a48a954bf4c191bd5acc07eafd59ca143266167a17e884201cd410e99f6125ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69e585f8ae5cb14edca4183d52e1b2c0_NEIKI.exe
Size

699KB
MD5

69e585f8ae5cb14edca4183d52e1b2c0
SHA1

3ac0fdff99e7b992c4720feb267bb46a5d846430
SHA256

a48a954bf4c191bd5acc07eafd59ca143266167a17e884201cd410e99f6125ae
SHA512

9076f08e8ab06461006d78896ea79ef51f234659e1246be0699aa49d9fedff84f088d0c81623c1d408b0dafd797ffb302cba151ca0d1b3248c5aaf77477f694b
SSDEEP

12288:yDG3tEGJMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:mGySkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4760	alg.exe
4776	elevation_service.exe
4612	elevation_service.exe
2824	maintenanceservice.exe
2096	OSE.EXE
4952	DiagnosticsHub.StandardCollector.Service.exe
2436	fxssvc.exe
3696	msdtc.exe
3492	PerceptionSimulationService.exe
556	perfhost.exe
4516	locator.exe
2596	SensorDataService.exe
1036	snmptrap.exe
3384	spectrum.exe
5036	ssh-agent.exe
5108	TieringEngineService.exe
4400	AgentService.exe
4888	vds.exe
1492	vssvc.exe
1620	wbengine.exe
2880	WmiApSrv.exe
3456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	69e585f8ae5cb14edca4183d52e1b2c0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dee88cbfad45b396.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d291117c34a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000087ffe7b34a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f17a5b7c34a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a280df7b34a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8718e7b34a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005259d87b34a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4776	elevation_service.exe
4776	elevation_service.exe
4776	elevation_service.exe
4776	elevation_service.exe
4776	elevation_service.exe
4776	elevation_service.exe
4776	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2868	69e585f8ae5cb14edca4183d52e1b2c0_NEIKI.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeDebugPrivilege	4760	alg.exe
Token: SeTakeOwnershipPrivilege	4776	elevation_service.exe
Token: SeAuditPrivilege	2436	fxssvc.exe
Token: SeRestorePrivilege	5108	TieringEngineService.exe
Token: SeManageVolumePrivilege	5108	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4400	AgentService.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: 33	3456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeDebugPrivilege	4776	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1940	3456	SearchIndexer.exe	129
PID 3456 wrote to memory of 1940	3456	SearchIndexer.exe	129
PID 3456 wrote to memory of 4340	3456	SearchIndexer.exe	130
PID 3456 wrote to memory of 4340	3456	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\69e585f8ae5cb14edca4183d52e1b2c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\69e585f8ae5cb14edca4183d52e1b2c0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3816

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1940
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3b1b19eaad4f9386cfa36d088b88578a

SHA1
5be67883de6dd50bc6f91c8dd8a0032bff16b9d3

SHA256
3090f4e2159b3387dd81e55fc64a144c885da76caa723877598c7aa50efbfe98

SHA512
7d2300a902cb83692ab15a055a9b1864af7557e6217824be02afbc5002af0ecc2c602e5febfb3f42620be9af9ebb8c3b40989fe6163c4ed39466c39706f63c51

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
528f2c1187b41290530ad2f8fd2b0765

SHA1
6595062a3b6ec74783d205b6f66061b4a09ce95c

SHA256
a557e983f59cf2beee64e98cb03f0170789e4ebc6e84ea88f5d1557c1b6433bc

SHA512
1bb041e6e2e4d2e5f13abab7c24bcba9e4fcca896d4adaed892c52f51ed70e3e1a463de3e74e776e96e73253143adaacf98921c56e0347e4e489dd09b4026ba2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8086fec4db7efa382a95a984aa8e84fe

SHA1
b2a64fddd7d10d6b50ec5dd48294218b3a923083

SHA256
5f50295d5dec4d6539fcfd29a681f3b726901d8c18951953a5bd088b359da1ba

SHA512
f0707d4131ee92b6dd4db212d830f48d3c22b3cc440c28371b9f360c266b20187a9a11b72a3b90b0dbc60e1f381b6deef8252258361aef9fda3da363a2882462

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ac0b3989158d04142ca9f508234e3220

SHA1
574405b11f2d58a5819a8a93efcc264d44498c35

SHA256
565ad3f01f95b3eeeaa93c95d9a9a024f87c9407211f62d33e54345bb2cabae3

SHA512
cb7f2aed84eb2d767077c8e60ffcf4c7299db3834d2d9687f8f58e5feba7af67b3a78543983cca8375f52c70cd2c2342391554634f45bdc56b2e5f0e4dd78cb1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
733219c015d531306c9064361f7d4826

SHA1
3e83fc552db15dd0cdd3314a911650a770d9426e

SHA256
855c054781983c9b0ff3d5d21231c6040995f6aadbc377615e57324c5033b9ef

SHA512
5868c9ffde136d6fe46f4d2b65cd1f4a5c9b70f9251b499cb36ee0a7259ab7cbd624c4b2812a84e6261544a06218c7e7869289097efd4c59f79ad42d8074b0ee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3028671c8f74b551b84605860a68fc08

SHA1
ec70371fd1048e6f12ef58bd1a3960ebbdde24b3

SHA256
95cd856ef1fee566894cef7f8abe9fa888791c2940493ccda9370c30556dc62a

SHA512
4bd7f1dcbeb19864b2726ab41fa4c62272b714a5bdcb82a60201152741ed82e875fb77d2b2d4860234df667995f8daef75ad67711dd716894f621e08a861c65d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
04aeec12070a24ea69af6bec2152de33

SHA1
40326fe72550e5e4daf02f011521254bf6d850c9

SHA256
9e8c41124c5e540eddf433674f147d69e1ee52207e76f64ac13c6e68b650c905

SHA512
3ae79a6d47ea11f79fecf93b60c21bd8ba9ab9e6c63719ffc656de29ee48761d8ce2663d0360a57f87642d6dbf49ef277da6f7b843d49c249b95c4c0f36a8293

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0ac5ce8ced0180d3fb8a28046c30e711

SHA1
3fc8de8d0d486ff272b51846c30f84b99602a0a2

SHA256
9b52b01edf84c0499b15c592a705c37d3a27aa992d0ed7c8f70fd94d64b9300d

SHA512
2b9a7520594f91bb2233968e37e5a087e7c83c54502c0d17043f9dddb4037072448b3401f12ca194cb1d47fea9d53889c09f2c8c402cf5eafabdcf4b8407a9b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8fbe3bf79e2036d35c18fa5bdf11be91

SHA1
80a4f1bad11dd39a5ad7a7829a7da7c1d37436ff

SHA256
fb8f7aba01db7c712bdd4becf651608544139f401539729bb16f2ef70cf2290d

SHA512
feb7a4ecb2178eaca8df05beef0832891c446998dc3e214dec5f46b979ad7eb94c4f894c25d4b8af9c356b63711fc8d00c5eb2886bb17007acb091493ef9268f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
27176855dd8bdef544b8fb1c16a76deb

SHA1
a7cfc0295a76714abe07d28c81fd01443bc00a1b

SHA256
de55422f6ab0198efb9c25c2b258f404150069093fefc6cfb695731aef89ec6d

SHA512
265565bb10b3547df65fc5c3125bf09f5481dceb3ce36a4cd71db12ddb2a1fc9f77a7983d13bda5eda4635448a76b6f30594734c80b520afd3a232e734a9388d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e22cadf6fc34b9bab08046c63247ba12

SHA1
8e67192155439d8dd8db7fb4953c18178e3efe0e

SHA256
6d69575106cc15f83d7fd6f667f36b03616c21ef90e7ad67a1f47c297980473f

SHA512
2b643d7f1984bb80e53e20a3deda8da1f1a29db5fa9edf30e9b0edb67c4303d89e3de6ceb7229b7f5cfb22914b79795cc9d91c2628c48f6a142437bec9579bbc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
766dd4850eef57b4612e543a9ea31d3c

SHA1
1d5441d24220ac44e5b209e24025ba6ad3c21ad2

SHA256
92d2230c889627eaa15c583820c6b170299ea886b19ccbd0326356d326ed8f4c

SHA512
86431672b02a04c950f28372e856f7d1850791e0411c63cfb306460e188eaa1dcdbcca9da13f1765f6fc12c29d3859a79e78e407443c8588b5c0ddcaf223845d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8b705e6a099465e87602f85678042dc8

SHA1
a253e222a083ef3c96228f807a4e6f9204f7fb0b

SHA256
0314dc8eb7f6a98933f350888fec0f7a6f5b942caaa88e00efd05a403f607f6a

SHA512
cb14a089b753a6dbcd215815993955ca6267d6edf357fc8601abe5c433eb419f3bfde8ef33e9af19db1b0f043ff21cd6e2de624ded2c3d138dabd3fe45896683

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
61885355f4902e34e1d6d36141782f3d

SHA1
5c449816f7538c635285676925e5e171a5f074c6

SHA256
7ab495183984ca38194752b2e9d1f982cedb1cfc3c7de75d88c5f1b644158623

SHA512
0a8b685ca84a0c8af8056a0e6c2dcf18b9e39cff85fc57d77b0aae6b464d829114ecd0715ffa40f06e240b5a11e22ba527b6a4917217d9e36f26e9f1f80d2418

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fae770d15ac4bce5f58264a8107e3cc2

SHA1
07dbbe657bb8f43889eea0ab61de25f8b5eae42d

SHA256
a3a337414cf977cb0edc1522629052877cafed971c134f3d486425db72999da9

SHA512
2dd079742a0e2f83fa6b1ef0fc8b9504affdc43050f11148f89057128b04655121142d0a9778cfd66780fb9813c276e948ad25f2bea996fa18e870e218921e0c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4dea1c4c9a615b0b0b261cb0ca3ca50f

SHA1
8921a122781279919a46ccbec3cd1d8a25209240

SHA256
3e884b6c0542e5cec0905b651e585857512ac6f4a9c80af79262143301fff9c8

SHA512
87bc0d3969cfb190be55087490927f9d777d1e6145220c382d6c1411c85a30f670e314699e9b79164e059dfacd5908bfe60deb8b955049b8412154d387c49021

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
42af04acfd4ac91c2c8c0262ffa87aec

SHA1
b1c911bdc3393db5f42449025c3412278f3870d9

SHA256
dd29522592d27e20fe88c2f33a339cd5bb0eaf816fd1327ea56d75f088fc2d50

SHA512
d3ec9952c53290b557f5daae7b7572418e36ff93f559cf4bfd429e280043fd7cd984c347b81ed96617ea9e166676df1ff2696d91c735ac9ed500c1adc6ebc2b9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
c8744bdcc80cecd7ea37c8744f31cd21

SHA1
c2dcaa2c98a71dfbd1c696591d1ddca4d6148939

SHA256
2d7fb8ea82d0943d473236fd38b351af26bd1f801f793c6df6dc1f2746bd63b9

SHA512
f0ff7e2421066f78bed53e5983396cf0b96c9f0b231f3fad46437231f122c4b7ee1d395c63eef04daa12e612d37118f185df1b2aada1abb077c83c53124a317f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
829f59f705da2fb49d038e00dd47273e

SHA1
9d734af4ed7914889903ddbf704cbbaf7e1ae6fe

SHA256
4d34090e41c722b43c0034570607a85aaf3d66d7749bbc12d775da5086ec16fa

SHA512
2770ee7e15a2fc41df5ffcf2c02fccf9286378b521bdee06068e634fc84a536107bd49ebe60ff044af9a70166f8aa3567cee902f93227ce162e69959818f49fe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c453ef645634a897a6be965a9643f60b

SHA1
f284b271c058d6579aa735be62c13b0fd67bf634

SHA256
808181df8b4a1a40e1a54b6e7d3e0a6aa987fadd069a39a7e0b2d3937f43227c

SHA512
e67290a0d06dd3e9b1d587f43bba982a85525b4a4fde59d364d16e5c0258476b691f52b37faeb9fea1ee76935ceafc5d6de050867398b667124e067578c2652f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cf6017f441fee62cc81b0b79df8dbdab

SHA1
6e4a35f4338ccf4b39d5e74ad4f2571b6ed1653b

SHA256
31b3fc814809b107a70a0263d146f3f0f43a68fc485a7d489de9891bf315a251

SHA512
f95f36e42f5bab94d49fb6e12be01e5b17bda7ceb9efa762bd9aa2cfaf5e3821674e5d365f2182db5cbbedf15d2c1d8a074e333a3aa71adc4a18d58e0bb3a7ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
51580306feb960902f9b7a55c40970f5

SHA1
2146a3b63631edf9b618777cd85ad7d65e893939

SHA256
190f93c3dd00e6b0aae2c69b5f3647ce6545acd6957de3b2f437fac5a4f0f2a6

SHA512
562ca6fd0a33ae9a574453b16e2e2eab597f10cf5c8fa58ff66a3bd760b0e6e2377a441ba2686fb20631a0c597822731576db21f1d016c4e113727c6a67d105b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d388d14d74fabcfe87ee4f2689719de3

SHA1
c902314c5cb3cd9fb452d9dc7d84c14e2c459fc7

SHA256
13cf560ad621803a1f1c2aa95943f22b2312e0aa1f4e275604600501e3f5b51a

SHA512
38863383f73488c9ccfb2166d0aa86bdfbbac2005bd90d69c299fed3ecb94a9b6f80d08e7ffeab63ec63c343ddd15dd435cc679c1cd6f3783adf18897255d19b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
20256605e89b27779714e8a5bcfa98d0

SHA1
5644bcace22d37725fda8f7b9f5ac1d650297192

SHA256
2fcf2b838e6f8bab4dfd6ed9520d5c41e1f0d6c227629380d282ed8f577a84b0

SHA512
71cb5e72012710fb4845df4f9e150dc05e863b32f3daaec9b9418d05b943bb9f99d2574d3b0184da4fbc2ebb7c7e9673287d05ba96942316a13eb1b3849210c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
45f799bbc0098b8d9578d037faa2ca7d

SHA1
bf453d848759e26d77c9e94b42294401b3e61484

SHA256
c25f378aed2317c8dc258fb29c48f412faf371946cb3507ff328c2d6789561c5

SHA512
c4e9ee7b1d87e721283a10da4fa76ea384de902c4796d0c2ca2793056663b9dc62cb4d60a490773cc5cad7b8018497153ddd3694cc156c9d7d91937a7e91e21f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7d7d071f56708846e713dfe56394d169

SHA1
6aabfe2b74a8660bc28e9740851e0e1c3befd0b7

SHA256
2555df8b879f8d98f1657c10056e6f29f99de250a22a64627f9e4bcf2b7d4b92

SHA512
616b5fd2f4abadf71e6343ea3f857ac32b1be5d2ad5bc87da00e13629ccecd72bad75b16b3ee6e53849ea35c14981ceb5e6386622257a20e19f50ad9fa4ed99d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b0e529c93dd03abfb0bd66c499d57039

SHA1
a441aad545efec4e576dd0f14361bf7b09b2fe8a

SHA256
b1b54e11fae2ad1830af415742736a0a94663556fd9e607380e770af4978d2ee

SHA512
59fd025a8c5df27402a3b23a064a40f73816266a3b2dfd617c8858b3b4c948a2a6e79805858471c1f1dc93215ea9f9350c0e4dd514f494540784374a1a0f1e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
27ea57f0ec96aa63be725f1c2e6539c0

SHA1
e64e9047a34ac2624d6e18d4f5c89c5306000de5

SHA256
62800ff5609923dd98c9836cc58f7e40ee4b1537eadd1bb96cfa67f17391ed34

SHA512
d1e0233c1a86c91ae40aeffc6d372f4016675f75a0fb647218f33798dda64024c08582709be2f780da064dbb9509a99b884dfdcc2fc9824d64dc2efd16b584f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ed49fbec3134518ecccea45cc71124c7

SHA1
3d7314fb8e66197cba2546426e10ca425fbfd361

SHA256
809a8e138777ee13db257780763ea08d7f978335e7c5d6fbde52e9be0f28c40e

SHA512
04a77094ecd81ffd17220c8417a550cd7d4535a86e1efffc6844fd359c9112fde29491565644c17e4e474806c7ce3de6edd158366511c73f578e539471cd599d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b5aad98f9df2f247e78985e365c2830c

SHA1
ab0f040aaaf90658d02b4c7e1601dd0f9bc9f987

SHA256
b9cff9081e47de60dd6d8e425caf6c13788098a0072456fd6bd942dcf03aac6c

SHA512
38ad8e097aa9e60f04fd67515d231e8585b5a95da9bc20fcf34a30f1bc7b3d2d22df150ff9b143eb51dbbb046fd80e12b1bcc7e4efa4dbb949260b8e4e59bf1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
25bec8d65bde5672ce04ac139c66fa33

SHA1
d3bfe3e538139f3f241a97c9780d9df39dfa34b5

SHA256
67a91adac09d7ac2fa016e1bdc531844562f902172020929729afa18aff269c7

SHA512
2ecada8acb30f874a40dfb1485c671fdec9c5fb368a1c3f2c590e762686fefecf759c6486cf17dbb2acd8985133ecb8433ba7beaa1a60553c1b38809a7d80d9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a99ba0eb2d84ee721ec5146caff71858

SHA1
a842c27446d8136ec13ff7ef20d6fa3c8cd739c3

SHA256
12a242486b4111ba5c30eab3b50d70dedc85409fb89524ae6116fffdf8d3555e

SHA512
2cc26ae43c747cb4d968e424427430ca286ba976caa8a8f9d3faab77f5330f7fda25e07bfafc10cc72f8564f53330e6b6239ac4e3d9a2203d7f28b5f116fbfe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f9e99a5fc5e3012cd0efaf5a6a4aa32b

SHA1
ecde349cc0185416ef632edff3bfa7ed132c29aa

SHA256
d97c8baaab8c8d4f37845380c6e6355c28a44c435931220790456a176fc1548c

SHA512
276acaf3188e80c1a2770334d4281f36ff3a8835688cb87c2e1ad92196f84c6564237fc02149807cecd6b7f21df9f5d51f6db06cc7a872fe17d7a9e0482156f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6559236f686e91c95a75cc74ef3b16dd

SHA1
279f7c7cc211b2ed1daec60009a8a3fc7f50f3ba

SHA256
ef757a6f0332639e6582c3e318c514cdcf407310fda630611f2034dba8204794

SHA512
326dfdeb7c8cd716f1b6c1032351738b46b08b4513f2aef8ad6c95ce858329e0870c561f1f85637ad4b6d4f1650408db174b6c52057661fe5e5f6be42c27fd51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3a037f8d3f4bfaab54b489c672733746

SHA1
fd82cada79c59ed69842359790f9ef0ceb97571b

SHA256
e13635a46a823f46970f8b7722170211314e7ff347c1e246b93f7c6d7b798625

SHA512
61eec42261b5297dd868b3caa8692742d2e9d14aa9d5003d880a27eca3d4a7818da026f39811da99bcd42bc8b8596d82214d6777cc6e798d42b85407190c186f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6c027aff2078522b0dc39c31fc123ce3

SHA1
115c86acce97a9ea1a29ba6e4bada30999013d60

SHA256
e53b1e586583dc7eccd4bb67ff1575a75333fa901ce5f7edda36527ff701aefb

SHA512
ddab8790abf40be6f73ddbb90f458fe0c68f0caebd745bd017d694dd8d0293618a1eb06bc0c87a19279f298b85aa5d210f3bd9ecbb1b6040742b762b82acdec0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d6f2f2fb66321d26fa0620f5895656b3

SHA1
dcb4cdd10ba90115ab0012eeb04d85d85b35fcfc

SHA256
b7b2b6cc1e007057e63d88d0be95961827ba6116d0ff22c729d62e16ab050bf1

SHA512
f16bd442d4e9b9e9e6028a3b59dc48adde896667c34fce5852a97cab7c7b3489accfceeb7185e25906bb7a77ec767bbf4c23517e3bd95435c21ecb45e4f095e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0d412d7b18233c21fad8a715e38cb4cb

SHA1
c6f74974b30b565091d506c5dddd8d2cc47c36cf

SHA256
670fd9a2af264ce38e16a78ad9264d78831c12d0a503a5e2db44a90dc2aa667a

SHA512
f70d10b3486b5267e06806e408c1ffe1aa89cfcd166682c9c20a6c8c42c5eab06b02923f795fba3fddae07ef4f5a712cee5c688d679e2a396e29b24caf293295

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
e074d7b3c02fbc6d900d4fa941563d57

SHA1
a0a9623308bc9a76e6de4356de217e01e445f0fc

SHA256
d8964955330fd1a7a4c48bd9f32320378501edc90948f233fa24a9224991fcc5

SHA512
372b938930372cf6190304fc536476858d9ada5fea1c530c5f6777f897049d3e58424a61c8c11b1973764646d76396028a507741b808e02fc4099bad6cb0e788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0d204e239da92bbaae6974733a69fc75

SHA1
39ed80a486785208bbe5fb6b8b84e9e50d45dd04

SHA256
8261ddbae193e5a9384ef05d6512db4f347edd5fcc5a9c02c5fc05e146263ed9

SHA512
5ffd28e577f524672db94dc5995f814b8db8b78f034457def545a313a2fd3d93561f5248fc125dcf988f772133c5033d8e09e497bee717f35ee45c9c0b63258a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
c359de8df6cc0c21d1264562573ee78c

SHA1
4fd3f78cbdac06b8a63d93b20b3821ab098ff4e3

SHA256
c35c2b4a4cb9c589fad75c37759c43a8de548b9e82628fe4a673ad8e1b3e5c67

SHA512
2f9a017ad60e88874fbef02430bee622839353ffe6b15c37e16cb79d8346e516e36c681adede28b14043b055b79a2f45b032c1b2f803d0027e1bb93b77b4d5aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
b84a67ccb089b905a195c6520777ed61

SHA1
5040c0be62b9821f7ff7035a3a13fd7464e6f706

SHA256
731231cb3ecc2b9bfdc55d7ca9ac795f626e4e45aafd0c5bccf3db7161fab812

SHA512
dcdb81f5f863dbcf0545381380caf2247e0d7907a642f2a7597441412443f09ea564e9d73733ec1040b1ea1879081e6c4baaeea350dca31c1f50303bd07bf909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
7c5f7ac0eb078dc4eaae26c160de143a

SHA1
66679e7169c4c12d7525e25caab497a370d0c5d1

SHA256
ac8c6bfdd13263cc7b673d30c7e0c2b0380c71c6c4cf89ff1048202f4f72d46a

SHA512
d3307b2afc993ad505b67f45036fd9fb53a0f050b1cac001c20f5397994301327291d1d4e39e496fe35705167be921cdf30e090e7a1c988d8a9abb639642993a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
52ed50516b7dcc6889c621fc08ec14d2

SHA1
478c2096a21a7adbdd0f38be0fd63b9826fdafce

SHA256
384ae94f78b40b2b8400bcc733568f58061966f7856ab381ba24a8edb4fa25fe

SHA512
fa5bcd446bc216269e60925b501e7a94718a0f2171113a9ade2e27d69b685c82fb62466dba9d5dccfcd6bbce510718b9d7c729981b466182d58fff5678167507

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3ef2adeac8c3b05ccdcc0a66ce6109a5

SHA1
a5ec3fd3c1484e7a8738f37e29879341bd2ba5aa

SHA256
000fc1d46c84674423dea037815ed038f5511507547de29a53eac772e4f3e8f7

SHA512
2fe8a6332fecc8c723e20db9137956d05295699c7f8be19bbe10a9bced05ec1dea276d17cab54e8f749d6f188e0decc923f8fd57272f73e1d4e52faf85c27b66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4b894f97860a36a8e1906579271f2b48

SHA1
bbffa16ff9646ed5b2d64d8ccb1f28f79c0b4bf8

SHA256
0a4c7e3698cdf15f2e9aad274b008a748e35d877f4006286bc63ece1b9d5f7e9

SHA512
477e0ba1c486fbdb2a1089ec700ec15f2ffbf80cc432372007319ed6a5a9897a599ff47adeafbf114aa93931925d3735a497934f95c90840d44a29e57d09eafc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
eea5fe248a360135662bd165e53bf411

SHA1
ae06bea5687ba21f0ff30f54ad8822a2b62819d9

SHA256
b8d92db3fc2e764403b0c5bcdc679bdaf4cf64ddb5977320f70ce672c243f9a2

SHA512
4b2899db64d691350ed005558e0a15fd1bceca8ea99f7d202d2840dcf26e2b716ca79496da840417771664817c0904ca0acee79a58786646b0f3881b25bc29ee

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cbb0b8d5876d951470f3b7a6315ff336

SHA1
b14a6bea973176f0e5818a28bbb4497deac3ef15

SHA256
a371d18250dad8e84782311b36c4e793af5d858df3de9a8f71f2a8a4819e76be

SHA512
07d72311e7c8b22e18f7aae0be78d2acd153af8e309fdd813cd501ac5d640303baf13b0bcdad906f377740a76a90ec6ba575f65e4f4d51001479fa6d9b19874c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
364d6d3592269493fc14fcc621ef288e

SHA1
35b7d88a07a7f878d18f72cb229b43e8183a7d18

SHA256
947ad992829ff13bf7fa0866b933302389e5d804f2443171ebfb267354d2ac99

SHA512
952ea83d88e3377f699f31a98cb83ac3f0be5089bc4e4ac6e92d74c6259c23806980056f3c4db58be66fec1511db6d77dee499a724d2f3e76a8cb5d58690175b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1da152f4d45cf8b68738e1aea91b5fcc

SHA1
36f9f5136e4937babd0c133328ad8457e8ab8bfe

SHA256
2d24177c53cfecbdb2f73aec68438714181d8e14936908dc716ebafd4331b739

SHA512
fbe7c816fbc915692b8365bb929548cfc210c0e917fe34b41fa57cf9bf139b0a0d69cebf1e1e480a97965263554518a330b59c7b2f432090a77fdc499a1dca34

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e3706ee67140a9535e471a1735564bd1

SHA1
e4a9f5e71fa364ffd23c8970107246a8cd93ab60

SHA256
083cfc55471ae227521bfcf6bf64d1aaef52314e97eb71b64cb580bc936503ae

SHA512
47b831e8bd96d52bdcdc04d7f808a797195efb99a23aa993c2f52898a788ea9a9b3354a04f7635a8e9248ec3b585fec6c15eee3758453b0e5208da01379bed96

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f0725427572f2d85534b45a0095f5e42

SHA1
64daeeb4bb0040217f07ce41c5a3f1e2df83a46c

SHA256
afae1d0c09f1e6f5026d1bb5afb5b6392edf835825fb08db2ff9747ccd991f0b

SHA512
3771fdd7e0d2e6a02e62417517975cce82280cb5974c9c7af5a0b20e3fe071e809c03fcac539cfe5e3c6299ddbcb941bb804853ed9c41ff58347538b5b88ddb5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
36e294b829ce41a573c04c1c2ddf1da0

SHA1
a5b827bb4ccee1c79f5fc86467a7ca53e9517dd1

SHA256
2f6133c1d452ce72b954150cb877bc6c4bcc4a3a43145b3525f856397a623ac3

SHA512
32f7d111a088043ac3c85caf3d196ae273151f6175593afc3f0a0dc52e004f936935152ddd0eb885eec357ef6c972ac72b4c0e3f34aa3b240a7cc5bf3eadece5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d12f51448c97e0ffcadb44fa4540f693

SHA1
eaac95db32a2c4a23ee7c63979436e3fb5d4df06

SHA256
8cace261642959e768a1cab598816aefb7f0c6098a937e396fe7453122a32626

SHA512
117086de32fb8ebd0b9510a8b6d3c9b0b9afbb79a30fa9ce3fec0f7e1cc19ee4ea4e7f9f37f1bc987c1b1a7ffc689835334822095d8d13bb71afe02c20c3af2f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a9ed0f311fb0776f2dfd575825ab2fc4

SHA1
347ecc1f859a160e88aefa3dd51cae3d731aad87

SHA256
56acc4b872a1d1e3e475c0effb129b1637bcea99492640d515de23082c624760

SHA512
ce374bb6456902641b6302925b173647ac5c144a44da3c4b594097716b4d045b446d6d7969bad523010285fe795656832a5691fdc2bbb384e37722dbdec0f32d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6376c086985f5fc389b184d1f9496108

SHA1
bcb60b974c70ea7068a7ed92eda1f1df1f976255

SHA256
eeaf505c409ab9667c33edfa030a15c8461b3e37cd6bebb0365625f9443e7b65

SHA512
30eb9ed2637bf532b09f9fae3986d260921df358f57843e1eb9d1f3fd601ac9e85775b4bced9472989788eb4b7a91960c76e7726b28f3f6de4e9443c0938392f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8f6ef4f7d680eeb514f3bbad0b771aa9

SHA1
05d0d78bdde869da9cb55567fa3d2d5cdc322b87

SHA256
e47a445855ac0632fb65a38b145c5dbf36b60bd26cca2c2ca0bbffc9166e751b

SHA512
2d0c23cdc24d999ade4270fb098b4946ab231f6c484c8b7913f75ee40d0a7e5bc6000a5801e0be169569c450fc4ce6db535210c2c3381998a3440fca10b83084

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3db41452e03787cc07e3afeb79004de8

SHA1
7e117bcc0f23f476d4e25e705e1e44d24b172b42

SHA256
679400f0b9aff2246919a06af229da100630b54aa01063b4b0531b52ed09eb03

SHA512
dd65cfbbe8ac943789d330e46a848f4ea92a4013d27271b4d74a72daff160c747042f6a74c467fa4d533df84a6e835267ef31359ee0a9e990e11ee31c0be3c90

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
68d0b38f118538057b82218a8215c27d

SHA1
0b3b2e02c789eb115cab5a59872ce3798230b6fe

SHA256
33adbef49b5d9c6a71aea359e72f7d6745465c3510433f6c0ea81fed4971321c

SHA512
7c239de5628cd5f1a4adb9fb0a360908c08a6c4623b784af489604b2d359a051aefa4a19c0421e654482de525c2b7976029986b0ad27ddd8f9bc603c7b51c9dc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
861b062b3f9e5652a86c044d31cacd20

SHA1
f5dab58d2f5c32ecde5366f9300d0017cc7e69c3

SHA256
2d21ac88b82a54cfa15a1edb7ce152e72bd5b0fcf94e7a2b96ebcc61898bc30b

SHA512
aa89eba14c867e81c5f17aa00b3eee4b53bfe8590aafd238dd3f28c75e634f2f540f452d0ef1d037d6c7ed412c87056a69aee48dbc5837e3fe4eb114f623cf69

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2d1cc40b5929247dc965a7049de014da

SHA1
2c0281450c4130efa02370703d7b786ca22264c1

SHA256
1d98aa83b229edc7f47656afe6062fa621e41b10648e68b5e04fd62ef40b2e37

SHA512
2be3d15b732b62edd53d83e2af19489b80aeba593ba67d332bfdb2c840b6e58f965c2933679a1336b6ef83698fbedb2400dd219fbcc6846f7d41a1624a330f92

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4017f10bf1bd89c0e951a66138621c18

SHA1
e02a9c4cc489863c67041d10384c89a8fa3f20c9

SHA256
24d26f99a058fb6bcc3d1a34271d7d13e75e989626e9672f3cd6d7a0cab546b9

SHA512
07751daff0a30a9ebc74b45416c1d7799622fb1c9c83c3f6dfdc3167472cabf7da7467ec0f91be19b90a3c21953e70ff560964d6f51a6f9f60f7a1f863c42657

Download Submit
memory/556-292-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/556-409-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1036-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1036-536-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1492-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1492-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1620-601-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1620-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2096-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2096-70-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2096-64-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2096-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2436-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2436-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2436-252-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2596-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2596-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2596-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2824-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2824-57-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2824-48-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-49-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2868-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2868-1-0x00000000007D0000-0x0000000000836000-memory.dmp

Filesize
408KB

Download
memory/2868-6-0x00000000007D0000-0x0000000000836000-memory.dmp

Filesize
408KB

Download
memory/2868-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-422-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2880-603-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3384-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3384-585-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3456-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3456-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3492-397-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3492-290-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3696-385-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3696-266-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4400-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4516-421-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4516-302-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4612-37-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4612-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4612-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4612-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4760-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4760-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4760-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4760-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4776-26-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4776-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4776-27-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4776-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4888-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4952-247-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4952-241-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4952-359-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4952-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5036-594-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5036-348-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5108-595-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5108-360-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download