c6d67eb3f6f7e7667a150e148d90549a37ec1c5fd8b78a178c3d00e9253494a4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c647adadb08d59b4fdaa1c1a10e1a0_NeikiAnalytics.exe
Size

2.1MB
MD5

18c647adadb08d59b4fdaa1c1a10e1a0
SHA1

0690a892980a545417ae455a26687e0345949d76
SHA256

c6d67eb3f6f7e7667a150e148d90549a37ec1c5fd8b78a178c3d00e9253494a4
SHA512

17653b998a46e798d2a2487f955ac6358a6cc100fee102eb8fc350a871d08750727e1a0b4e2448e310a0b51d1cc7163d9e9ede1842dcee355038555e17fea16f
SSDEEP

49152:4AaimdzYtiKX9G4i0awIlrrE5T+HblI7a8K2mFhbrr:4Aav2lX8VDgelI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1068	alg.exe
2956	elevation_service.exe
1160	elevation_service.exe
1288	maintenanceservice.exe
3420	OSE.EXE
2476	DiagnosticsHub.StandardCollector.Service.exe
1724	fxssvc.exe
2172	msdtc.exe
4664	PerceptionSimulationService.exe
2156	perfhost.exe
2748	locator.exe
2500	SensorDataService.exe
1612	snmptrap.exe
384	spectrum.exe
4396	ssh-agent.exe
4924	TieringEngineService.exe
2020	AgentService.exe
4752	vds.exe
376	vssvc.exe
4680	wbengine.exe
1812	WmiApSrv.exe
2732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	18c647adadb08d59b4fdaa1c1a10e1a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9dedfde11ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008761083b65a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075eed33a65a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcd71d3b65a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c029cf3a65a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054dbc03a65a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f01e73a65a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000379d033b65a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2956	elevation_service.exe
2956	elevation_service.exe
2956	elevation_service.exe
2956	elevation_service.exe
2956	elevation_service.exe
2956	elevation_service.exe
2956	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2732	18c647adadb08d59b4fdaa1c1a10e1a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1068	alg.exe
Token: SeDebugPrivilege	1068	alg.exe
Token: SeDebugPrivilege	1068	alg.exe
Token: SeTakeOwnershipPrivilege	2956	elevation_service.exe
Token: SeAuditPrivilege	1724	fxssvc.exe
Token: SeRestorePrivilege	4924	TieringEngineService.exe
Token: SeManageVolumePrivilege	4924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2020	AgentService.exe
Token: SeBackupPrivilege	376	vssvc.exe
Token: SeRestorePrivilege	376	vssvc.exe
Token: SeAuditPrivilege	376	vssvc.exe
Token: SeBackupPrivilege	4680	wbengine.exe
Token: SeRestorePrivilege	4680	wbengine.exe
Token: SeSecurityPrivilege	4680	wbengine.exe
Token: 33	2732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeDebugPrivilege	2956	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 928	2732	SearchIndexer.exe	115
PID 2732 wrote to memory of 928	2732	SearchIndexer.exe	115
PID 2732 wrote to memory of 948	2732	SearchIndexer.exe	116
PID 2732 wrote to memory of 948	2732	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\18c647adadb08d59b4fdaa1c1a10e1a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18c647adadb08d59b4fdaa1c1a10e1a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:928
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2db6a2f8fad67e72d3f6d29b509968a4

SHA1
69158f1892bd4c721cd7813381bbde484af11d3b

SHA256
fa21e8f37b8992ffec9c5d47a28e2c7ea8b9e8452fc75fcaf4396ee14b406f6e

SHA512
6a43fe8b0b63553a66c4b36097a1012d5e02d60f892fb5b7b27a08c7ec28005091acfaa5917797e992864c8686825f0f4a867f0490672999f1602f7245f8de94

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7789b82603569c52b286aa70f195bf63

SHA1
c28a3df48409d032cf44bb8cbdddb7e5005d4502

SHA256
41dbe994f5f28297b18a6c8921fdc64c7c1454ee9e43bc8add7acddb2f143965

SHA512
0b157c002d1409d336f103b61e908c36a5a58a4b8fc3c3cdf1ab26c8e8a2470a64adfcbc4bfb74f26105868d7b152d1d3777eaec8463d421bbbf22ce9b12d67a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
69efdc04f99b320328b3b4d8a30de28f

SHA1
54d14f7d56f2a364f57d551c3dd187d7b2218150

SHA256
185943902d2d24f26d902d46ff4184bbc33ebb70e7c09cd435788f3d7830bc1a

SHA512
3ba54de6f214df7a2a0fcae76f9c6460f3aa93d54bff58e3a8de28a0bd8f9482419b9054b210297db54271d589de334e879218a25914ef5133c883ba2c38472c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d44995c7e0859fa8512b7fe5d580d256

SHA1
3bf86407c972352a9b08ec514b2236bc478718b3

SHA256
6d2958c74e009ac3f0365e793205d93b684524f82517d05cfff4ce8cdf853dc1

SHA512
187edacf226255790678530300240e6bcc38a3d342fa34cde164eb924d032d8f444f24365d8bc275b8dfb63bbf330fea8fbf1b2352e35846e718659e72e517db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d7a00c1edac341a5d7e3d775e7827b42

SHA1
27d1558fd517372a34ecf0cdf3a90e6689be488f

SHA256
7260e97c674dca3808b19a310a8080bb8649cdc7acd3d30844da9e529f2cd0a9

SHA512
9eeaf65a63ac4889099d8de2c92154080776785c3dad50c0259bada07f55907a38d1877adbde57c3fb984faed9db854f6b7da009fce03c40c3e9e377307f6aa9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
11f680be4f232dda25f34be794274d74

SHA1
97c4d03dbee74f1bdd95177a7bdb4c9267b6545c

SHA256
f09ba471318fb663f31b466215d8c21995427ff65128f939798b6e128cf89a5b

SHA512
322df96265c9fed7e241b1822657fa26b0c26fbcecf0da2a6bb0c5866e25877d9d92ca43928882d9d1cc10f38dde10889b5574f4ef955f2870141d7abbae1cde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f3ba8b4cf1bcc00826f35d0eaa765dd0

SHA1
1c0d4a000c821ca038b83c3390adac34074d878d

SHA256
fb004600e53e38350f6122147ed7c685834bf40cc3b93a1a558d98a0900cdd1d

SHA512
f9788bd9d724cf499a76c4a317346272bd7cd7f90b8462832a950c8c51b0b5f5696b52f8fc67b574751eefa402c41246b6c36b51c5ba90bac846223cd0318699

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
040494f068ba0f352255b546c38f5746

SHA1
2d969a5f41b7fb8f39765d8e2d215d7eb02f0bd7

SHA256
094a87f3d9b1a7ab0f02d6c5de28acebb20eed4edb4b0403ba59db203fa342c7

SHA512
67cdc24bf4b5f6fbaffaefcf76fcf5a65e35841b841ace6b810cc0d689233e5d781847c33b8202d0393b4512f5a8ca33270d8c472a5a067830fdac5455136ea3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
15cd6ed1268d8a7aff9c97aa370467b6

SHA1
6ed1388f7a48be2dff1dc70336d82c6be5c42945

SHA256
3cd2262337c1151974cb67e8b2dce1b55eef0451b3ac7a0a830337287ff7f9d1

SHA512
57702c00ca1b1ca2e27490e39f88b8777d2bcbc23ccf5a26b080725ce6678683f003f60c68897e3c8c6d1d602b23e97f9623639cee9863e40ae5fa26061b3b1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
010cbc5f7397a937567acafb40428492

SHA1
696811db6cf0f1c5bc67665ead76b4ebdc3bb71a

SHA256
a4974db65d5ddd99e7afd598ee31fa008de92da01d94e522e1222938d5a1c6f0

SHA512
6bd57448b7c206adc9a0a85fea36e9acc8187d6bf878778e4593ed0630043221b35d681221a935871154168e245cb65e164f4da5afcb3ed366c29de27c03ab58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3051e2f7374561bc94de0b4837ccdadb

SHA1
f20f7a31c53749aa0bbe85ac313385dda4f263ce

SHA256
8294e044b0a2dcd546ba32f315fa6c0812aed1066dc97129f0b56ca94e3f5c3e

SHA512
b8b2586e70ffc22f8e719ebfc3d8e19b868677760c930a9149208092d3de48496b9a6a49cd4e4217c56e5030958da062105f148644215abe255293c7239bdb2a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
36e4c08323883b55db8d61ea642da4ad

SHA1
aa35969fbf51bcd051364f09ddbb20c7b4d83d8f

SHA256
53e74218bd434a2a7c2e5fb5f90c0fc433b467b2a1c33ee054d7968aa718c6b9

SHA512
6c707484fa2d0ca1f98f3b63f7f8ddd6f6eee4b90c734ece451b8249ef58050ffefa7cccf5660aeb18fefea4228180c00ab05075701a022ccc40f1331313eeb0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
eeee4e7e7a95f9cd1fcc4b938374244a

SHA1
16afd2d93c1173e3603019bb97535ea6e29a3024

SHA256
963db62c0935f402c40d70339a91934f92d62051ad00952f820ba751d9630113

SHA512
e279440b7a5f0490f69b5909dd58281fa461fc11ee2ddc7a27cd09b0d06d5619e616dd34a764d82a9296553bc5a2c1b5aab9a964aacc18e0d61577a427286c8c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
9951b1f51afc98aa306eeee6921b2e72

SHA1
549f19903b55081f92027e01ea8949134a747c41

SHA256
5240377d3ecaf73b0e3245a61a0b8780d6de39166baf6e2724ac63a87554ea8a

SHA512
74aecf510c29a0eea1608537364f9d31354dad2b86d27b6310c4e3a2c32fb47f2fbc5aab9ef944155f7ecf93cb661d817c0697d042bc9e790a7ab0eb2353e57a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e46841940538d8a524950236804a931b

SHA1
fffb3b0fdf2f5d82e0d8f3bdbdb925f971cf045e

SHA256
59f08ab111af986c5b1124f2ad7d146dad299661e842a240e82406027f782b39

SHA512
c9a6df167ce1a1af834f17b6812e07349e01f5b38ebbfdeed3b409dfb934c7f8a2a620ec0b9c83f6669638f107270a00a38d63b87e436a83e33dff94714bf213

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1735584309bb056c7c047059f1047c63

SHA1
434eee2666842940f245b13d188b85d8a74f5b17

SHA256
ef0bf16f4f41f8171f6e0ca28fbaf7e4f89f0a7a29232963505be288de983593

SHA512
43e908b827e69c9437488a1c2fb31f640a384ab0f293231555bb308657fa1e4fd8780bd70e9c8893bdcc469d0296fe776c3bffd4f9774c096079749283842e09

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
064f58a8fdc155bd81ae78a7a2c3bd14

SHA1
df6ede2e5fdc45679a1b01fd05c5beeb6700a5e2

SHA256
93f11d21de08144f8f0aeb615cf13a8805fa8c6bcc3bd98032636d688024b286

SHA512
f30faa29d4f0697728d8e4cb735f1ba62e3a49ac2dc234f7a2f4a00d2e62bff4b620f91bf6189746f23a1e7bfc1735d54ff9f100c52c8c2ea236eba6f2798cce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1f2e0d0615d17b598ca04ade15fafb03

SHA1
964d560e65a623b89b8f473036739a078b551f4a

SHA256
9268aba8832549d8283a12798ee78fdfdf05d884a5f2c9677e71ef7838fe9dd5

SHA512
38ce18c908ca20c7988d0057762c1c044f90a3ba8daaf976722ab009e6bc368d799dcb8d4c230b0bcb7a596f23a26d58f28ee33d0cd46fa11232a68ac44da118

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
241fa48f9aa8978767c816f2e400df6e

SHA1
7a257bec9c91e85b72b8659f38cf1b845ff7f591

SHA256
c5535debf721e21f5185618ae5dd42ad5854f63a7b0e9aec6fbfa4c80646fda4

SHA512
98dc72c651664eb80d10b8fd56f3e090513fddc2df6c04678513815d909fac264962aaf0be36e81fbc07d8a00cf69fc5d3cc7e98ee8435ab19436de00a3c54d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
56b7a2904c4300f8f3441bf507754875

SHA1
8944e09287398def89cfccf9528eedc9094db54e

SHA256
5c5d3cd51997622064a152bb21397630b008336fed484f886748db5a4acf300f

SHA512
656d6539aef20bf1da81132503c488b9d60639e5d190e2a0d1b15e4074978ab5da3d5b04b0c7bf1fe529e4f8c9d6f8ff2ae93e633ba5b010f67d0797593b36fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
30a74f553ed4f8a598aec60867b0bcec

SHA1
fed3d3e9f3056376a278c5bcd99b3d0007f65b61

SHA256
168221d3f4831b77dd2bf09b2da9c8accfc41ce089429a75966b48015c39c29a

SHA512
f63b5b7c2d0e741def6d39a6ca5a3e4cd2382899068aa190b0f33be0127248fd09920fbad538f75cf7849f48163838ecb091c4df21e44b06f287461162f7ca56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9937944e099dd8625c39513937804983

SHA1
9903482d1b4cfc19bb7bca4745313ad629499ea6

SHA256
d2a8629e999ba478b11c057754f4db2bf4710b608b6e5b6d417e72532d01e281

SHA512
46f19fb54ef88eb76a33f091151b09f3ec3571abdf6b87358f876e07975d0f90cba8a2ae2ebeb0956f7e217871237af6bbf2243af0edccc0678e26e407ebf758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
1bd9992664d3c6320db6e47a52f0edb0

SHA1
e232398e9439e04ce0f5993af6d2b46fa080a974

SHA256
b84fac0394d7bae6ef58259a68cee0c49e84e82198069801e147867b53ca4468

SHA512
398031020b3ad1a29b5af1a98473a37e14ba4972a7c0ac255141ffb771b37420cd57a36d4024debd059fb81fc03e362aedbc0f1afe7ad57aaaf2be80ae1881b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
dfa2c49ecbd7ca389231c756fa681300

SHA1
bb3266cc547de50ad249368a7e858889b4f0664e

SHA256
527cf7560835bf511fbca0f4d38c97416916dcbf20a00f55f4854f9c8fad15ef

SHA512
821f28f89172df5b9777de0383fde17c9efadc6ce7f3617e1717c626047312e8024696eefba81f13e7dc2e9447444ce41732006fc937c38a1c4b0a21c94586ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
acd289b8f0965a2bb430626a50155b82

SHA1
735461df859b65d70cbec395829d774f4a864275

SHA256
1523b3ea95d6d6016a72a2bf93a1c161c69ae521d58ca679406ec33db768521c

SHA512
b8a08ade8a420faf786689980bb48c9c22eded472ff2b4687ae3f61c8990f55601f04182532038c946ae51b71e8d47426cecf6ebcfd9cfd1e99ffdbcfbfd8897

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
e23388f5d9ce90f0669865fb1f7e8c34

SHA1
815afd7b2602d61f15ed33eb0445abc264265194

SHA256
2eee56b82af6ddd7911323e2a5b79f14b63735e6e699cd1f441cc6500a100215

SHA512
ee425d84bffbb9429fe9b529af52f1b2528e00621dc2763d2f6e5be1eebb4c10355c154af0af16d7ad7e9add1f30ffb3760b73f50baee6f33e1139208da6cbb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c1128c9ca32583ccf16f2d445e30cca3

SHA1
1f923ec2f745ef86c1678938f293a165eaeebf9d

SHA256
f4ed1bef10056cd77d20ee5dd44d3ac97d38d27033b4c662503f6b19064a3fba

SHA512
8102983458df8cd5237666db63e754db49c0528e60f0cb709c69b67cfdddcf7f71c4660298cf2d91c7c4cf3fe92d74dd3f3a37620d42edcac58d6e5f3268acd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
a41bbe24ee8df1a7d707ac2605c42100

SHA1
092b5e5249616b53699feffa35d949e346a25bec

SHA256
a90eb5bf7c2b62912703a741525c4046360ddfcd95ca89ab54fe023bf0c2a34b

SHA512
2cd29866e1e2b32a752944a9ea80b0c16829402089b96fa7d1e06267fee04f8d0c498ab3e4174581187aacc7c4ba8fee44fac977ad8c48353084e5475afdd1d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ba5115c95b165874f3c12cfdf4cc694c

SHA1
3e5d13e14d5656f5d90db1cd47b81aba1015e374

SHA256
92c35499e1c5649c792afbe203f969d26e0b399557b08c07e43bc9416bbaed9b

SHA512
82d8d29bf2fc9fdacd39eb9678f566f531ec78a83c5d872c28d23a56ceb5234f38e21a2c9377090c4a8984194011ebf8ea8e927fc1566b38c5b58f5a29f7887f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3efefb45caaafc3e8edcd3008e0d6faa

SHA1
bd8d24ede5da5861a1f04006b0ab9401cef31789

SHA256
8ac0a15564d43f74ca308d5482d0fde0f5e99c8e9feb3eedc2b0b976e0f92609

SHA512
fa05a40d2bf10ceecf0a62f85bbb51dfdcaf31399d3326541c5ea6ac8ea89daa3f424e48d44091eeb1ed6cbc5bcede79461551f1e9ccb6deea774f8a19af8939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c9fce41e73843da49a2a8e1a441ca2ba

SHA1
c69cbdc59e80e3bb584411d01dda30bb8ad31dcb

SHA256
873f897207d959d35de228e951d11e4c91657944845aa4484110040baf6f34de

SHA512
19b0adf0c4f0f5fcee35b89a425d524d5b4765cdb5e02f342447457c916a47bd4a901db14bd11f4c59cdf2459f280fdc91617d765591de9a1905c6717831c4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
d20c19f3c0581aedff92401bf5becad7

SHA1
f369ee8ee6b9f4606fa7762e52ab06c5da74ccff

SHA256
c5a1f7a89efaa183a15224114414b6432a25b8a8c265eadf82b8fe29872e531e

SHA512
ac00c05305a0ad5c1af7db7d0c2bc447234ff620ef2b2c99c79cd62c17c484a3f46bbd84c6aacf3cb733a05d331bacbd4c7a8693305e911d98512186496a6500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ac9563af3eb83d34dcaa4731449e3874

SHA1
c7d909ebbf73c564c77f433c53b35e858a3743f9

SHA256
d5ee7ae13e8693d7152dc99a7f0230bf408cc5b0a3725709972957b090613b4e

SHA512
e7706cb0ab6e73b6db5b40f3fc83b2f13d4bfd72900d48ac9d4eb04d5d79ced5aa9917f54d3571d0195b8e2e4d751acefa456770727b0f4d4e8bfb31433e73a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
5a40abe2955848d54194b680aac917b6

SHA1
fe9793e6e228ca99b448b0d3070f80c18a1c234a

SHA256
1fa79a1d9506798fe7a959609d586b8ae2fa1dc56bbcc619aa8d0194f5b779b8

SHA512
7fcdad5e4cd720d9586a465911d69a7171586f849cd0f5c7f3db2dbbbf169dc63d9432154afd8ac7f194961165a842aefcf24d1efd38e9052b6d34f8626f0f6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
48315d232133057de86d35a77d38b60f

SHA1
ce07910732cb2e025d6cebd32ff9e275e6ce7374

SHA256
d3225383178dfe34e145f0e65e5537358db8d861e9c056088f0e6f0b0634f4d3

SHA512
cf1f6dd42d88f82110120a0f7f95d8629daebc6fceb5e3eba4deec738b551b63196ba130b02b816dc7fff168af3c3a745af8c97dfef8c11c6f78e02f0825dd03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c01190184b567a2df6f39310b92aba19

SHA1
98e31cb9de2141344c6a1f44c021927fcb5af353

SHA256
65a10699f8c02753788c877e824348d568c971d74785ec317698d269b68c4b27

SHA512
7355434c75ffa04c97b40188c211d7d36b5b3b04c71eac2545552f6b5a2bda6866ae10429e022c70c68934aece6f7fb6f82d10c1a4cdc5909728ad04ad588315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
552a2670648257f59a6367f977ae6fb7

SHA1
6d45a7f289a9334c4180af256e2e16ba5cf70f73

SHA256
792702889e5a5c912cda707d7aeb3ef7b12dd7258477d3f239f1fbb141f29511

SHA512
6c394eba8f6ee519c33cf79e944f11b35c80a51db7a90c083bf698226c745f3fcc21414979aa141829cc5f462505c17258fe6af755ad193477bb8ff818d2c124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
faa8b7c713f3f610d751db327d75109e

SHA1
aab8dc1aa56c2d0784a64a4f7dc6a345920197c6

SHA256
3cfe467a53a5a1c5ec1bc864a06ec71f927559afb6bfc10abd4e5ac739eead8a

SHA512
aaa7f94e0ccf3d2a67da0df16dc5e4560ccafb60a32502222106436fc84d5fc76928b1ec273b1978ac1cc99e446b4c80e5293be51b4056486b09afac4bfcf826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
077080cded73839a12ca4b28e8f6e232

SHA1
1bb2c33b885ff79202c2ec020f594c5d1396cea3

SHA256
7995dab4e6908463f6616c820ecf6376e11a7318ed8e9e5a2b25e325f134d75a

SHA512
998b23b0a09be061b094d7f08cedbe4fd4dac5cc29c6fd0ed0fcc3c416b56731b5a4d31fa3efec297c37da7708ac00d696428c753b46219aa66f5c6b311a2e43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
2b069eac377a0cd798274a4f2625c8cc

SHA1
a79f20b46e8bb4d0775ae4dd3dac7285be5d7e3a

SHA256
b3066c6930e149cde451aff07a0032a43e9539df3f2e967af4bd3abfff3c10ca

SHA512
69b076d009511e1d50c665ea66cbc88079d5181222728981a6584fcb87a2783a1f022f5b0de1794d65e28ad1b549c20b906a940aa38ff48c28d71904690889bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
d8dd635e0bdfc47b629f339a25d5b0ba

SHA1
5931527d6b95e44c38a7b4bac8859465010bd9a3

SHA256
c5efb39a48d5eccfbeb87ae9c387bce0e664f1d4fc558314d6bed3442db35a4d

SHA512
50a1c43456e9eccb737ab8a89c561d5d2e20813064370f7fa61219662807e903554a85e3b2bb1a7049d6e4806c3ec812509126f2a2e1a44ad29e79af9fea2f03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
91b52f8a17a76db3e780ef1c4e7e8b8e

SHA1
1e59942f3ff395e407a7719cf52aedc0408a1b8f

SHA256
b7a358c5cd4d782a325368dfb108c36ccfb76d157bf30aff551f8019842e8ca7

SHA512
4160dca0ed1538d89d2b1274ff2221aedbb2c5244099cb69b7d6df871dd44ccc4ae3a24a8f1dff54b50a93ae254122199dc0153131cd83a72228180ecfeb12d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
2abafc371aecbcaed918254c919b7a5e

SHA1
3ce8171ba54090e802c69e5807b0d574499bbed8

SHA256
738dcfad45910056804af564b54b667f31dfa5db2a54529029f86dedb799e7ac

SHA512
92f14c87b020d3c41dc1c6b2d556ede67acf6def79756b8033bcd2be34da9bf1604c8e94c6577658098d88888b2d708b79ccfe7862e697750e33835da448228e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7e429e8914bd83f9ebb030b2339a911e

SHA1
be6863c6fd58db3a5c7e3681b995cc38e1ed8708

SHA256
78434a58d1f6fd3457ff3861f6447de90776ea64ad4f1d8ce4be3b8348d7e736

SHA512
0a152c959337348d2e89c1273c46b0e6f266ec57714d3dd9021d09d92014a5743d9eeeb2fc17f0273411123b60af03f598ce25f37d7b503a39b3922ddb328d0b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fc9edac4134a78a140ba09c3bf4b9260

SHA1
c8512c9ec864575cfd7b1e63bc6c90d136307794

SHA256
95116f29dd38724f933112d254ee3c9dc84389e65445e4d0dd00e00cfd5f26a1

SHA512
0af6584130bd4426792207b0e62890fa33ee6ff384000fa20ca360ddc8014e62e86e020985e852e89f294c065cb3c41b152bd981ba299059d37ae09fe7f77daf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aa2edb4d86177d9a178a684d3a685f2c

SHA1
934ba0176606fe4d0c44f3d9884a5015a0fc4495

SHA256
868b6f0ce2ccacebc2d14077c49ae063b947e464b3e6e24e26d1a0826fb620da

SHA512
3f35690a3842e60745f48f6c7a8b02d76076f2a093d7a0ccc1eb9038dc93455eebd3e11e66eaec16925b5c862f6d4e6b66ddee371fa446fd85d1a990f4f76d08

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1939d2bc58568d7c929a1da91821dfc0

SHA1
fcf924f130284957f827013399ba78aca4edeb1d

SHA256
ac71147faa16ba686056b8dce45b50c1f9a0c3147197a6a84058814143448cd4

SHA512
e003fb196dadaacd4de2e203c5c36e9b2f4176e7e7c5337adf646323a1a16f84d199f1f1771c8592e514b51e13762747bf5cc8d995477362a1664e1cb86f3638

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0909bd2ea8e7974356577e838b43ce9c

SHA1
670e97e7cc19d5157973e38199bbef33c8945427

SHA256
bfbd90fd74cf409d8d081f8df9caa7b852abd13dcd18db577224c3f57a483e63

SHA512
a018ee1c1855cf7b52087265d4fb34db1ff33c557963c9908b4f3985ae53042d50aee5e5785f414f548f3daf8605c5bb1c2a155b832990edd82e5c1cfd06c08d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
97c684633ba6e3b27db945fae093ae90

SHA1
c03d72bf8b3930b1ee8b888d1bcfc4feb79b5e19

SHA256
e8aca54a17ae0bd2e0fa2d1098047882d9c4e5b78ea135d91230cebcad176aa1

SHA512
dca7a139317d41a6da9ee94d629db6555a7f526a4b4b807b2a0e66ae6d6222a8118c5cb9ff919d62c628f0d15bcae47395c6b238b34118565a9de84238517ea8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2ae4f549cd582bab9b428efbce500cd5

SHA1
483ae29f7c79d15ff585955d50e25da6facc4c67

SHA256
9ab5cafe71f3d61faf0578fe5da6c43334dc06a39ed19b4375410a53e76ff34a

SHA512
dae2c6967a7b4c836ff621cbc603d3e1ce2d7a33f8eb70de3673ce563da6dc09b42e248029e979bd7a5681161df0fb87900056fca00284a3fe0b86a529e3fd2e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
c4c0d3234a6e21a4f7f69e81453a7f7e

SHA1
c29287b612bf814f25f6cee21716ad9a2b4e5b30

SHA256
077c04df3a9e43f537085f36ad54564f21b811db997df4a8f13bc8b1c216bb21

SHA512
47b48ff1f6bae3b2b275400ed25247c30ce564fcd13132b6f23668679a415cd87903b1607193ed652757fdd2f0605deccbf7cb65b683b612b0b88b47b5b31b4b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
abae847fcae2ecf0d393df9a6a147e11

SHA1
3ef2c98c86a513ef666fa3eb1dfd06a61c80fed6

SHA256
1201e9a1e406d5e82cd55d954076da325bd64d25778801b81cd3106ff957f810

SHA512
85f1d43556936a648e8cde36d0a26beae66e86a52a59c631fc23106c3647c32bf06edb700e8fd89723b04357cb2f30ff7604efa8a6c75cfb1647437081aaea33

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0b090ce9446d4c41c25d12e1472fcf67

SHA1
df1f681671a611cf3f3839c28e7b1040cd0172bb

SHA256
84170059cce352ca1d94dc045c5afe26afdc78d093c7818318126f95bf590f65

SHA512
dcba8b894693c70f31cb3ce2aacca1aea0e08c3d874999aea89bb2b7993f22611c38a6e4ac0552076d96a79f7f2a3091a6b5be9fdac876dcaa6a2cda8558c647

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
49b9fb30a7e6d25c8ed5dd244c49fbae

SHA1
3b0ad48573edc64faa433debb87141983ddf9135

SHA256
1353c86371f535de61f5a9b97bd027efd79c479e743d3fc46b8052a51a9d9462

SHA512
ac1cac3e156f7389e756505fe85ec9ded7ea620b8a01bbe84b47989d5c4f3a6e6b3c09678a81e7165094f87b9f139cfbf18eeccc26e4b16b59c4be5d348c1a09

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
995cca81eea437623d9d567b5c454e6a

SHA1
05db1f9c3cb54f1dec915c633950c82819f8f119

SHA256
7c1a43facf42a30ca753ad158867d8f33a3a366719cae9a74e9e96f3608e582f

SHA512
bde939599f5da2b87841ad387e54c47c51a1a15fbeb7d81a79ae9f0a11805e33a7b6b1516f08180bcaae4e072038bf1f5c0c72eea893403cb3a7e2ade34215d7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e18b163528e724e0a08bca20b249a0b6

SHA1
a6c470e86553c380d51407474d2292eba22a787d

SHA256
0bdb2c4612454e21c2c9e417f31a050b929a1f4cddbdc23314b71dff81afe0ec

SHA512
913073ae1b7aece0e8f1a050db52563a3b1004f9c9757fd621747cbb5f24dfdb19bbb89768cdb02d5d0818ab4c5b86acaf574e4b9bce3632aeca258967481a85

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
21132b293c446f1715567b6b666cb362

SHA1
a18f8fe7797b7836d0d383dcb4d21572762b6c7b

SHA256
92cef9f014530a4f1fc777a21df6a539258c88b9c2e50ebfcc262676ac3f12ee

SHA512
38df81e46811894558f133fcc58ffda96c428378e6ac1d52c35b724aec78731d6c35a8a492a9ce0631a038ea7a701eb197f54be08e9c951d23d2ee9823cb99c4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
286a6139c088fbf9423cba4e9aa0865d

SHA1
0260845657d9abb22a428419783b90621b201409

SHA256
b858007db5bc3224ef5daf024166d08cccb91a2b80f3a8976ff77968b16babab

SHA512
8716a7f20197d895836c0c426cd305bb941c1e9ff69eee920d2a295bf8dcbb2ddbd914050749b008c7fda90fb76df5f56572d7ba36243493f763a6c67e59dfd4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0f7d5dbfc41ed74914a19091a5b0e7ed

SHA1
65c5495660f07911519ecd73082b140d23938e8b

SHA256
ddc9dcfb1dabbe57b825b52018485b3f74ba6c6e0e6f89988539334124ee170d

SHA512
9f96a95d74c798c47e0c2c7d7fce0fc1f50b0db933edb501a9922a80bcec6c5cc34bde813ff264eda4f87ce55c849bee05966ee8a368227895ec76b54db202f9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
74bb610f7caebdbd349b7dc337a27b15

SHA1
24465463d7076394e8da6d66704380fcb37bb6ed

SHA256
51956ad9be1fced70f5e00dfd7f4ff7078076aa9cc81ca66c33d7118fee15418

SHA512
23318de794a349a62f12a03a4f9be5c905b7c5a2ade169683616bcd563e33fd7fd607755079bb613ecb22ccd0700dabeebcdec2485d3c5b8a8a830c6ed536928

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
38e556390c18c9d706986c1a724ccd0b

SHA1
c89012390730c2191da6bf9f22ab0c0339815df0

SHA256
8bc687608cb1a7b383ad7b0274ce8e41096fe789971eff4ff44fc819ff0dfb30

SHA512
bee718fb7a55cd994510134451336403237db7f4263ac11fbc54d54eab223d9298e915ef7359c64c915900faec97a009230859e89d5481b14c5127695311715a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c19f18763ad61166730ae1b8e88de8fa

SHA1
98a278a081c08143c072055bb0d1bc40af8fac8c

SHA256
5e9f2594308b5ea7eb3fe6895242e5aa8012ad532a4b380827491d88fd8a2ec1

SHA512
fb6e19e7bf8f984290b7a88e1baf7337256bbd3c8042a2190a4f889498e9129d721a65d708b7ffde2df2f9dda81848cf2169f393befc025a5c876fc182eb2953

Download Submit
memory/376-674-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/376-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/384-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/384-668-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1068-15-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1068-23-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1068-24-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1068-234-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1160-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1288-52-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1288-62-0x0000000001760000-0x00000000017C0000-memory.dmp

Filesize
384KB

Download
memory/1288-59-0x0000000001760000-0x00000000017C0000-memory.dmp

Filesize
384KB

Download
memory/1288-53-0x0000000001760000-0x00000000017C0000-memory.dmp

Filesize
384KB

Download
memory/1288-74-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1612-329-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1612-664-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1724-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1724-255-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/1724-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1812-418-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/1812-676-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2020-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2156-405-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2156-295-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2172-381-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/2172-268-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/2476-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2476-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2476-251-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2476-363-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2500-667-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2732-0-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/2732-13-0x0000000180000000-0x0000000180228000-memory.dmp

Filesize
2.2MB

Download
memory/2732-677-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2732-1-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2732-12-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/2748-417-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2748-304-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2956-28-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2956-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2956-37-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2956-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3420-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3420-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3420-82-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4396-669-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4396-344-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4664-292-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4664-393-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4680-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4680-675-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4752-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4752-673-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4924-670-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4924-364-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download