ec52b11eb16afee1c402b3eb1b8ae9f7066ba5bd8e0cec0460f995f5ba31fa07

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6286f0f59a27c89f66731104ff31ad70_NeikiAnalytics.exe
Size

626KB
MD5

6286f0f59a27c89f66731104ff31ad70
SHA1

7e0877a38bf33840569b03eaa26a05c4b0d85499
SHA256

ec52b11eb16afee1c402b3eb1b8ae9f7066ba5bd8e0cec0460f995f5ba31fa07
SHA512

12d614d10f7964a626032c5dd601dde3a371b735dcd943f86a8270fd7536b0b3d899ef9c65602969bcf427c19017e319f94936eac8ec8665bec5c0ff572f8111
SSDEEP

12288:vImdHqQ6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:vndqQ6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3620	alg.exe
4728	elevation_service.exe
1564	elevation_service.exe
1316	maintenanceservice.exe
1580	OSE.EXE
1284	DiagnosticsHub.StandardCollector.Service.exe
4468	fxssvc.exe
3936	msdtc.exe
2044	PerceptionSimulationService.exe
976	perfhost.exe
4292	locator.exe
4748	SensorDataService.exe
380	snmptrap.exe
1852	spectrum.exe
3060	ssh-agent.exe
4860	TieringEngineService.exe
1188	AgentService.exe
3636	vds.exe
4468	vssvc.exe
1744	wbengine.exe
2936	WmiApSrv.exe
4884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	6286f0f59a27c89f66731104ff31ad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\268ce4f2c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e298e80a1ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007adfb00b1ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000733430b1ba4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d857690b1ba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a39c70a1ba4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fdccf0b1ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e136e60a1ba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7095b0b1ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4728	elevation_service.exe
4728	elevation_service.exe
4728	elevation_service.exe
4728	elevation_service.exe
4728	elevation_service.exe
4728	elevation_service.exe
4728	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4072	6286f0f59a27c89f66731104ff31ad70_NeikiAnalytics.exe
Token: SeDebugPrivilege	3620	alg.exe
Token: SeDebugPrivilege	3620	alg.exe
Token: SeDebugPrivilege	3620	alg.exe
Token: SeTakeOwnershipPrivilege	4728	elevation_service.exe
Token: SeAuditPrivilege	4468	fxssvc.exe
Token: SeRestorePrivilege	4860	TieringEngineService.exe
Token: SeManageVolumePrivilege	4860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1188	AgentService.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe
Token: SeBackupPrivilege	1744	wbengine.exe
Token: SeRestorePrivilege	1744	wbengine.exe
Token: SeSecurityPrivilege	1744	wbengine.exe
Token: 33	4884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeDebugPrivilege	4728	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1484	4884	SearchIndexer.exe	125
PID 4884 wrote to memory of 1484	4884	SearchIndexer.exe	125
PID 4884 wrote to memory of 2872	4884	SearchIndexer.exe	126
PID 4884 wrote to memory of 2872	4884	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6286f0f59a27c89f66731104ff31ad70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6286f0f59a27c89f66731104ff31ad70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:1316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4204

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1484
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
bee30396cff558cd54456cc4df6f1a8e

SHA1
c2451860f894d5f8a50f9ad94929d341702e593c

SHA256
81c235dc4e6c549b8abb8baa413189d72ca1db40b531880b7097597218b6342c

SHA512
b6a400422bffb48d29a7aa3afa4edf474d772757797bb800b63ebc4c1d800ef3ed184221c48fbd21a17c9aaa8cc119f9565621dc63af91547594053b1a4f932e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
835e09ef8794dd01708dffb5722c2f5c

SHA1
a89e62d8b4bade0887703928b0227a12962597f6

SHA256
f80cf9391c8544f856332af23144b5b825aedd0c57f8b1f85420119a726edf3e

SHA512
3bdb056ff21eda743d2f19d1ba803235a26b4fc678de79338ddaad7fd2f57bd251d9e304bd01f34e33d073545ff4f50540c7491698f376341d2c8dd9a5dc13e9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
28d64e24785af5260d87fd4084f8e6cf

SHA1
c08fe37f415c7d81147bc4303e87900d9a5e8e50

SHA256
baa44d80158b3f8b0ae71df129634e0e180fcdd62a26fb0eec0a66f26a63d945

SHA512
b1523b7431dad105e8eb2bc607f0874fb680181f8f7e29880ef154ac8558a89005c56f87ec1c16584a2d55ffbe523cef33b5bc21ee97abd200d2e2402be60106

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
305628ec87ff623ea7e74f249928eaef

SHA1
6339d32fcb4954ed584938b57fda926b58799994

SHA256
98dac7f87e1ff77085755c70726187acce70cfa3c357334b306cfd97a15fb648

SHA512
36418e8e1a2b58e3cbfa5fe5d9a6064214c7989c6a6fcad7ddaab1d83eb32ac5950c8a5693cc5050b24ad44efd3751d4eac08069fbd46cd3719aab188b99578a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
890ab39751529d62a39baa4c6138cf66

SHA1
4e24948032d2f2dce62ab5cc34eacf83d81c7819

SHA256
e626d1a83682f4dd13a3d9954e63155aea76055f225b78bee54373a3b4dc4de0

SHA512
417ab3eb4ff1c33b2a89fa6d122eabbc94f1435f9ff751f9bf140da6a5a653efbf6ef1cc50b69b2ae10708711712d587cf52a193c8643533fe17e3840ac4e1eb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e9e881b6c6f4d9ce5a37d983663fbe3b

SHA1
35849583f4baf69e90942f7c56095b92fb303c2e

SHA256
5bfa49a98630ef3b47d40f403f4214ea12ea437564f3cadf6137f4880bb2c67a

SHA512
feda86b36eb9d76bacbe207e8bead9ad72f5ff6967c3ab35f6e052d532b75cbf5ad057f57a7b595ffbabdfd0735d428f097ffdb7f66ded1d1a985a6e55e070e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
12b419cf0785639ea89dd3677c6fc9d1

SHA1
d2d0f095eeab9f9822006c357fdd88f7dc985ac1

SHA256
247d81b2f4f217ef2e60efba97ea8bb8f06ea3a1b53c16845fe6a485b23d9673

SHA512
81b714c221dc95370d1c1534385fdbaa9d29b86a8e6ca4feac8f41f6bd7235e873d358a5f81c6e302174b1a9bb8c334a6668122393119ebbad35eaefffede30d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7cb93988be8c0c98e9e86a107df8ece

SHA1
047bec5c0b99cd3a7b186f0de8dfb4c0d1d06461

SHA256
e3bc75f409b7febc9e01932422b73f764d9f26927d248731f7908cc5fcc22bc1

SHA512
d1494dc4c3c4fe1b50967db69a2ed9cf4616f1cb847b396d671da64282a76dfa20b1ef880f21cb6030f3c1cccc58c896efbcd0ffae002ca188875a41378c5458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
52c3490ff9102602115e1ab7012b10a2

SHA1
4eaad7e4d911d2da811c3df7716b938499abe044

SHA256
2d17295ac0f149e816d9b1fb5828fa92d0eb2b335c9f2a2205559c1277add2d5

SHA512
4696eb6ec349a4755d12bc6c780e198e7b3a19c042173c0976b65c2d25698dd0d17c3e63f66d00727bd01ea333f64deedbcf7fcf044df2d20e55fc0586171b19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
487dd44cc80cda8affedfa976befea30

SHA1
56112c4ec7c4bc17e9218556aa321b6469ded2d3

SHA256
15597874cdf48b990665bb091651f6b230e939536a58834a1b35927b5ebf399d

SHA512
1fcded1f329f9ede5f9b185df64d160914423f187e8e2c957f9007ff039d5d60a4e083a008eaa14ead29ca3603466ba3c8dbec8fc8c6423537524eef40264f9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
554cf730dea31e02b6944903c193b52a

SHA1
58c5e10ae5abbb8dd4144fefe02f2afc74f14821

SHA256
cb5230d49c5c5f895b8c771be6c207b31356a835cab74fb1a5e3dab3e8909288

SHA512
8880b0fde34d3af2a2b17f7250e614b7459950d36b4bdf7b791d138dc3a9fa27e29a929ca4569107b885332cb3ca5acf50985e7167049409fc59629d6101035e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5498aa5612d2696a0b2ce1318770bd5f

SHA1
a88bc6f5011decbd12943be96f7aa8b376c2448c

SHA256
514ebf381f8e51d54456c58e39a0e59f4ba228303c5e2382084876912f36bf44

SHA512
c1223a91421593c66497b5fe2f4d3b3ad9f1883b891cbb384f887880c86fb5171b1785bf487bd83b99ab774c3a6c024f1fde7b5fd4e030ee9b8648e48a01d8b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5ba4b385b705bd9734ce4095f4ae3011

SHA1
3f4ecd090d2fa80175e94da2d06c1b8bc0760420

SHA256
184500b2ac36cdffb95817a66d89be5f63662ab472cd1ca693a754d381b632c5

SHA512
b7b636fef1060ffdbac3785e95b67e00011a9306b01df93feeb171183d27fc2672b1afa0393b6b6423a2bff30b90f9b7fa94116966391255eb8b9f50baad87c9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
37f1e65cf58ea7f8031f77e25f8e5013

SHA1
e95b636b81243633d0cb2927021918f6aeb4c5c6

SHA256
d9c70f41cedbe6e25ab4cd3901212dabbd974eaf1f0aaf7fcd3691a19325bcd6

SHA512
41b1d3e63e131a468514cae6538f6dd5a807b93d78acdf223fd3619082571bc63e3e01677af6689855ffc5c465ac9c4deec94e71a7433f8dd03874f969aec482

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1250d0ef8c1b07a41a8b2b004506813c

SHA1
86c1fc00870a1c51b39f5ad61156a003eea84e26

SHA256
abcdd354c0b45d0cd1d5983ad78d0ae65320c1a740fce24c00c60af48f469586

SHA512
8551bd1bd647b640b1eb7694f24b10e266828c5f7a7bf77026b830b766a01236da3a57b361e10a70bfcb2cdc7a03dd73dad0349430dbd68932fcbcf6b9e45711

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
14247496dd3c9ac9340492441b2905c7

SHA1
e3f36b7039b81ee32ad086a65417a521a9024815

SHA256
0bcd01f8f16794ce001348fb901b763d19a6a6e0b3a86ec18ae90116116e7f1e

SHA512
b86944b2b741c0f33782439bdb1d3e5f874da4549a0b724d51fa89a1ab29a441cb5981227257411578add7bd653b66acb2b7e839f4f30b052ee3abf0b0c4ff76

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4587d22fa2c3703a74186316d9838c7e

SHA1
8643c81900f4ee59db60319fbb537ad4b7c49be2

SHA256
d69ca7e1218ef28687f7d3e7248d2d48c975bdcb92a176ea6eb1a8e4c650e3d0

SHA512
9102363bc66b4ce406a5009b006b63bba21ed3124224d9396679dfba678a1d41ab21f9fab6ab5b1f5f4298784de365c65435a0bbf4487ab41223a3365a7b385a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e6858e575b6f6f77738ac01b7da36ba6

SHA1
16dbdc06273f7f7dd9aa39bb1d9f69f783d354ea

SHA256
d9e9f33564f3dc5db2240a01b412e463972d8f8992fd072516f9262e1829d314

SHA512
e6ab82827d40e28624ad5eba31764f3acc6fc1f9c95ce13b497c23dbabb0742984874149fe67e3e8fd9f3ed6a88834393d4506722b0d217b185a34d50a2fd2db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4a987cbb5a03089002b1395ed4334fb7

SHA1
de9b8b3b26eeada8e98241dd9d8f2b9975e8556b

SHA256
ee173de35369e9569f9c9d26ae4a33e595ef32622566e7cf93648e50a82facd4

SHA512
7fc7dc5e9cd715000c031519f3032c5694ba1271a56e6419b81ae9c607a92dda00e91b3994ff6b95fd205906173a340f04183cb0a08605c6812a7766e7960f05

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
19ea948a457eb413aa5764f98973d913

SHA1
af54cd7e8fd068da296a8b60b9cfa497fbc42e67

SHA256
c7963a022b70ed6f27e6c9b8b35e1479f6975a89fca2a320d2d9292788f27ff2

SHA512
508ca1bb4508373c34a65d6f22fb7e9c8ee7082931e6d8f21e82eabf5f55688cc0f7fd0f34413a7231903d9975fced3c0e179c79e8c8f503999467ac4c66a69e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f7996586d4c3d17f517ca478235163c5

SHA1
c56f9240c7628ed9ca07b6cf9cc8ea966f7cdfd9

SHA256
f39050c42025e87accca83b010b65ca022dae8711c03ff9047ca99465cf41f69

SHA512
458bcfea4cc2c4a87d06e56ebf4a5b7c88bde249a8b4f5e16b194aecb2dec7380f16644347751d214a81db8dc3275bbab2db0d1a96a28b338486d2ea4de39f5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d499aa0fe5042123050007a15697aca8

SHA1
f135158356d7de9d26c94c676a2bcf427500cc5a

SHA256
55fc66aaceba4948ce8dbb7cec278e5816520377e41891867431b209ce341566

SHA512
dd79f91b0c119daf6e46029b2e3a4e7b538030307cce0690d1b9b678335bb24838cb285d8ab8011f92c28afa2eab6b9f6d519d2b4c9dd8809c7deca5128ce8be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
674a2093484eb5c3c61407ec61ec729b

SHA1
b19efa541938ba10585c4a4689ccd1c114bd6b9f

SHA256
e1ecf9a1671898720ec0a9e2e62a0e89a7e0d8a025a1e3dbf1730cc20c41e145

SHA512
17f3b4d781d440e2532faa565496dd08b1a3a7949834e58ee91e3ce09e28ca570388c94f6273a6b212b779347fbf100091929eadc1b98bbc8e618cada112be33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9b39eb3a17cacea243999f1764584e7f

SHA1
e3bca3da0c2163d0125c23e029da2cbfd3cab720

SHA256
7da3959d903284c08f23fa33706efdd0dd858cb4f6c7d7f7f123f964994de746

SHA512
653ac3c8012622ec5c214f543c8695f4de5fc718f1541f534fd48e926e44b897a3ca565ba285e7e5798c4417fa259e817f0d5dc676137f9b21729a53381da51a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a502de468fd2f04549a4b1d377cc6f05

SHA1
c67b4a6cdaea55b034d3b8425520e8aff0bf0aa8

SHA256
068b3a406649672ad5e52d87bb5143c60e20816a27f5d987e6ff21f362d03620

SHA512
5735dc0b56cc87f2f16cb6e36e2d87063eb99cbed519cfc5c925046c6a6a57ec957528cbe2b39be3559ddf01658dd38177891ca549ea4dda8bd79ef9de0677e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
65756030f93ba9884f9da7bafa6d8161

SHA1
e87f7afa1543863392084a7da9cdf3364fe05d8c

SHA256
af318479f91530d739d34e8e44cb98630cbeeb961794289f5bb9269abe680e87

SHA512
221186602eb50c6a5ccfd21f48669486cc95d5053785f2983d25e2b69cf5338cc479c1e70fc908c988bf09522a0c8b811be00d9308685f86ee1dd38b677d2bf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c54c3b7e52d3ee5e47fd942d0d1979bd

SHA1
2798dd0febef2b01ff33ae4f14d6aaa3089d0b30

SHA256
6e12b26982d66fad9d30a25cf00003e415748fc8d6ba46ed7c9a20d61bd0fdb7

SHA512
de4bd88e81123506deccc49ca63a45ebda56f991deadd50d675d4173643d63d81617a57da9729f624ae3010cde896c9c1bb858e5e57072fda08403c466b724ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a5278220dbdcb0203618422df91d2cf

SHA1
503cde1105264cc89b95f407d36c3159e9a14894

SHA256
c9ea91f88ed71ae8a622bd8b6eabf848e2c9e5e97856929805f33d67eb8b986d

SHA512
53cf3954e74d39e03c3c0366e5d369578083aa3b7bf1ff0211b93074e558d735eeae2dcfa2f9087e90d39cd235a16c14b07fc42da4bd999bb6a17b61a42c738a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
965de7510105a47ff3826881bb108b71

SHA1
392e6d6f1588fce36c3185a118b61f39b3e5d1d5

SHA256
a638a6b7825bf9dde546d8a2ff85e58d3c1254ec126d5f88895aee246d184539

SHA512
4b7c0c1b77cdbe385a71372c5953cb88cb49179dd43cacb58f28f6ed6ccd8591888b95fbffaa43eeb63a5de8180cfc4240f51c5c1a75a591dc2beb88e225321c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d89cca84b46c948829ba7c72af21a9a1

SHA1
2af15f2817a63f40cb6ed57ac5393cb0025fddb4

SHA256
789fc0d92971934ad2539b2d6cefedadc3bbc1b71e309800692fb6048cfa1b50

SHA512
3c58a0c334da88e113f968cd4c87256337a362d2b21cf794eefef136358c6f9efeb5fe0340014d38468bf01ce30fa77c68ba86acfe0452b5d63c7fd80bf16e57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bce89c3582f0fefee9b20b1b36fe93f6

SHA1
2e4ee331b6d05e5ede6d4700377c5249e7cd93dc

SHA256
5a0d2dc796a72b00bd7d2815931d87ed2ed1d06a9199b29c571aa242c06687c2

SHA512
729c48a9a2e1bd0be5ce0a120868f9fb449dc9427ece321aa27c6cfaa6e01745565f22aae4b88eabde3a30fd56193283ccfaf67bc1bec2b87c150c30f7db3222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
03537ac1415a25c0df4eebf7f82cdb9f

SHA1
273c2ac6b7fe6a40aede05b04c73632e68bfe359

SHA256
2bc99f75734283d610def24e38b987fe79ab829e2bec55b383a513e36762ca0d

SHA512
2f817d99c7689e816ad03f0d491d466126a8e50b54ad3bd7c972a0a67520484d677959a7b27cf2d9b9c6368609c1fcd864cacc4d1390baab131b497c3859dd0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
af70930f8077437a9c0f73e3fcff730e

SHA1
f1ebfdcba70602813e44d4c2d2e424cb936199a4

SHA256
48b1512bfe91b808d53bdd28b3e480f0400ba3424ff71e74d3def89c941252d9

SHA512
09dd2662f5299a4fbe129fa1c1e29be3e9bcbd3f7d32433c97d2a6016f0a8fd091190f322e221f41a6ab8a05e85729d38484b4aa874cc5b5b2ab5172cf9cf496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
867dc5267f6a40ee19e46ac13aaa6bd9

SHA1
ff21c1d27e62dd0c2a2ca9905ab86849df788542

SHA256
2634328f2bf8b0ab1b02c4074ac67b01592b76ddfa7cfb3bcf40ca1c91a3d1a0

SHA512
a0dcb3532694b889758c2b9899e93661222845adfb0e36c5c10fe4e3ef85091f7341c115ffa0916ebd33b45ea3c72408449bbaa91a3e20033e7e77d0932bae22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4fd89f4657f1215fc6f318065ef6ec5e

SHA1
f697059d7bef6d9dc1464015876230b07a451860

SHA256
bcf00076e82b678297558451bbda184c65949a2d6497cdadf25a80a2b03cdce2

SHA512
0203df12f29e4053bcfbe6e2dcdeb8ce3d2a06b34d4db551e986363b07011451b1d41060b03e3e2af56b52ccc1fc62f8462aa28a62622babff7a76117893aaf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
32a5797b9f50e1ae7ca83e9c7ac1473b

SHA1
c165577546e67bc666166c8cc2bd5ccdfe6e6cfc

SHA256
d486d6ca4cea0e4ef838480a496b6de552eec7a55f66484b023e7a9d39ba9ddc

SHA512
e62b85d23f1c162b3b9b3bc66cb7065b928016c198b5360da6d10793ac6f908ff342131b689b3b2f34710da9af5ea61ade790b2c646dfdf2804bb760984223e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f45a800a0b63cf37a97463db0c37c438

SHA1
af581de6eae790f60d749edefd0469889ca248ee

SHA256
faab8429eb44c5026e14a85a9d1969e8894116bcd0e9b22d8c206af0d3420880

SHA512
55d3daf51bf9dfe6840814d4ffd7339704b3f42bb8be6afa46492451fbd7ea259ba2688632418c84b6d6923c1f50fa1aa6a35d871e971b27f02a64eb3c5c11a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f871d3f1c71bd4521b784e583b7f4fbc

SHA1
2fed85314f4626053363a45a7bc1f4d98a334087

SHA256
337098e467cdc02fea0673e15e753f998ff911d59f3ee8478f759e40b227558d

SHA512
50e486e696dbcdb3a6a5bb1280d0c3575c13e266cc84be52d16ba781f36d7ce3f43ed6d5aabb67c6cc14911b4ee0d5c5a0043125ed8667fde6514aa4704b3f05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
dee50e324c6b35eb3ee23778173a25ef

SHA1
dc38b2cb59360d223e6e6a46f0062983b898c337

SHA256
a6817d492d3a5a8f94ba2cddffb47c0a9510830497eead4cc6fa87d4f298f103

SHA512
82ab5f85de11cd5d1fb6808dc4b35f70de03122c6393e5cb5309391ca84084df3112da362fa569cfbe53e58029c7f3918dc53a04656f6307d5b5b608e3c862f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0336d999d7132c9685d3beef78ce86e0

SHA1
ca284f6b9418161f12e79ef750492de28163e7a6

SHA256
8a6f3932892500db67faf805bdeb77f39db81fb36056b790803bfb97cf622205

SHA512
8b25984172a27a749efffa22a99e7f845281cac6e127de8f576c173cce22ba5de9d286d12ad743a1a4eccc6b551153081b352f783a5e1211ff4365465f7e6458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
09a3e6df551318af759c3531fcc6e62e

SHA1
bb66c78b87f4b85c7e0b6248c98b051dbe2b20b6

SHA256
b9549787aa08f28c807dc53b9673cad22fde3ce7ba3d0db2ba20a24753058245

SHA512
11ba82a93d4a7df900942fcbf87c8ca39808814076599bf2561ef5d2990d2882c95e39182e5f90b3a8af24aacb0d65e071f83a3802fcacbba3a7b6f6247a1288

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
d23c9ebe791438aa4fbbae3eb086fb8c

SHA1
5bd9061e6c080b246bbfc3b0029b9455424ed277

SHA256
8768211b47b366b6e60e74220b5fc6d6c36a8e4d1b1f60ed4cf693a36039ff9a

SHA512
b9cc248e0b8dbcb138133900823b15e3df5fd0c5c0fd875fff62ef7c3deccf6eebb9da5ad831445ad8175f33d1fc60b97418a872df49f7c200568d1ecf87a7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
dbf9c0a0c4d98b4c3b827578529ca4e3

SHA1
971af42dc0820c492a2af826a3c6e9ae1faabfe2

SHA256
5fff5461f864951f1ac1f7bcbe5c31b173ccd6b0e3ab3ef9b9e63cc1f168f095

SHA512
3be72ac5d3985d4a6eb32933575c4fb53035d6bea7c4e314410c10e51792c43a4f067b52064fab93b28137c5e619605d38360aad2031feae83ebab48cd86e4b4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
58b090c906ded8eecc1d38f007fb3529

SHA1
aa16983c78718861b8105ec3ea8128f972cd46fc

SHA256
e85962339afde5269f38458a2d41709d2240fcaec21706ce8950d2872c816ee4

SHA512
c6092b9946a170c032a1ba1b24821e3f5a115c443e161098dd28d0a841948f2b7f5ef42d39d79adb15e276970b9551d5516990a8647df82eea9dc11969761d39

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9e3196768557dc6c4776d18c9aac6f67

SHA1
035a6290ae9e4a9af7d73320204785ae2f758d9e

SHA256
f2e4cd942b3b4c1b888e15f9d3a9c4042ab435c1a2bb7e1d373aa589233c40c8

SHA512
d5fc4a4145951c1cecd29258f9f7930c224af14d90234bef596f4fd61112d551648421cb4356c45477bac87d5ec5649d86bf464ea44787c9216f294922313423

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b9a308955ce72661fdd151120162183

SHA1
be3afb9c8d1cd4239a69f20e8c5e895a3b780964

SHA256
643b4c8a4095a8577445594d4059be81bb25b1ddadb38f03eaec512246d308e4

SHA512
3301a91146fc1fa952ebf8050a845ea7701fb4338d8186c28d76036c2c29cfc80aa2baa0af9f69da046e93fac8ae0369e3e50ec1f9cefed960bc29043f3bfad3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2bbf88d919250315772c0befe9e07f28

SHA1
d9f4ca976ae3f345b3b9fdf20b2b7e48ac886d93

SHA256
a30acab88ce87a361b70d210e559e8b7d3b3f678586c99d6d9717bffb35ca188

SHA512
c126172fa4f07f4f13780bfdc0a01c035435335ec875a8ebe72f16ab2d3a41fa5e615062e0d5ab95d4c69b87af6fbfebf0b5b5ec3f601c154e0676b266cbfc4d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
31a60843ecede1be8ff1c42b3d5916e4

SHA1
6b42666bd8c9eb661affcea6183a2b4d8f217095

SHA256
a7adb5a44f9ef9322919ee153b560bf336171163211133fede7cf68ab910d9d6

SHA512
9785605fcd92541e113dd6beba7c856482adb80ac8857585261031ffb20373ec357179610088d6c6486beba54bd8fb7c486115479b17102dacfe289068fc370d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f1b2b5ee10d2102e36f32adaf5d798cd

SHA1
42ea8fa6f202b7a3e576982b902a4083a10c887a

SHA256
ef5e44ca71bccb667fda7caf867650340a85367800cbae879f23dfd94756cf64

SHA512
d8a73c59fb513eed70c5c63b63b32401df35115e1c84efb4850f743f8fd10907f0c14692ba408bb93d0a5c4ceb01e88a97077153de83b17689d80b08773bc571

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
60751776bd101d1f076bd11b4b1190d4

SHA1
366ec29e859e130f990a98d332894c2bec07ff4f

SHA256
e79923e55501bbb0c26e58e25e17b93a5fe51f635a653ffaf07ebf19bce074db

SHA512
97d1b11fb46ef84e82cb0ac4db94cc63340ec5f50a58a1f8551eb57339d39b0298713a9c9331045daf38027c1b5983026a98362fb606f748b7a3a7c361bf185d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
aaeb5ea40a8c55e868d9d23d9a9a6f99

SHA1
1e2072fd67e09425eebd92ecff0417bab728df33

SHA256
7a5f0cb4fc153867cdf33d3b973a9ebe6ab7c3d526aaae1e11d6979b9f2338d6

SHA512
bee7da8f1b1796b16b22a1df72978d0acb94b042539d19083ffce81b2768ab5a5d9d305ea2fefd5dda3f646955723cd69922839b94edbc0045e492d2a811f5aa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e2feadb5a3c0a3466fd1eb9526b6486b

SHA1
84c22f9bd680b696b1abc8ac4e75c8ada4170a24

SHA256
22d40283cc523d09a6d2ce66baf1a8c63d6fdceb1f9fd995e3ae93b8c61cd59f

SHA512
d1fdb894958605f4252816b3e293717a34bff74f35b9ae9b37426e65672f9a9d29e9ea008b56a62a88c412a326ad5fb8c1c25dfaaef57896eaf4ab0cdc5df38e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
80cc342ec3fa6eece4b37dd6c6c4b123

SHA1
c79889d507c7201255fc0430f99eda4176b904c4

SHA256
98db8f5b01efbe3001e803f5802ae8d594dfef775ee7ec29db794b62da3449ae

SHA512
f83a07f465c0e25a5e8c67909e31a3593b6247bbc742937beb1394cb83bfe16ec779ceaac4ee4abf747679563ebe9fbc28b0dcfe98de4e93ca3871c5ed47dcef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1cc6183573500140557df4f40c5e6cfd

SHA1
fc124170b87cbb234e7f2dff603ceab6d931468c

SHA256
ea768eeff3dade18c664438cfe8041813a84547a3b5cc1dfb51ff83ea545600d

SHA512
ee99a85a5e16835ccf55a3963f1b59a1e3ed0075cbbcabe9ccc72045529ae6120920c515948403654329212b99d3ff35e5475fb477c54e74c2a60d458c198045

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
76f5b9e85d087839b7a2af7ab571931d

SHA1
bf7d6b6f0b35abbc9d392c34c0ff13bb8fe042dc

SHA256
4028ac70fe2f43e92a7767d4e33cc733001ed95956c176cc3bb5433da792b624

SHA512
83d65495b9a24b8d982d89ad4564b6599a655292b953e813ed7cfc4aa226ee50fd94aa13abffc3480137f869c681ef27a89c5fa45d911e5b89fb0d23f6afa62d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
febf2fd690dd783cac0e5109d895ad82

SHA1
c85429d1d8181c8f270b55aa8840fb970defb396

SHA256
36dbd4b06ef9bf736fd1fad37fcee36d1ea31ad9ee5b1eab3aa75e90d35f7fd0

SHA512
f32a87c0936ff599732110c6f1ca6d625343f0dbdf2e0f1105fdcd8705286e216ed508ceef4d6951205a55855da4d1a23d81426ec004c204bad0281187669af0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ce8efd47d129d94c28fc16531604f2d2

SHA1
9444534adabe5cdf6a12e0112f749444f3380e5a

SHA256
e6d7f2c43ecdcf2a85965d952b03c1393f1eddc9c62e5eed227a92381c16e9c1

SHA512
c136ad21818db6f2570f30885df58a5b4e742f8b5add750bf95d097211f5477e64d936c3a0eb4878fe44c04e604d52c702bc49fe1d10249a325db88adfb70075

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c95290153b1c9943609f813d8c2490f2

SHA1
0cb2d23040360fa5c5187f89e86f96d50cadaad4

SHA256
b94c54e303af917b240b7e26fa4c14674e58459c09716bcdb29a92ca697c50e3

SHA512
2a0cee8c9b22b7b23f1bce8594ec27036a3f6f2712c4e1a53e6899ef871ab0e0b0e0e957ab60a4d0141cd4b87e62ad9df1331879edfd557168042e8d775a29fe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
26b6b6bca0ad27604ae1eb6b8411c880

SHA1
f24b183adde34cff6b0795bec92c37ee0d8bbec0

SHA256
b691d55951ba76f59b8a514ab0c815973e50e93f93e9d352e671138cf8f3dea9

SHA512
a91ff4c68e6c2f7b5f6cdba239401802554484a24eec0b6470a6b6d97757e640cd087a5c4d6f9f4fcb13f314bf8c25fbeb0bc45ddc5a53a95c44f45c7b13d68d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3d19a756d29309d3009cb0463df787e3

SHA1
d398f212ee65e6933ac0dfb22067c636b7a0c713

SHA256
7eac2cd59a0ce3bc911938678e1346b44bc3a2cf754c351c3bfff5f89b3ae781

SHA512
b55d096168a0ff819ea8dbf3bbbfa0cddf68b165b635b4671f65ac7ede934aa079e409b0cbd876447485345ac3bb2dbe714c23ec1a196f0ec818490fcc847989

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c4bcecbfab09052fd9524b5f52d2ee8c

SHA1
e5decda265a409bd5d245ad2606444b00706f568

SHA256
ae3881b47fc6b12deb8276c6d470b9e280862c5eb564678c9af340a704c7a866

SHA512
cd85a7affcdc6a670ba889ebba76a7acbe56937df7eaf8ed3f7285dcc115a42e072c6ce140b19df60c648aac9d661b04f0b934be23ea5af3cf4ebb5209ce7607

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b94f666ab47c71537b41f230811f8aec

SHA1
f9133abf78b49035e99ab645d8a929239a68299f

SHA256
5186dbf28262de84fe4b714dc9edb760e152b843d5a07c19cbbcf19770169890

SHA512
3f7fe0958e20a9c34779e45256666dc50bebe5889ae19aa42cd1af12bffe617de2e6ec5c7f101b257ab621b616f9cf62266ba4dc77af1bca120d7aa0617a75bc

Download Submit
memory/380-320-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/380-523-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/976-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/976-404-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1188-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1188-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1284-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1284-249-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1284-243-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1284-354-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1316-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1316-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1316-58-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1316-49-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1316-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1564-45-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1564-37-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1564-46-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1564-236-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1580-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1580-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1580-71-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1580-65-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1744-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1744-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1852-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1852-630-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2044-280-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2044-392-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2936-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2936-417-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3060-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3060-634-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3620-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3620-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3620-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3620-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3636-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3636-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3936-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3936-380-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4072-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4072-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4072-1-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/4072-6-0x0000000000AB0000-0x0000000000B17000-memory.dmp

Filesize
412KB

Download
memory/4292-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4292-416-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4468-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4468-254-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4468-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4468-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4468-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4728-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4728-26-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4728-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4728-32-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4748-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4748-633-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4748-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-635-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4860-355-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4884-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download