
02fcf9b322a3c62a5403566cfda058c0

SHA1
152734d83b6725cff893af5b4bc72dd8a690264c

SHA256
d583862d357390add148275c8e8ec78a8be51adea550a6e3e6d4cba45ac495f4

SHA512
174d7f249fb4d0ffefbc1336afe135ad54a638be046854b45ec4c4afeca1c636c6e864c12ae35fe25a63b6fd47507aa08699e7c9c98c9887345ac49ea73857d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
3e989a9f2ce0f42b6eae2fa81bf20bc6

SHA1
17e7e83d19032be7727f80490ac19011c1599f42

SHA256
f4817cda51eadadea9fc1b7754994a153b193c32f85a725fdf0f976845c4a349

SHA512
bd4f56ec0af3beb0ebcd39c3eb05c95e61fe8c6e00e493143060b6049837ad14dbaf4d3fdc4574405a4a63f4474d4e8a0cb459ff363f02cec1983050a7a387ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1ebeaea4caddf932f88a1c186617f89e

SHA1
59bd8a598e2d8579a3e1b548b0c23f0cd4875561

SHA256
a0bf3dad960ea060e71a57e5ae46a25c8f003d5bca205cbf375f64a07b5f85b1

SHA512
61488050d116f40547a257d2c2f9442fdd3d9128a70b7ac5a0cd5840a899802b1e88325e98f73525384760aed35f8943f50e9d35d785535827c017bc9e72a013

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5f73fb65ae49f5295fb47b5d5df02ab6

SHA1
63e65b76ee10fef9493330da2f261d51564b0463

SHA256
649e2fbfc957e08bdab5d4633d319bb45561e68df79b96a99776b12494d75d02

SHA512
a86324c8e7ebe9edaaeb33ce61224fc403f2d77150d73119910814ce2ca2076ff52a4d0ffe56a141211cb4e13331cd003631fbd09650aaa25947e3664de54b06

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b393103c9038e07fc72d5bf0f38ef343

SHA1
6e8d9d66facee78975e412e1e055ba61005a6818

SHA256
01ee26123e4cd71e69e9cbc6971bdb576a7720e8a0950166c33b2d2eb3cbb27d

SHA512
27eacb77dfff4504d78d918f80c473c3857932bfdf48db7da616ce797de60914cc0144c85c4a5c136ab7f666a53d469e8efbef2dcedd4c9c8f54262ca8415ffa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
e7f79c50d68a8e5cbcd27d0822d42c14

SHA1
d799fd27dae909a7b10a054d2c4527dc05aa7801

SHA256
30e336d531b1e83b0d1d435c1e8c31d544c665ba9e16cc7b13216b97395074cb

SHA512
ee05a3006aea9e31e65e0acf970608b1c8b4f3cb31d237da6d3fced565412efb788f44103ac65a5f1f02379e8c9463d6bfcbcca8d90c555d70c6ff389242037a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
beeaa93549ab1ab70557e3cd13e9cf12

SHA1
f786bb6aebb9538b7975ed34a49c76b5bd4666cf

SHA256
776d4b6238502e98a2af225c84d145c888f062cd5bee4bbdd4f8464edda08240

SHA512
3bf936acd0d5584bfcaba6570f0acbd036f12b21930a399c8ea3d76a37805c98b24a661a01a57992f172092de228b0875a920dcfe7539a38a225a0fbee9b8a57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
8a9b4bcd8addfe3d8344de6ed9b8b435

SHA1
e4c22cea8256e390b4093031c6691c7050becb64

SHA256
353ba8a2fd050395eb7e0b7c81a1f1265d53495623aa683e122e6f3e66a78ed4

SHA512
ae854d345d5b230ed8d371d48835342e26aa48fada35ed49740e2cdf660d36e0847673cd4e85f8c13351706bd057eb7a26d15737d07ced9cf538f345495e79e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
4e07eb58aab0eb5efa0e7bdba0ba679d

SHA1
5c0db5ecc3b32e30fee536c7077c34be1329a73c

SHA256
384f395b310c0642dcf9774c0543d959dacec19dd619281158b1f3288432e768

SHA512
94daa429d85f00499144598db7da9a350342a819a9efe63e8d27b49e0e7208dd35eb010c5610403194aa6f515e7cc9e45a0232c92047633267c3f29d2e183f50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
0e142c89770a691098747219ff6efa33

SHA1
16070902a5a99aa0562a3c6435eef5ed96d7cbc0

SHA256
5c706e03b9b615adcd25f63fb4d7c72705e8b7c437daa30a83662d038455ea45

SHA512
606b9f1fc0c34482e3c0e3e896b7730d53302465e3d50931d1438ecf97fd456c845686b39c4ee704f47d58e206658326a066a83e42eac4d1e987057a280d3003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
053a8024ae626360d2cbe046bf59acbd

SHA1
89bfa12acba0a9892a2fb02b8de47e6582e2f4c1

SHA256
e74c37d92acc94dd9683cbbfeba2f9fddf7ced2e81deb03ba35dc97a5025123f

SHA512
703bd2d728081062864d6d8385c8b0eb143fbc90cdc8fe770b9354c2b848f044deadb02000be5b810981c25a36a0853b73a7ce70495e2a57cd0d679807c4fb9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
c1dd67828ce176f0fb7505fa6bd38d03

SHA1
83d40a3ef80bc50e1d830e06d05cb646917c6f0f

SHA256
64700811a3608abc25b9c046ca6210267903df8762b7995218ecddc0532e2d4c

SHA512
e0b0b96015c81d923fe1c95c4f1fe6f52cf7b98ac031755bce02a9b79f5795b428df48f17069afc3f31b05bd6398d32dddc23a88a38e140ff64f019302d2a3f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
f0f617863fbf4b1f01e9c0789d00ee3f

SHA1
556c7a8b17899f29bff02e547ac25798f7ee8dc2

SHA256
53ad0eb74235677f420929d07126aa1b51868978f7ef1a751b11e17bfd07c81d

SHA512
64f09263d369b68955040931ebbaf69436b2b9f842865a2604efe9dd5796c0e30dd7b8964e430ebc38479fa569bf57e914a443ae5f21fb6d7e20e56facdb3e0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
f686d0b4697cf15fc08a22510e67c384

SHA1
d437a412348812b2519028be676fb2bcf1cab1fd

SHA256
db3542aaf37533efefd5416c531288fc30156b27bc8fd5655b4f329dc6da5458

SHA512
2f41b653757c2ee93a5c3b4b919f1041cddf6757d6307e49db73eb4b3554475bbcf22ecbb529300d28c90df7c196af9f674de4a485f76ca9368ef19d58df1bd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
e56f7988b666ca27226123f234f41699

SHA1
b8c26f136ce3a49b05896125d74a7455f61ee7e7

SHA256
6f818a1ec2e8144007b3686e3053567b8498acac6e947e50e72a853809b796a7

SHA512
6c050e070099b6c499906f5c117b5c43fd4918bf337846ac91c53705de4d2303799aa216c82952613385e01cfe8539de2c6aa6a50802050967a87c1242201c5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
766565822676a91d6610381c58107616

SHA1
e73ffb77fcdb51b4aa0f768dcd8835d1cbf3cfe0

SHA256
c5fe927d938eec24b30067d2a860c05b5aaa3f934084c8e956523ab697a8d88f

SHA512
4896c79db18d7fefcbcc9cb2f1269bca5e856cfbac542ae36e808f1112ab3dc108041593402c5bf7899aa164f3b71374ab19264ca13aac42b3de6aabae406847

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
708020f1c812cdf8ffaeff324f6f0d42

SHA1
4079cf2fd2393f8e9092d779080ee74ebc200617

SHA256
6b6fd4d6d40d6261c4459a33c9b81f4ea9fc47312495ea485d45292e5701de5f

SHA512
18b8e5f0262f22c7654286cb3c43a7769960374604327fb12fd283f76687e8496167cd38443dc095d391d2eba98f75da915a010a5e2646b9eafd72d5aa18da01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
c03c9e6eb702d955036afbf98c46b46f

SHA1
3bc9f179456e1bf01987cf72ffb9ddf372509598

SHA256
cc26b362bd7f0776b40ea36eb0a1c7e1bad6de6580e901800ad0ef7b6c3fd574

SHA512
2e513df81f33f393e7e0f433291839a5e606d2a4451b77ed88571ad95f5ef0d24284457c9ff766836d7a7cc6b818a4aa495047132c93e0f3e5aa8717f74f99bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
76c7539a774878c839dafa34cae191d0

SHA1
a3c99bf13600deaa4a7196ead70897e4bc28cbe7

SHA256
1794f1555321a82a3ddd63bf33a0e35fa1023e36ea4a1eb3df65ac87bc01f8c9

SHA512
6f97d57e8d21ab89c107324c5faa5f57bfc711682c8ed8b022043e3d800bd67fe71a60b793bdd789d4bc8f5a57dd017b4a57505e2cae2e13e5e6abb7cc7388f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
798758853817c7f051946dfd3c13169b

SHA1
4cfc02e932db31c38dce7f4530458778e56cfec0

SHA256
436544fd25a7a845b7dd3f8c12094a25dce6222660c91529db2c2170331bf4ce

SHA512
2560e058bb1409f4947fa085163d8fdb6f9d07063ef8677da630836553a2b4f10a80f385cc80f13c06bf6cb9d5155d432d59afbb8353ecec98ec8577f4b0687b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
d42da5da6fb316b775f5b72800bef30b

SHA1
8fd8fe1183251726da5db5895be571e07d017c01

SHA256
150715c3b4cfe442bbcdba3e93ce0cdc097d8f6e8b1505c22dd095b524f76dba

SHA512
83bedb4d9b1d904915ad68b1ef2e4de2032e59942f2f1c84d0de51856f7b53604d4e1e2ad9c377d1fad6e5b9e466d95b561cd409e333231a22003981a7afd3b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
ae1d4b071eb31846a6813cae8bf6e3a5

SHA1
687b54f76506427c3b5fcdddce0cd4d37ab7d984

SHA256
b7f5ed89ab93d3534d8aa76de6ee350a171262457f94dac51acd4d1481c4cf01

SHA512
c914bfe84b2eb2b9b5ce895e3c5b9e99c54bcce78e0208d798829d6b2835e25771c1bc6681ddddd32398be45f32ddc4b32cbf28d4cb02041550a50adb45ac358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
54e5586d29c648764c93f1e97fb9d038

SHA1
e433a8e3eecac17a85751b9d562904de9033d175

SHA256
17a13e9b4c2f309fe07a06a6f592e7f276e110b4564d96b97c46e9b258997ed9

SHA512
df3ab4d1b50a4a3d12ded9b87cfee698159ec60cd9e01ceb2a81a3dbbadfbe143da7c46c775f4145c86ca7b66eb6cbcff59b405ecd12108115dc9ba1c3e26f8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
b71339f4ab5ae707863d7d370ca7f509

SHA1
dd731d8d0d06b601fdd96df190837e88faf11b32

SHA256
1dec488c2c2d4e5f6a092028cfb51ade63bb12c45d31297f379b2e032156a62c

SHA512
371c25ef45832829080c952520af4205b8220b7ebe5b01a40539d3fad0c162e33e03ba2796a49d4002a86a7ebebcfb18ce09845a666ba6694ee1d94611ec8467

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
92cc0680099bda575978e704698dab05

SHA1
e75605cc5cfed319facbd8b43f5b079170873739

SHA256
3e13c00f2a32bd0915adf86e02d3206e5847710aa802062d338545f3ce9098bc

SHA512
b915ca5561062ffebe7b3a632f8f728be9d2648b30082d21a175f004d998fb12a4dfcf3cafa548ad0ea7d7e6949649e5f2d8e89b02c0ca9f62468a03a45bd02e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
c49e708eda02b9b9ead6589e0c428fd4

SHA1
370430cf32ed6219860d63529a65774942a7e6ce

SHA256
de3f7467b5a6edaa2c748f5857e219af181d3dee4d810c9d3bba42753b398d20

SHA512
20c805e059a8fa6712bb124a85ea171578bfe8a70320eab57e53bea2b877f047f89cb88e09baf4c65c3c390550aac217770ffb7ace8d5e784c21c609bf34af30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
e4c77da258d516ec34daba26d11a074e

SHA1
333d81986ac1c86f045e800689c6b9401e120e4e

SHA256
8a0b9e8eff4c10d7afa05d1502f0c133c720c7f0a68e94ba6a920ed458fb7966

SHA512
0887e3d5eb0a9e4b317c4ad376487a9bc9dbe2418a434818180c9a68670107f5c90e21dcc236398fa63d5daf55e3b5c01647d7237ffc92310c13b8ce3bbf4bb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
09d37adb23c48636b303a3adafb7f992

SHA1
182d819825513f88ecbee1269eda325347e5e3c3

SHA256
fa3b8d658b50ee4736393fab1afface8d85374d39b834c0dccbf9a8b6598e3e7

SHA512
590f53f78b6d75428ace01682fb3c0131e8392e4450d69dbc21baa9c43be4d7ca6e26bc11253751a84d060f2a2bba43be99df9395f612233b0c79f68e62b4f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
902c74643809b364559c2aa4d6fb62a1

SHA1
1cb260b00cf1c59959bc267d4f5e15d88847ea91

SHA256
326153047a27b3cf8593d035b7325e627a7ae1acb3be23fe22ead62503b9f186

SHA512
404c3f99283685145793734f910cb43b2019f8975aa7542b7c248382b453cc29f4f6f5c1173d31d1043a50063da859f0425b5ede1f9cc07128fd73113255dcd0

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b31eb8aa546e677863ef494cba297859

SHA1
5646f373188e40f49b0040d92a9f557f962fbf78

SHA256
3cd4033ffacf364d7daa9a585c26e213d365dd44d0a306c60dfd3ab9863bc41f

SHA512
f442d69cc8ab43d09849bae7fbcacc30a280cdeba6187e7f3524d02adf0f1c17eb2574e6e340f5f4121e7b9370cb9c6c4f9b3d9f2ae9e6e5642d210ef1f4c9b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4a6772c5ecee4618e8e9955a6732f3ea

SHA1
97b33967903fd27d86997d9ce0386e68194e6a3c

SHA256
0d7d9071c33406d03af44c94ff3fd02a09d837bab48bb7e682d6b042311dc166

SHA512
91e52fbf37229c3d0ef05a882d247bfde2bfc511b1f7a137a1e072d3afa93e95d3c37570147bf9821f775f3075f89b80dfd7830de6a46fda3f853652c3940cc4

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
75fdae76d04eb1974d7145fd5277a236

SHA1
e5ad81b3dd474e7c96bb907fcfcb204e287b7a70

SHA256
a0cfd1c30ab3bcc593ce00796c822c81b53a7b4e4316790b01fa40d066f8ec27

SHA512
af2bda76864fe282dee8e6968ec9d20d5645b2efcc2977e5863f062f72f859636714020b62dcdeaa3f59389924dfa94820f57e4b2a91af73382384984858fcc7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e4a4b5fd68eae106af2b7eb0c84ea894

SHA1
d82bbe23b079a1307397c17700833b0946621e56

SHA256
9c9146fbcef7cdf420e6daac348d6a92d405115cbd2c1241fdbb75fe123775ed

SHA512
01cc4706e78eb0c4be1f03201652878eafdb97ab827e6d38170f0a6e4eaf04c6f5710b03778a76af060b9351879124a211754030f6cf381f6b97427f0272bd9a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4eac7962c02c307bcc66527f91e05196

SHA1
954d0c93c271cc9c3e0adc2efae46dc597377e40

SHA256
3f4b4a184be76d7131c642786782884ad9bde2563867d14b7e9d2fdd0b6e9177

SHA512
6741ec6079064418188204cd76923b5339b12be81e0b67eab89373badd4602b4a9340ffbe6399334c1cab105296114a1c8b8ab894a48a3d7af905e5a807b0b81

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
4f0012b1c666539b1d08574311806e38

SHA1
511feb435f66f41ae76a814ff9e04b438b89db67

SHA256
4ec6f43253afa6b83ac8dd4e31c198a63bc11906cb7029fbb3bce4aa5d3aca9f

SHA512
e2b0ab001e6a48570bb01de1191f00023a586123414d07eb3c678cfcdce59b9e817c0260904a6dc11c62ffb337c6522002e8bb991d1d6b1257dc843dfeaee95a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
27951491d78b1e9aed9caa1414f449be

SHA1
8d988fca61315eab474c4f899a9fa606be6883ab

SHA256
9c4fa95cc6080283c0d9560bc814f4f9a48b91ceaf77f0edf5ebac879b533ada

SHA512
19f0b4900ea12d67ccd2eda1fb36962dbbb21a53804ce36bbc998f9170d6678bb1fe4f14e7b6397c2408baaa478f2bbacda1ecfa05a239810ff792debf7f8dc5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
6d87489b326656725d99ab4c0412b5ff

SHA1
dfd3b141cb1fcb7d0caa01128bf3ec7f7fe09f87

SHA256
74ad8cf220750e41940f96baa3e7fe50a0651f9d1bac5478a659c7efa2039cb2

SHA512
bf8c35626245381c57c10f327ff5db1c5d0b0bd824790cadc4c906d708005100f822885da39f6aa2df9434d63800b963dc7eec1d7b055f9cc1d74fc55d80615d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
39ab4bf3e6ec80665ebb7e09cddb5380

SHA1
1c516c47f543d393587129c92b65860dd292dd8f

SHA256
aef099ce5c294289fbaa8704703e9e7c579f2d2c182a38272610cfe1d84fdc85

SHA512
0cc5549f28b9c339a4d375ba1fb32e2592d3a64fd3bccf334c0a9c94e32343bbc4e46fde2bfad3ee988f76085496fb68b724a011e3b4c595effca57ba7a40c8d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
67e832dce5252e09e0ecec44a9ada01d

SHA1
8b4f5f99ff1e8aa1fd44fc9341933414fc0313c9

SHA256
085093c3f8960252cce8a3b8596e7a498df131e2a1ae1e51977a6ab8c64d120c

SHA512
585261cd5cc939448e7171ec2310db175840f2c6db780e56c53cd66c509aded335c295453111a1105a45b400dc63cce4c1d49d2730341fc9654761cf494da7ca

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a8dd19993c641881777c013b0e074ca3

SHA1
a0817c187ef8c4e11d7b0f6ccd47def1e640d5aa

SHA256
c69c89955744b086a6fac758f7c1b36a723119ab38a3a7d3f425cb7d7345ee6f

SHA512
8ef5b56e15faca136ef0b151443604cd0b39af2373b0f67b44b65116707b2797dcebf2e2020efac2ef9aa5df71ccdf5a8d22646b3fd2e6e44ed547d0d3441cac

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ec128caa9ef03da3bdf982b7d95bdf0d

SHA1
96f5dadad072080458c85275c1199668493c9a1c

SHA256
dac6959284111161a906db9c688e0fb0d048b0468601253950d29ac75b5d381a

SHA512
3224e6ea7609bd69f845a7537f423a0482e0dc5cfdf8e1cb86b43cc1479ed691479060d6a7f550dd9302cc315079697f6d68b5731c5499a8cb1261fcb1fcf73a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
636ee46c72d3221361bf76b376423bb4

SHA1
3f34baca0e80bf6b816d450bc6eddba9f59a74d1

SHA256
5acee1c88e78a13363b58f2c7215df0503a32717a195e536db5e6f5618879d91

SHA512
92927ff974773fb6be156910c71dbb2dfaf3a8ca9172b54ba3cfcb6ce215290f00af34e8624fca88657ed8213d3fdb8a6fb86051369743d56c43db966593e9fa

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
cfab290903024010da16484ac506e4bb

SHA1
3b89fb253e17448634eaa57d03ab1e4ea8d95deb

SHA256
04282b78d7a1733ef70d4d3ab3c658721148411c01fb9990884922d59a6776a1

SHA512
aa71a5ae5a42b59ba7b6a9d2c2eadb865bdc93148cb04b43d249335fb0f20277984d3eff3bdb9f80995968280119df50b9f3cb29622f5b7447775467fb3d8fc8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
19d0d2f49913ad21b169dce83204b5fe

SHA1
7a0fdc00a24d442a89245d5e59bc4d77b7625eb1

SHA256
9b3779440c3b354ca71037f68f3259069a6344965fb4bd8a74fa40df8ac05742

SHA512
3da25407c3d3adbd4e22856795765097e64f129c8e719f05b58287b8db590d604b0418952a027add992c95db42a8042c3232a9e9b409a75312012d60c8dbeab8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c38f901043d56067a62081ff10ecd051

SHA1
0f38e21bc81f6d436aa92b2dc7e146988a5d4747

SHA256
9d9f2744125620391121d5b0738fc5c4ac46e090087f3b9ad7cf551eb0065b11

SHA512
44992c190050e282b5069e06cdbd765060a9b200575c7753e6fb3a79e5fa90156c06b80bc671ecf6d894afd651b60d1243fbf66f1d2830efdb62be661bca94dc

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
29da504bef1e35e7e984f76d147cf7b9

SHA1
44da6424800469953c47fd1a91fbf22bc5099ea1

SHA256
27755f050b882f9c44818184fde8c77414559cdaf4eb39b455d31a28ef9089f9

SHA512
dfc1df230930b95979fbd14697f76bf36f0abd538e6366f2733a99bec8357b562199dc24541ade876e01cbe2cfc37d95eeaf2eccdcbef30b9a6dab696212cf4b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
268ef89743b98ecee91188971480d9a2

SHA1
b3ea85cb95577b8cb811be805745859f109ea383

SHA256
4f2a7b2fb50d556b34c2c77a91a3164cdda667abb7e3724ad2aa1ce4570dc982

SHA512
4d939e69def76137784a5e87ce5044e5b091ddc6d85ce5e2a97d1e685bf630ac0f9297c130a39211eec2e1e391cd4bb8da5a134e81b27cc26cf319d725b911dc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1d2f281663f09ea1c8f674545e41a691

SHA1
943ebc3371eeb604e16175fdbfd88f8d3ecd9cfd

SHA256
2418cd1192a6f13c66e2696b942930a5c6e0ea5668f1cce67ef1f4277fff2aed

SHA512
388dc5caa28b917cf317481cdf9e888f756f60231b4b52deb2ad02ee460556857ec1d2c74fd074d67ce2f98531c6cd070310c5cb633ba56d87b71fd11d309811

Download Submit
memory/636-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/636-64-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/636-70-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/636-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/700-614-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/700-432-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/920-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/920-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1076-253-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/1076-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1076-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1232-521-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1232-332-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1384-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1384-522-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1468-248-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1468-360-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1468-242-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1468-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1672-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1724-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1724-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1724-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1724-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1724-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1760-293-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1760-410-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2016-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2016-33-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2016-27-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2016-26-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2312-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2472-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2472-398-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3224-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3224-399-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3388-444-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3388-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-435-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-607-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4352-431-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4352-303-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4640-387-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4640-6-0x00000000021B0000-0x0000000002217000-memory.dmp

Filesize
412KB

Download
memory/4640-13-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/4640-1-0x00000000021B0000-0x0000000002217000-memory.dmp

Filesize
412KB

Download
memory/4640-0-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/4640-612-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4668-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4668-15-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4668-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4668-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4692-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4692-608-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4992-264-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4992-386-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5004-361-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5004-609-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download