c356c50a9f4b67600101e6fd5a3cc377635b17bbec969d86bff42a126f24c16e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
Size

577KB
MD5

8e407d0feaa063d8a20567b8c48e27a0
SHA1

520198df916e1cdea5f7d89e9511ebf3b6f5fe43
SHA256

c356c50a9f4b67600101e6fd5a3cc377635b17bbec969d86bff42a126f24c16e
SHA512

da14183e7d2317466546a42e19c7fde653ba1b2ef32b2a20f4b8c23de9737515ad8881968f3fde7991ef591c5dda46d61eb9b673e643b40d6e3598ef4b2df67a
SSDEEP

12288:2p/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:I/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1676	alg.exe
5028	elevation_service.exe
3668	elevation_service.exe
4076	maintenanceservice.exe
4264	OSE.EXE
2064	DiagnosticsHub.StandardCollector.Service.exe
1172	fxssvc.exe
3660	msdtc.exe
4692	PerceptionSimulationService.exe
1332	perfhost.exe
4908	locator.exe
4544	SensorDataService.exe
4252	snmptrap.exe
3740	spectrum.exe
1524	ssh-agent.exe
5052	TieringEngineService.exe
1216	AgentService.exe
5084	vds.exe
2548	vssvc.exe
4736	wbengine.exe
4460	WmiApSrv.exe
404	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f15cc424a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001143e7b1a2a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cb8fcb1a2a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e992d6b1a2a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095ccf0b1a2a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000709f65b2a2a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d3e63b2a2a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e9598b1a2a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071f3f7b1a2a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eda308b2a2a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5028	elevation_service.exe
5028	elevation_service.exe
5028	elevation_service.exe
5028	elevation_service.exe
5028	elevation_service.exe
5028	elevation_service.exe
5028	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1904	8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1676	alg.exe
Token: SeDebugPrivilege	1676	alg.exe
Token: SeDebugPrivilege	1676	alg.exe
Token: SeTakeOwnershipPrivilege	5028	elevation_service.exe
Token: SeAuditPrivilege	1172	fxssvc.exe
Token: SeRestorePrivilege	5052	TieringEngineService.exe
Token: SeManageVolumePrivilege	5052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1216	AgentService.exe
Token: SeBackupPrivilege	2548	vssvc.exe
Token: SeRestorePrivilege	2548	vssvc.exe
Token: SeAuditPrivilege	2548	vssvc.exe
Token: SeBackupPrivilege	4736	wbengine.exe
Token: SeRestorePrivilege	4736	wbengine.exe
Token: SeSecurityPrivilege	4736	wbengine.exe
Token: 33	404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeDebugPrivilege	5028	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1804	404	SearchIndexer.exe	126
PID 404 wrote to memory of 1804	404	SearchIndexer.exe	126
PID 404 wrote to memory of 3272	404	SearchIndexer.exe	127
PID 404 wrote to memory of 3272	404	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e407d0feaa063d8a20567b8c48e27a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e556f2089dba86e541e6bfc39b60b703

SHA1
757f54f6307bafc3ed8cf99734945fefd0711302

SHA256
d4e9281641e5dec261f46c4123f1edc6a13317eb6bf5b9cfadb5b8bb4eff1772

SHA512
155f1fd900544a2f1db4084af405924a80d4180b511f1556a552da1a90480dfd74c372fb60e20b42249f4711148769785d6cadd663303a219fd8403d4d042bb0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
46e17ddcae8235594e6b6f2a13d472d1

SHA1
30a3cf53994cc23b47e298bc975df120b92fe44b

SHA256
fa9b2a2e6b063318bc74cc5957b8b5cb922f9fa19badb6c3611790875b22c574

SHA512
b90016c52e0b7cf5d9dc9751a90ceb8cb73c845a2ef1b1172f5ea690f69e678cc385805f5295b535f044d76eb5ebef64a6d137b5d5d6bfea0fc4ec25ec2ae4f7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a7bfa30b9db45eb06ce676b376bb90bf

SHA1
936cb13a92623be7244c6fa39cd2ffa6f01c628e

SHA256
d8559b2a74b5fc1c5d711311efc2a8cc400172666a5beeaba0742f593502dc0c

SHA512
30b596a218cc64bbe4853dc937426dfaf95b603c26cdbbf3116cdd90f1516709839a365af9621cc0cde286bafa6b3ebf963a7634bd5e419f376744f44869ebf7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
541c0a88b2dc3446ffea26aaf55d06ae

SHA1
91d267cbbb1d4f00839ee53a0f6cd59b3db97cc9

SHA256
5b5a4172746f8e006f534ff4903373c20cd8d1cc9b38ccc3e86f556f724c61f4

SHA512
c6b3d93cbb6e009efb8c9d608decda3e5513a0bbfb5356ca81f92d5109f44e9a04fd47efd41ecb003f63c480bddf224038ccc2633ab3a1618a291851315479e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d77b7d9ad6f426c035732355b874982

SHA1
618cabef8cf1e886c39c461c781de25e6d2e8f95

SHA256
1cddf6b4c6ee84a20f3484be7d950b82a033c5ef2e83b08fcef6d853aa0f7345

SHA512
ee7e7fb17cb6e17f255466f695767973910e79ec85ba2d384242e94f9e16633c5c9b8518ae4591532c64a6a91905513790fa4197ba3975025b0aae7b7de00c51

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7e49e41ad769008c2328a19b35df9ebe

SHA1
442f57dcd8c42ee505700bc92d2e9349ca43ffe2

SHA256
fc3a5cadd723aeb11f67d1602598b9486a4b14b48823ab9bbc52d19b678868d1

SHA512
28d9544c9cefd0c9d223fa069be36e469861df84f91e561216fbaf48816658db165740c3c8fc11f43e35ceb538f14fe236e49f5e17df89233a2ef011439a4d17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
933eedeba7bd2ccfa8eafc4da463cdba

SHA1
cf79c884a5246433f46da0671a61655911dacb28

SHA256
bf4d907b30e91a2baf623bf7a694c0281f7512868e1039eead2b75facc571b5e

SHA512
e461ea6cf78bfea115f5b1f785bb73f979edfe41dce87c6aeb0d64b5cca46eb43f669c3312d9271ea1c805cdd658b7de92cd5bf5f0b55644a08ddf77e09cc72b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cd8077d582ffa8c183aa912136f61563

SHA1
72503a7058261c9fe1f38757a9fffafa88607588

SHA256
a3273631d4c5b8df424e21190c5a3e489b767e7eb93b3e44679eae903439dc07

SHA512
b81d554d1c5d594558524a002ac130d302f78a60b6a7686c73dc64962052e0aeed042cfc9bc5e11c0e28f4107a8e4cdd351df5013ebb9c29387b2a37f3d373ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
554d2a5992057a4cca148cdb0e5a1b1d

SHA1
e8d3b01bacdd41bbd63a1d1a0f28691b5a94e68d

SHA256
c70d601b3c84cf2b40611a6b91c9f92c93895fc7854e46fc89e217eddf996ad1

SHA512
933388791fcb31fe9f64cc7b4e46d68ec3cf04b044130714caeef7382a54f6758f482ee91977acfa4c7374da22f013c48903e439373c49a9be716884f4043a49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
632e94087fac4d46842aebc7126542a1

SHA1
6161e41325cc9cc3dd00558e50c866bc82a25b25

SHA256
0503d7cbf7f19523cc58776d94dc0f117656302553c32da8d3fe9fee12e22d7e

SHA512
22f8c4ffdd8d22f97bccecf1fb8e46958c653e3325bfe524ff81c24a88c9ee27587a3679fc2a5cfbd0b68780371b8a908f31cfcb4aa7ebce3632b37428624452

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ee00992c12b59b2adb712865d441cb60

SHA1
2e79085b419f83bb824f6950791d68f887b28226

SHA256
c47d212605e20822e756b59642e6dc780fa2d4caef9acb70e3fbca56a61a6176

SHA512
a6a911453482d7f21fce022069d97452452d44a39bce9e45b84700f8ad41b312eca7fe04ba47567516faf59193f5c9c639a25e3c5b07f051233dcfa26b25cc4d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
95036ce31bf31ed13e9b7e5fd7eb6aee

SHA1
9ff951b18b50477a8fdf378bfa571736b6308bf0

SHA256
5ec58aad2b82f4ae954cdfda4b792f9d4b8b93971f071ced32cb5b5b6a37e316

SHA512
4395df710cc8c4ce3bf56a7f6f80e218546e5c7aaf06fff7877570b78857d854246f63703337dadd1fe8f2e7daf397c842b3952c5862572e676aa274d941de88

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d8a522af9088b65b64fb8d1df412991c

SHA1
2e8217737cfb888c683d799c935b656d1e2f997e

SHA256
caae02aebb5dc6f6463e9b442191e99cf1dbe375b01ec740c039166e83cfb369

SHA512
a0615dffe3bc44b448529b2df4fd0477bad6efece42d019503ca524b396cef70e69806e2219999f92efa88ed354a5c06c68a1966ac1cedc31b5a19a89c17b8b4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a0a4bf5725a804310dfeac253816eefd

SHA1
c43d6b18726d0099cdd6cf4583a6180f49efa397

SHA256
2aa074eada65d1a202d6e6a04c3595cc6d17be0e3c7ccc2036fc24f27c49ebeb

SHA512
d85e0844ca54a89e2485a4ea4fe9351f0c3c6f121e4236ecc30e96b734bb60ec81a3e6107db9f35b291dac0859c7566de73ace8f836b8df762eeb64ad4078833

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
84cced3e944e1b9c9aeab804bf68b19c

SHA1
3b8cbfe3c48e268fb5ebbd27b45170f7d89a32b8

SHA256
862fe154a0e3aea23c975249a90eca559052f7dd80e31e387a294ebc166e1421

SHA512
12a57580a2fab076fff66ce4e6705c721306ae0f6a588aabedec1c609f26b79c4b7fb1cf612a9d4c258daf378c408f33df15a59003db7cb78dbb5ce55810476c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
31e8f0d29b0721b6e3c91cbf198dccaf

SHA1
6b446b84994ceed0b017904f678221f94dc51e8f

SHA256
b545524ddf9ff8bf08c2f4f9454c0ae60422078053f9aafea03598ee696b8505

SHA512
462333e9a4a596ffefb03e01e52f41f34520b40c3543121a2f8167ec94b5febcafc6693777d8bfbfec2f53ad426ff7c31442be375676ee95e20074b756ec66e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
56b951fc2675f2262b3253e86bf85d43

SHA1
e417a6d1edc6cf5bffcfb8245afb344461a1c1df

SHA256
0562f690a1309828d9dcaa7c349c474aac4284ce5a039899f2a07aac1c244bec

SHA512
97184822c75508258d44037990f9c08165c88bbf181f669967bf080fbfcffc6ad96c1b87cd5e4c11bbe122a8a5f41e2e53f6d4cb187098498265d8ab48964ff5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d5f2b43907f98bfda21e2fbc704a3716

SHA1
72431ca638aed62529bd2a4a457ad974d54f703c

SHA256
f7248efd1d637a5338aba11346910a56198b5264a87e20602793c7665fdbd86b

SHA512
3d7600d1ded6aa8829f67a057bb1d7dc78e0efca6c3c68f4e0c30b32eeaf3f839b43022d87fbc176c6dffa4cba56723977414f35b9253bad05aea3f97d6acd75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ad01db17b9748652ad0cbe5ac3d11bb9

SHA1
01ae03aa841db4f635b24e130136de52b410fe2a

SHA256
49b6a40822b021508181667d35115c82cb39e370938405f80a43a06a2ae13c5f

SHA512
cc24c984bbd83845a24e1da5ebfce464fa58a38a6249dfe692793f0b5163e5ffadea8e660cb027cc0d0a6e72ed4bfc465ef74e1d97a68b5e441f1c5ee75b2940

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d39f662997c35c1c0ee3f19adf419940

SHA1
93e9f788764685dc139eddf5ab7ff8e65f5819b6

SHA256
5a0a4c27892afb49c1a960ad77f0dbd131f375fa34b40e8803255031d28ba9fd

SHA512
444e378ade0e484b6e5ea4b62ed355b586098c60fffe7fcfbe0afb1c6bfc04a88b94e79484e76f3771017e6fd56b06b7eb0ef5ea47bc6ace457934488aaf62c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
74183ef7ecffd0bc41d298cb73130fde

SHA1
f4fcb8b8a5581c7513b2ef9c69f5da0a4bdb2b9e

SHA256
56916ec2b61094229a08ab0a8b0ff5f4e66021841e37db25f3b9cca60c18adf7

SHA512
44eb3702689f82475f5ac2eb052f793a2ef438446646bffff8c0432a0e00f82a76f18273b78d929cdbedbc8f8db1957b4b9a43612e38b241c46abdc812caf552

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
34b045aa00f82e38473dce3725bf9e8a

SHA1
88f2e547e1decf60b777b731c19f20fe646ac418

SHA256
6d295ddf869c6db7ba52ee3b37d112babad09a82d7579d66cc54ae77b3085c3a

SHA512
9b03ba3083b88a469984c49f9f1d0f96999765e3dfeec31cd660e5a2c8fc4de7e8d119755cb84c026595c656f12e8bcea575f3dcd5fe5dae294e991327a47750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a6f5a2b5a3599f578e7e8bfe250f508e

SHA1
801c5cdc63c45cf28ac9125e15a7163f32787261

SHA256
6494e1da861817c0c35a96f7c17edd91966e0f5f5c873393bc765ff30ebf4c63

SHA512
e6ed641aad2a6bc9721294150a3265a49e46792033113e895d3a3f0387dea9eafb4149870ea16d163a24191c08f670061a35e324c80aa51ec7f33a03506a84c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0fd77d493a4b90ae1fc03145ea7a4a64

SHA1
f518417ed0964d6928f9902eb54951c66ec812d6

SHA256
4cfa3b5c0ae32925ddba245885461066b94beb468f80d13b30f203b281d99eba

SHA512
37661039b1c2844f22542df61b6ee143254869e7828007625e342d4a650ac5360a25f49613e9f3fd879e2a6893463e6ef11c3de3e6309b012acb9c1ab2dedfcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a2bee02df6da55fa5b16f2395c1408b9

SHA1
7377cc1fbf262748900fc633a290a4bfafd4a180

SHA256
153bad6cedde68ed17bb922d1c542e2d1a967c4142e60a8dba2e4d9ddc0d1c04

SHA512
0e857de1a0d8c160766acc40f46b89082252b0b6b72adb4d05e9fdcdb1c567dc07a62c61b9cd1aee853586894aeb12d037d36a7b4a200d3b8db9299eae3b50ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f61b3d8385f7111adabf830dd20b8f1b

SHA1
184f49a596654798c3fbef91da3d0ac5c93ee8b0

SHA256
833084ed95bda343de6bb9e575c53b1d9ecebfb99e617f80c64c254f1fd623db

SHA512
e5049f8dfd49a45e41b7ceac48da452a2608322919f7b529f150e18f404793f59503d1e62bfad4f226f10b15930e3e8b8cf7ee977cda2384660d701c77c70d80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7e969ab847de24a392fff867fa437318

SHA1
415faedc356f1d3f2ec0eddbae8b6f4780053681

SHA256
9d5fb23d77f78bec12b3992537c190161f0c5a37205a48b833ce7c1ddb126c3a

SHA512
355883950fb5c1fa65f2e9914a44118bd419d4ab88c06a041f3a4dd1dfc5cffdf01a79c81f019b86ee4710f7382d6a683856104c7cf7469e5e0f456f0140b676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3dae2923034b5701dc80c6530959b473

SHA1
21e636ac61a3b726c8d9d558881dfe023271ac48

SHA256
dc6aa3b9d5cf6517da6df338bc7430a67830dfeb73ea3da7d5114ddfc3e29dfb

SHA512
d22fe82d67eceed2b7a0de390b9815dcbfc0ccf7b38b906ba7abd9889d4c05ceb46aa324d53a41cf5fc1e50f4ea95e03970e3eec66c69191b427352c781dffa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
622c39d43e9122e1112c642c9cdcdcda

SHA1
1d929ef507dcf46c460b9c158e6db23a609f0a4e

SHA256
6407ac9bde69dd7949a0bf6cad118b842095f61490f9be802f59231477e9bb63

SHA512
ef79ed69420d11b51043c847e63e8b5b88ed8fc9eb6d293f538b6e9f0caf3ad140cd839627fb74f5bac5efc823f8c54d7e44e3a13f36e3544d4bf36ab86a27b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
10c4b8691e25f7e8c459243afc8b6c4e

SHA1
eb7d890ad4e093acc90687919cdca83767283a43

SHA256
e189b8f53ec8b591d7fe51903a72640b3712908259db7332fb53ab0a93d3c6a5

SHA512
33796a5d06f251d940fe447da6208af40479bba72b9c0711c78ba1472c0a46f721a7cd4d38ad5b8292d0b155a847d5d00f6092cedd78060cec78c248a3966fa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bf08bd730dc840c0fdcac73cb237d49a

SHA1
dd8d867b1ccc8d30b5e061f0a49d0e91c1f3a04f

SHA256
aa4e23d072f7d093693a2437076aaab612c5f2acbcf579aff45e2f7dca78879e

SHA512
06da6539a7664728c6f8ef6ccb28686ec5e8aad19e8e81315e78b9d5cbfdabdaadc1413984f275578f4816507da9a150126e12833743c42d8bde9de79b434708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
47eff690fdcb9e9bba7cda221626117f

SHA1
640a93c5620f0d8951ba401f169a62dfa0ef10b0

SHA256
f7947e9d9492f8414a18dbbc64d9ce93c25e6c30a39c0e0124710c8510887cd0

SHA512
854b973c736c15f7da36132eed1fb54d6fc7392a111dae15145a11094721769dad74d39545c479e5ceb1b4595efc76004795a43a85dc7be5a7a7347091b089f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2af9a1428f7db9a15bed3d8e8f85b352

SHA1
288f9804388d73c76b859ecbe45683c8ed048848

SHA256
d5d3f2ed5a58494027e99f91f28c91ccd4cb27a8f15d3c9941d9ae6171eb55af

SHA512
41f965985d99b9bae4d20fe0919dc1576cd4b81f143208d1aa87592f9a7bcc4a29d5412a568dc38538fee3bd61d7e70fe93a993e66a08c40d0642732a3c1b1f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1f5e5c9453513a9d75facc6335bbc0fd

SHA1
d740a4101fb206650b36cfba385ac7ed8903736a

SHA256
13601a145852be08b37b1a4a93ec3ac4f84dbc270b3a52d4eeb50adc6357e005

SHA512
8a320aba8186cba8d24a6174f90f31e55c60d9781456d939f6c389d48d5b719272274aa74287a4ad4c21521413521a8f0e472170e89d6bd026e8d5cee79267cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ac996eefb9e2f3b6232ed43652f43440

SHA1
9a441f0980f5d92ce7171c0e7f6995c40bf2a49f

SHA256
9416f109381d06d552a67084bc2193d80d9f8a406d555f354fc62b285bbbd4a1

SHA512
b7822a9410c72816492e728bb60f7a7594563a5b0a3a702840b51bc525089be43467adf6467dbcfe9c8b8aaab4a8b040f9b58f50d64d2ecd24a988b7013fbc59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cb2477f3363900bb82dab86946477d6e

SHA1
a588bf8b33a559cf2a9302ab8e4a647b130d566a

SHA256
c7539d7c63ab550584e7ac2e3c25ccd30444df63baa7e8a935d955796de948a5

SHA512
752fd2e925a5bb2aacf5150c6fde8a1a06d89ff4b39818bdaaf10b8a440ab2941ebbfe786b13b84683f772e4b79490e55c0fdba52c7eed071bd08a1004ae8c6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0c95ba77f7b6863c09c9f725b879dc36

SHA1
dd6c9d002f71c249f6031293ef8900186c6e6a2f

SHA256
c575163b10f1b4b2d2e48b5d033bb530cedfb419677df9d348001e7675163c40

SHA512
fece7bfc9d6178b212720d5c9b70cc2c1e5df11c0cde84453cbede3ab847fba70250b6e44f52270f61464e61ea2d2eaed3bd3d52fce372abed302658314f46c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
83ce24b86e5880ef93796fc58effb00d

SHA1
a2b3a9860a7f4a28de1edce5a0ee2ae0e567569b

SHA256
6aa286e9aaaf7cc9f43b7dc6d874d9d9cc8ec967131df521f1b9643c328e40de

SHA512
281b0031d2a0a4c20b1fd915a490129842e8229eca4ecc9d8bc5014af20f31194632ec873e6f66437daea61afe0fb50331a8464f9de49b459d6a5915d018bdc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
07d275a94ce1836e477a865a06327745

SHA1
bdbbdb87e338fd1dcfa6f9eb22ea9b8a1ae504ea

SHA256
0aa04abc4f1e5cf5da58a0169711f2bbaaa65fb2fa242b3b77112636bdfac5e6

SHA512
d87ec125fcf44eab8aef9911571684a0970cdaf7f2471dcf435760f8dd6f9369cd6668f623956a64308fa9a5e897449beab61c25797399834f6edf311d0de839

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
3078b85ea5ed4c6017ace38823c656dd

SHA1
3231263d2b335159b29671be7d4b924bb08f55d8

SHA256
bb462be0b498e68c646edda5faf294f1b5ac6f17e712869f9e76fd98c138707e

SHA512
d6b2d89998175436dc391e0cbaf70b8ac1a8a5ac3670e947f3d119afd5799630e98112e2a9c4713c5a0cff7de993d5f87ed88c606ccd050e7b2691c1f9ffa2b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
fb66b4bec398fdaddc3a0c3a4ae9398a

SHA1
6507d068df0372b07650fd02332a7fd40ef1b906

SHA256
1766899f701507d0a12eaebf28e4733bd098164715ead18decbf43d1b5bc75a7

SHA512
2121647d635070723c27a1db9cc136bfba1e77ab0eb497243a0b21061b76a831a076d14eb793bfcfd8c603c44fb4123384ffc2b57b745d4207a0376f5e639422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
b08876986ff6fbd9020db8390794238f

SHA1
f509054aea609375512b010999c2d6ff45e16478

SHA256
ab0634c337800c749f435624c20900b7e37740811daf3b454e6bb86facb17ed2

SHA512
423c0e609935a2c35ee6a3126a32b4c2ad83ae469f384287c564731b2c2ec4fbec70213b3863d347eef65a23ba55624e002d36767e0c91669aacc0e316f72312

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
558de827b4889e33190bde939ead6fe6

SHA1
e69f684024054bd81680d5f693bf0c0ad655ca60

SHA256
93ff788df8dd45c3371f1ba71e62e0a960e9286f8c77ca5e9ec55080ae08d31c

SHA512
4410de6cb2026305d7c0beba1c5523b98481f0d6e0aa02c6429a39c6e3101130e59f04b100980ec60d7b92d2a3d2aeda542621bd87a74d41c71250d10e758b0b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
40c757b0e5695f3bd32d43ef6a6e51d0

SHA1
98b07e60db8a53282a1a4857ed7c0849571bfeb4

SHA256
8f4644445d8fe2582ac4497ee8be042993d690171fb2f633232f00100d1dd3e3

SHA512
8997b5a164051989a2a2df2737a03ea3e08a58411cb39bcd5b424c1e2e3ddbdf8ccb39ba67dec8945184843c4d439abba660805fcbc3e1c1b73e188deb6dff5d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1b3107e75d1b3615b7f2d52c874248c1

SHA1
efde9405b80c53f8289b80a78089999cf83e0fc7

SHA256
b16686bffd2b932b7d319a40f415cc662cd2d9c6edfafbd85ae8d1db09dd871a

SHA512
ec3e0e47c67ec3265f8fefedaead881195904de8fa833e2072585ecbd1cca6a397958f299db6e9586e69395b9de1ae550e0feb552cb42b48cd63864eb753b1da

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
92c60196e05797a083cec3b4a7d2c8b2

SHA1
af218af22fda80482a7e4f276b3ca5bfca6b5b27

SHA256
552314d44bf01664f79726ce6ec811183dbf990f2a9885e484a7af2f50b09472

SHA512
9da9e9222bc6ccd34462e41b1b476569f0ddb23f6796e38075e653977648b864145c3ae4e0a597a6f8581dbaba8cda8721fb8c3d65893f7ce4fb28cfccbc16a7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
811a523981c1f5f1c5bf849b20a2cc7c

SHA1
ebb503a3f5a7e0b1f6a8e7655bd913f9452b7056

SHA256
07884d4c43d05e15b6c7bf00ae424cfbf5b41f8df28cfa92ffcf7b0dab588abd

SHA512
84f69d6e4e0aea120777219b9c18fd4bac4a0e510ec6366b0f5a388b9ebab58656eec6e03dbc927b83b61f9f85e2028e2c07be963a524319425b7beb03612972

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
678d43a0685312873e2648a44756a0fc

SHA1
44431f8e1af51d56e33618e330d57de05a13b64f

SHA256
4d28fa9a56193cb91b6b4d80bb91790151e591d919157b59ff6fa2a7e4dd7c85

SHA512
83bcd48c519d8d6f918470b887f891d3a126f8df9921b719e234b8fd6d0705abfae50ffb7947fd953ae94aae4c0a17ab856a10f54f828a346cad5bca2cba165c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ae491d342b1cd5a9f8fe3532f23d2ed7

SHA1
315907244a7ba9f7bdc1528fe0e321ecdaa210a4

SHA256
87fe4eafd8254c05d9487d13e9c267b452dfec165851505d40a844125159de27

SHA512
de7f5597c5ee7dee3f19dc4f569ceedcf9d8f4f9493f49f0992f639890a73b96a6fe64ca28afae0fbf5ea31b0bfef25772a7c2ddbdc0c66eb48a84a832d77b2f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0ed770ed9daec262a077cff2e98115e2

SHA1
7e458f367e156fa141c006cbc8dbc2d1d2e42662

SHA256
2fbea110b8f14a9f6a53aa7a79d71ed83c9d4ae2ed2d8b03bd2a5da7acfc18ba

SHA512
89ca0a756634f196350b07d340979d2944f3864588a6f416a064df83a3f68bbc8413a1f3c32f4b903219de22c2be25ae14ee065a833db81e4c8f77165ed744e7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3274bf2def20fa317576fbef0280a856

SHA1
89fa663373f01b01b49f915b2c7970f7969d1373

SHA256
73dbf733bdf2c43f99633ea3d7d5f2e9f5d883fa1b0854c8d069c918da1146a4

SHA512
4774d1c1990b6d0c4ead70abd7e0dff2cd0c315dcacd244048fa84a8c5681b54be6b0aeb58267a94d7db549b6a776c22fa81f5f1b702ee253ff9d99872324e79

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5d8cbc7cb5782c0f76dafab133bc8698

SHA1
f4c9b75428b8b1afb49bcbf242f517bf218d339e

SHA256
bb657f62a664a853fe4231ccefbf1f22bad24e29e67cfa433fe6560328a5a6d3

SHA512
11a95a260d3f6234278562a709dae40ae38446ac399e12512039a3156cad57630a26fbf19395596cafe4ab1177162ec9b59aeaa839f94bb6bad17a1cc6869046

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
452cf28ff67e2b7a028278ffce7d37ad

SHA1
85b42094c5aa6bb90aee2cc5b2a75926a1afec0b

SHA256
9c6c825be6c23d4da239cd7735f25ba3a8fa189b2f1ab9d5825d7678129bf0ef

SHA512
779f4131366ca0320de55cd5a17fbbfaeb440e62cab5606a1d0e01507e727d55b2f6c988f8bbde19eb2d7ca6b289b70a442b6dbc23aa727009ae0fbadeadd306

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fb0cc78550258fdaf8b1f4184ed85cd7

SHA1
15ce96bd574a1723bae1e79704426df0af3f9823

SHA256
6494a7a520389f67a4e12186684505f056cb1073ffcd1a49ebb96069142a391a

SHA512
20cd72585ff4d9c5f4bdc9316c0c192b72d3fb3fc04e83a6565e07dcf84c248292b177942fd7999f4c8aff08dc6093b210ff58e9f6863980d57dc43d8da1d7ad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
64f0ec5592a4af29a925e8a9c822c61c

SHA1
71b838d5256ec6a6f4fcb46bee3fc0c693397f31

SHA256
5dfe8c97ea57e16e705ea4361c5c1298c69199966237e33ff71d678481eacb0f

SHA512
c70479638f463f4803911ed55bafe0aa6a27c25cbb34205c824651ac2077ea31e0d238b64b61f03d1a08f0866a5c9ac0830c47e5f1b0c2b4e0f5545475a76249

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e6ef5258c0a718082c3e84efc72e2c42

SHA1
39f8ec0331e39656d73cec8df579b5fd3b5fdeaf

SHA256
791f453e0ee78762c1c169069e5c97a9345b9eb8ab5ec31cf55ad0b0cbf5b4aa

SHA512
2861a5c5f179d672e76298a4cd7e9ba2e15304b1a08ba3735d47ad2eecd611b1f96889a61edf3dfa9b02205c45e8128034b21177e98e3cd2a2aff8386e69e778

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
becfd999a59592cec6ca1d23464b295a

SHA1
32161e2a4dc77d6eb23905abb70d5d483c1bbaa8

SHA256
1d0f7ada7720ad398c37f847718808fe3ac7df47cb51c0f73429c0b73f22e6cc

SHA512
5f947d87bd0b0f2454ba3f7498c997e85169936e4a15ba470ffc28c423155297e6d2bc360d3735c9149388ec378a1611747224daeb01bf5bb5c067e934c1e581

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ff0d2950ae7dbe8d66320da1a2cab148

SHA1
daa6aec7f88a3f09ec008a98bc3f13bbe51a93cd

SHA256
f3b3f6c69f5993522d28d1f635d9f148040aa47da2ff7e3c8254158be7f44b63

SHA512
e0d187decdb2d99b07b40790cf42307937bba2c19d33839dd97dd9f0c26626ea3ae47f146027eb99c0f67dc67727cc6ebff47ea6b0a357c78813f6103c5305e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4964e95d41eea47eeb4d6acb7de3375b

SHA1
9772c0ae8e9a75550e320d1404a95a56208fdd89

SHA256
c6b8c5bcfa335bf4e0d6ef4e0e14a454c5aedc2e885c1d9c43198c4d1617d2f0

SHA512
774cb80653cb26a1d6fbe8267d4f2afeee58e2909e60066442098a69875331efbbe53c85e71cda70455f788636172b3cadb61903a80e9a38326305f084159da7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ca86d5b029f7a1ad4677020d0b7bd65e

SHA1
62c600e1dc8c376087c7d008d5f28495bbdd4fea

SHA256
80485fc12132004f59998c3ea9525d3b91bb641fe990503f33d182f061ecc2b6

SHA512
a328585f4b415a440a1f7df1a3d97a519600c1e4f6a882143e53d20ba997026f48505dc2bb9decd0edc1403ebf30d24dfc783943317ce8ae19d04ddb9385a250

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
19c501b27f2ce5e67ce34bc9eb7a0bb0

SHA1
1d4fc0ed0d387caf0d40bbfefe914a319ce2902a

SHA256
447774d596efd5ec60a4158b3a2b8e3d4d2e3d083df5f387290a70f57029ccca

SHA512
f8388e6ee079c8b7a3981a93b4860d714cc5e4b89f0bfe62ca1b56021ac612a9e241ff7a5c45e2e5b8feb4d8cdfbc02ee23f9a619b514c56312b79bd66c4e3f7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cb9a207360770e2d831ec6b894649da3

SHA1
5cb0873cd9aa7b65ea900accdf287465dba94094

SHA256
d60dd41baf57f8800060978904c4fdae65d1866747d52ad9dfe7ba6ee06e0aa2

SHA512
981ae0f044224569deaee15ab6b764b2bb16f868246beb301f434d48190ec4ced7e763a6cace7bba26e5d407794765348d219f8e35a9e1333cf6125f1b2e3224

Download Submit
memory/404-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/404-675-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1172-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1172-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1172-256-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1216-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1216-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1332-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1332-406-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1524-664-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1524-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1676-11-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1676-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1676-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1676-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1904-26-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1904-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1904-6-0x00000000020B0000-0x0000000002117000-memory.dmp

Filesize
412KB

Download
memory/1904-1-0x00000000020B0000-0x0000000002117000-memory.dmp

Filesize
412KB

Download
memory/2064-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2064-356-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2064-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2064-251-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2548-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2548-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3660-382-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3660-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3668-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3668-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3668-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3740-663-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4076-54-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4076-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4076-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4076-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4076-76-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4252-662-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4252-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4264-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4264-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4264-71-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4264-65-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4460-674-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4460-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4544-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-667-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4544-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-293-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4692-394-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4736-673-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4736-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4908-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4908-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5028-38-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/5028-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5028-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5028-29-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/5052-668-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5052-357-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5084-671-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5084-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download