aaf7b142a498e982a9e887ffb6689936821f652d2f7eaf0b8c69cce522d10c6b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354bfa6de7e38127d33663ee37680ce0_NeikiAnalytics.exe
Size

1.6MB
MD5

354bfa6de7e38127d33663ee37680ce0
SHA1

d48e9531f61b740ab2002fdc07a96b68ad075f9f
SHA256

aaf7b142a498e982a9e887ffb6689936821f652d2f7eaf0b8c69cce522d10c6b
SHA512

9898b4f1f86cf7c9f27b9879dcc097e7024769f9deb1450ce5aeb2cf5d8978e1be91df76ae489f8dbaa979941bfd5b9fa5b2fc58b92f4c999d07c8322165a906
SSDEEP

12288:UvXk16Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:gk16sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1460	alg.exe
1384	elevation_service.exe
4780	elevation_service.exe
4280	maintenanceservice.exe
2724	OSE.EXE
4892	DiagnosticsHub.StandardCollector.Service.exe
1668	fxssvc.exe
232	msdtc.exe
2964	PerceptionSimulationService.exe
632	perfhost.exe
2012	locator.exe
2096	SensorDataService.exe
1948	snmptrap.exe
3320	spectrum.exe
4076	ssh-agent.exe
4056	TieringEngineService.exe
4524	AgentService.exe
1692	vds.exe
3384	vssvc.exe
3564	wbengine.exe
668	WmiApSrv.exe
4564	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9d205408c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	354bfa6de7e38127d33663ee37680ce0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e41844491a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef698b4491a4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096c9ac4491a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dba5b4491a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045848a4591a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b391734491a4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a05a84491a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cca6484491a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ea4864491a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e405894491a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efde814491a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000813b1f4591a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1384	elevation_service.exe
1384	elevation_service.exe
1384	elevation_service.exe
1384	elevation_service.exe
1384	elevation_service.exe
1384	elevation_service.exe
1384	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4708	354bfa6de7e38127d33663ee37680ce0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1460	alg.exe
Token: SeDebugPrivilege	1460	alg.exe
Token: SeDebugPrivilege	1460	alg.exe
Token: SeTakeOwnershipPrivilege	1384	elevation_service.exe
Token: SeAuditPrivilege	1668	fxssvc.exe
Token: SeRestorePrivilege	4056	TieringEngineService.exe
Token: SeManageVolumePrivilege	4056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4524	AgentService.exe
Token: SeBackupPrivilege	3384	vssvc.exe
Token: SeRestorePrivilege	3384	vssvc.exe
Token: SeAuditPrivilege	3384	vssvc.exe
Token: SeBackupPrivilege	3564	wbengine.exe
Token: SeRestorePrivilege	3564	wbengine.exe
Token: SeSecurityPrivilege	3564	wbengine.exe
Token: 33	4564	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4564	SearchIndexer.exe
Token: SeDebugPrivilege	1384	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3832	4564	SearchIndexer.exe	109
PID 4564 wrote to memory of 3832	4564	SearchIndexer.exe	109
PID 4564 wrote to memory of 2248	4564	SearchIndexer.exe	110
PID 4564 wrote to memory of 2248	4564	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\354bfa6de7e38127d33663ee37680ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\354bfa6de7e38127d33663ee37680ce0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4932

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2096

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:400

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2a02c19ca18f6b379c0ca6b841d3acff

SHA1
aec007c820cfad0a42d2c79a462ad28c459a51e7

SHA256
81da1a55c04eea629bb2b0c5e20a39b1ebff2f7615fa0271f8f2315d5ffa24bd

SHA512
1564be73a4ecd34c79aea94f106daf011f48745421c9962ea573abe392396981cc3570eb34eb2e063de5e066d6ad40c39d667e5e3f0f3a77380d01fce3a64c37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
d6ef8d241c4dc15eb59497c6a4ff6683

SHA1
33d4b7ca355f52b084a2fd46fbb807f534612d8c

SHA256
d6f9fc897beeada2927d3e7651027f7758b032460a6918ebc519d1dae17fbe67

SHA512
975b7734e123608d478aba96ac2f86d5fdab4d3c0d127897be1aa0a41f4ff839429de84b3ed2312cbb9e6c448a0aa5e24b914b37a64ea55a7609492f69ea0fb5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4da1c2dc9dd012c534995a816a379fa5

SHA1
05347c26c9a947e337862877fcad719acd5b4a69

SHA256
c68edaa202eb68c6772b70b799f3589a3778b529b36e6cda6a64406dd409c4a9

SHA512
5c028e4c0c38d86bb5b745796d34ffdcb2726cee00221596eb6a7692da66d4c041e1f564f0966552a95fcd1c1e444517c7699ecedd20e83606cf447ec34369ba

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
77f1838284968158cce0d4f59e0688a4

SHA1
0bb652329b8f273dc7aad7a716a99beb596587a3

SHA256
d895eb3cf42a192b953100e28fda7b18989471e1aa2223432518a7b4ac4d7c22

SHA512
4af764830d1a708331a32c66de544cb5e644eedcc98fb968a86d384a65a04e9b445fb2295479bcd82dd165e2b29120be0b3e01332bee481966652b88295d8271

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e430ef0cd702effa26012d5bee0a0833

SHA1
4c6b5d903e82135cdf8418318568dc74bbd1225f

SHA256
4a2f13c0ce0429ec4eefc545bf863b49c4778f824403395bbe29381a139a11e3

SHA512
a8e6f2e7cf505f5a63a2b586a124a0c6e29294a8ba97e73b941d0598164b1fb814d081695a44bc6c12046733c3637409ad5fbd51c4401c4aaaf7e1969a205218

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
52e99e382ec797e5153dd2c87a54f0de

SHA1
37abb09b6f63c9922690e490de221373f2229f36

SHA256
d3829eb5beda26172b68a8fd4af73cbcfcdc57ad099ab69a4204bd34b1e9173e

SHA512
518de9419e006f104f225e6786736968e95f94678a77f253defda2d86be779e0b6195253c1a1888082db58db13e45cc3f452b8c25d5f2bb530da907b42b0e370

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
91680681135a79748f5d73136ec3f958

SHA1
1cc45f81b8997b8b784e6a6eff404e39b00f2ceb

SHA256
d6ba3adff1f599e0462d70fcacf8485c4daecb0daa0c5474f0c25fde8634fb89

SHA512
858f58acf86f4ef1580f6d85f6186f233ecd7678a852fdaff3efd4445d375c7915861474ede826410f86fd7b086bf3079a6bc2773c24a834816ca2d90f4d6e59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b16ffb907e696d3d9964938f885499a1

SHA1
a1532c46a4ece1d35eb84b7a6785989e0b5b20b4

SHA256
b6f674f08e408dab67aee289dd64ead1d7228d96bf138e0f866bd7e9c88dc4c0

SHA512
f7728e8ab0e8751c681019a257d9dc86096d181a7b3333acf1d4259915708db569b45ecdd051ae30b116f2d87f0c1f33d85d8057181ec16406442a3166b0574c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
3adc76e8f8bfa4bbe53bd61ee1d861fa

SHA1
b084e51bec438d03019e1d1af5b23f49c0adee10

SHA256
e2d92e8cef443294f735675099ffb21658f2f36c18ff36c7fc18b37f821fa157

SHA512
6503a170bbb50c26cea2d32d3558f515eda03093da4eedbca13020956353084622482539cf8361335e3882f647ad19b1cda84384bfae6ee3682a7fc3f5ffe7aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e79f85d07b0833d3e0fe18225151aa3

SHA1
fdfd6a215cbb3d8fa6da24b12c1db831a3a12261

SHA256
dc5b6e2e6fcf2659c38bdb698734af3e1b90d9bed32ce6ae72eedcf84d908dec

SHA512
dd0c7bcc8d7b7d90270f8b9aad6ffddaa03e200e2e07ccb9187828c96a93b74e54ca622f8362bf5962386ea9c7146a1ba3c983d692d6936d434a1dfda725807c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
714fae13a6a7c6ee88764d9e9398c86b

SHA1
1c63ce25957cbd4dbe711422876ddd68ec565a1c

SHA256
080f45d44777e59713e31d5de2b2a1be9e386328e22850e3b05fbd204d6032d1

SHA512
e0dd12f11fd9d3baecafd6294443e195974516c20ec95eb1614176d0743d1b4c3f88ab9e7727e8ff2138f4b518de26c4f809713be28428cff7c12f7269313558

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7ad5a7faa2b8b7a1e5a3740e24a61338

SHA1
e73a7a2a9c2b228aaf81e7a1efdef09adad97b56

SHA256
f79b3d0e796214a2c061f948a7b726ed032290645f0d573aef1888b82907f745

SHA512
012ad0ac69aa04c6341411a5797717264a4c08ba8ebebcd83c38700f271a9850e498cdfea5f3c8eb095d15dc86c909d75bb668cd37c0a3a835e82552f0efdb5c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e221502479d1c6eda3ec194638788253

SHA1
3d4ddbed7ab503cb86181613bd99797d95db8640

SHA256
dc77d56bbe88102531ff002401e1a9b61a3d68b1ac6b0406c7134365b32c554a

SHA512
213f56c9c8adb5e1a43c981eb109a54c07e530d70a964b13a2abe84076595bd9dddebfd98ef34c9dcf5879c00591ce39c1ff7749865f0a1d40c0cb76795004c2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
d8a75385932b4b6862d94a0ebba43882

SHA1
94ea77712eff64b1df6ab17b87e81cb2416d522f

SHA256
58d68f84758123aec3855564e447e892eba07134d1ec89aa13526a8cbb06a607

SHA512
b8a13389f877c9833eb459a2cf50c009ed078ef64c4892d3b69abb69db1c10c61df0b1598acb8609decba9982a964b59a8a5f273bb77984c2f61270bb9e37d71

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
23900a99c13aceaab9a418b48ef60d34

SHA1
b30664e0bbd03e826bb4d154e89c1baa4168a518

SHA256
204526695d228de506d8e6cb9f42bf9463615f0fb4cf3843628937a0292071c2

SHA512
232d5f6cf6ad3f69b9389bbbfc5bcfc712e60d212a6bc2ea0bbf7875e7e7a93d6527e118f61eaa8e615cab2a8e609c82427bd447a2eb9ec3a997f1e8012207f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
316ca5205704a99654ce1507b3e60cd9

SHA1
23023bd1682246f12fbd79425e6f10a3dbd87978

SHA256
b0ce57e39710dbef41fc98e1dae5505223b796579cde1a6838237ba9d8f807f2

SHA512
5b4fa7a058e990030a2a6d793cf9c27cbfb48028ed9cfb54180ebcac8afe3d5680c50f7a9acfa1b379879b61c37c9a823b72a65ecea23e016f221a1c5813917f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
251527d23fecf95df74fbb3ce08a3135

SHA1
ee0f48658ab05d05bc8b2252f67cc2f48eb37d42

SHA256
d453621addb56da414cbf5af345ec6d3c9d78a41b1311be75dec64007a383cda

SHA512
94bd8054f857fbef62d69c0af4ffdc810b841c1661d36658e8aeae6c652b7ff8cb648c598bb3a767ca36563d2c5a41819b750fae592305b6ad85caeaf88de1c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4916aac4792b0fc2ad67b8c97cb96199

SHA1
d59c48741d294176487ac6c27ea455a8cea4c1c4

SHA256
f36b9d96dcc5c722b2f9d280facc9b8c1b42b062d913633465ad09c2b5608d42

SHA512
f27bda6d7915db19c04cb74b6415e630651e6ed7606f90a04a4c0c0a71eb3688bb8e1b17453655488bcd380127e20287a487c905116f66b6a51d3325a28fdf90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e3f077fa5fb25c3484db6efee7669b59

SHA1
1ef429d7a00c1a5534afe2a759b58df85f25d0e8

SHA256
cca4c7e7d24952ca7a3c4c1e54935826f9cd64eb8c50af028c2b9f8d1d8041cd

SHA512
9faecd237ed690270301c741f05b693bcbbe9aa966664dffb72f4309aff280f63c1e731203dbfa337b4981a90ec4c114fa0f603a3677c3a507ea4dcb0d0226f3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e1eda95a4dc36b04b4da4d8a2ba273cd

SHA1
22d8189da6f736084b30db0e6874c3dc1ed7e493

SHA256
6eeb86cac177b0cb48bc7bde11907529ae2aa5fb1a80a7fc862331a4e20be3cf

SHA512
8a6a6e5673fcf58a1bf1c35644b21b542715e8c618e19cb6c62faf0b933c29d2aea6b4b3a669bdb5b05915eb359591ea478bbe2f32ec3cb6ba3bedcae8001084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
9caa72e92a535ac9653091870cee4829

SHA1
cceadc6c4dfa0d3ca1c8ccc7c1dd44947be9956d

SHA256
5add76d5ffa60c6ca20604c21b5f5d5bca4eca7701e49cfe3aa63ce8d566be3f

SHA512
cb13fad5cad273404121859d45eb8db3fc5de9d24a2e8adce75b98936acc2037e51d7d6d3356c6ea95906eeb01b400dabf51c9612c5dc6af724412de22dbc047

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
92571cdecbe47045fccb9d7baf141481

SHA1
800615681621eb18faa2dda52243f6625ca0b459

SHA256
a0386c13fa8c8ae544c069b946dc6dd86762cadcd1974f7d453a60fd0f0d9f2b

SHA512
f33adf21686b9135622202edd1a0471ba13c04b3b0a38e1787068e6e279a50739441eb28df2624a4701ff210fe1b7f96b0602a99d2b50a1da4abcc6d8e8e6174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
b9c8b07a025ccdcc2e11ebf35134f0a5

SHA1
35a7b6b9ef8a66e736d7fbde04aa3d66d1621bc6

SHA256
db947c8d291118445c26948ecdd10229fa5605f2b4ab8dce66ca39a066cd3bfd

SHA512
ae78b71a6f26c1160a5e4ff7b72d33ff2da6d6002dffd5c6eb587c11533803eb38bc08c5cf373fc6fd5ec0a5a2524d52e96f6456cf4d433d3ae8c90e44b4ce71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
e0eb73773cad2c37c2df277ddbd76fd9

SHA1
6aef65e3fb5ff26b5a97e15c32584787d7e4e656

SHA256
f89180e2bdbe345b089d696cd139d1308201b82ed77410e0213c993b2dfa7dfc

SHA512
6a3227d4941fcef9cf9654ee7a85a812c65520db6dc6d2d7f9c6b3012aed23c5d81fe67e739709ec648c3878a5ea8897f65488172aeae45f4b76dee13e01c711

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
f89a22cb46b9373e91eaed427aa07a92

SHA1
b718609675ebee202f654b894d0fe17bad56dee3

SHA256
e604287972a9e0d53e4b30a3bb1df7b791483eab9deb13359fab3392e226effc

SHA512
bd1c16d56d15bb44612b4ff968c41a203368a6abac0eabb6cd2299a623d341ec4b38c2d1f1c297f3736b670626cb9b96f0d8e526017b655c8e68f99199b00f99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
17412863d101788390c07f03fe60d91b

SHA1
39e7d7a4cc71c4e267a3d3743f97a15e21fa1d74

SHA256
144ce9d2f9259b98fd5eeae3ada9b6029f361b5729f89dd205db0cbadae3ac19

SHA512
371aeea5848706a5dfdac26b57112348c12550955dc00f573ca938d7cd29ad10d514836a5d58808ff242990cdf040a139874233896fc52b68bfba9d51e3198f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
dcec90456ec3e9a921047ccca22bd503

SHA1
c7377d6f31ffd527146e674fcdb0b2866b2e639b

SHA256
9fa0557ff01b2a3c862f2d54294dfba662613c6246a871e75b807c7af32b9393

SHA512
5c474728aa3de3efbb6e2af1d83454210d106234078a4854f6bff38eeebed258988879842d800c6d22cb985684adaa2e36d67c54092bbc7a931c013ad8f4e50b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
233acc6a15aadc6958697a24db6d0d53

SHA1
6076327e04552d2ebfbe2128a7e105be4777f103

SHA256
9e89895f4b7cfd4db7449be0505983949d203a3a7534279797d244826bdc8f53

SHA512
391fcf34f0aca41f2fd3e84f590b5f85601ab790e78965824d3eca4019613191bdbc38683e6fd89c6d465fd717ad32e85aeb06265bf8add84edbf9dbe70752dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
c7a343da039347c8c749744ca2243e87

SHA1
2c2e089c54a70fe66584ea2365f126effb2fade6

SHA256
f6359d048462dafe25bb8d7d2941923287fa9bd4f4caaa146bd323ab420b9130

SHA512
bfa1b50e8bfbbba3c79037cab646b879136a8c46f1730b3f241b31e322e5faa71393ec64431bca8f597d80348a755df1c8f583f7a653124179a560d3304ef79f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
04d0808ea92a1976e52366921aa3af05

SHA1
0f5e20c379902205715c08e285d18928fa55df6d

SHA256
08c454c39caf741d5532bf914cf0f3ac642d3d44fbdc108600ef05817d65eeaa

SHA512
422cf47518018bc85c0cdb64d5e934db7fd70164e6d620c7632026e42444cbc7dd4bc299200d30717682a9a5fc1ae1bf432b10925bf5b0bd80606104c17386e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
78e5d5721039f9689ecae6a8ced67897

SHA1
9fbafaff6ac740b41d97a3ae65c7ecfcb17750c0

SHA256
b477fcb51a8268624b6c43fc52e1dff27d65d6085844a950b9cf2ed91a6c9060

SHA512
261aa33c0b050a4c310da85c931fc9effa635e34043f7b09e99fde354ebcb73580f5559b432f0ad1984a75af0b3f7e919bc757af6e38641189b5370bd79937d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
29b1794e4daf9bcf8ea6bdf9a975f76e

SHA1
de1ea273807bfcf5f011bac2b309226db89c7baa

SHA256
e89143d3f23248a653e1eaee818c0c5c47789d696debf59be4904879ef038aea

SHA512
d503a6ae9f7082bc7e3b1dd620e56667fe018a18648a2f30a4621dc413cea4610370784b46bd59f2377c372455371452976b8ed986ead6c98676294e48a7fc1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
77358fe9f17fd37ed382e785bf1cf983

SHA1
bac05b33021a2c9e341d35ce1355f1869741d879

SHA256
0b035fb02fb56a67aff0d202212f609886e922a861b04028d3cdf2e99ea82059

SHA512
f24e1ab0ce808fd3e5b370a36af6f7ed0ab6c002d079ff52a5f942aacebf9fe21915a8f09cfd2833a22992493d3f1a90761ee19b4e5851466545211747dda5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
3f3d26737f29e03879d2317096321e7e

SHA1
f823b49649c67e9b2a34bfa87ee889692f8bbfae

SHA256
31b49b385fa1ddcafdb5ea1ca0e0828803d340e1f3a16e15546e6a6350836f2f

SHA512
02d8c4fefc1c73217cfe6e30675e8f656adf54b03089c461369557585fee42854f073b920b21c8c7d9fa959ff2a78677fec14f33baa1b4f192ff98e8d1c63600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
a962cafa8acecf9f91da2c968961d2de

SHA1
8f7c120bee88b6400fe6aed9207255554f7bfef3

SHA256
1d0eeba7224e69b4b8b206188054c4a753bfc2b691dcc7e3d4c28df0e0579167

SHA512
873972675e9e047031d2f0d1eb08e4ddbcebe291058772ce1261b5e89dfb98276ac0e0f1f0f714884e47862222ea65ed16c0586e79431c96279b1f87a516d84f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
1d0299b80d893ef6730e8b119f7d3227

SHA1
10e03e0bf62481706c60cc52e02c3cfa5c50ab39

SHA256
d462dc34cc90c94818671ad03825bc19729b3c16de7af7a117837478b709da3e

SHA512
0c47a05885d3769dfeee0673247d2e3f5d3c86944d95509893c49a87796285e549d7dde81adb84b17d4ad3b75cc9f0926b41e0615645ceaf42764197bf68ef8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
8ca3c6a20f39b7f54168d7810437fb1c

SHA1
22785dbe8442e70065f2acdc0b4b8cbbcb0327a0

SHA256
93b91cd93f289394d6290d877482b1d7aea0d28c3a220f0f9fbc1a8863f27fd1

SHA512
3c3a4def524a529c62cc8b6f416b1524ae5ea4483a6d8f2597335089a754adab20a4ea7f114b521dd5de8deaade83eda4291552cda42e70e73b829fe679b24dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
0b5dff6b8e414310a279b8f9841f62bd

SHA1
04af5df359b8cb887ac828376c1fd3d8ef16cb90

SHA256
2f30d2bfe812617cca5294ab3286ae657ce5412fbeda2571a951e48e59504449

SHA512
51982da11f481c38a269dd40beb762e34a9caa3f583cf31dcf83ac750ba8d0c89f99e0162c50d698d10c0174452f4559a67759213f5e8ab8e01e4577bc215a1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
3e7b8face09e50f4ed06193487474cd0

SHA1
932665f1218a5e07e479bbacdaedcfd554d0032c

SHA256
5fbe332b6f6a06c6015a70cb909327dac3f83bce3c14eccebe6339e9cb24cd96

SHA512
65d60adde1460a16870565c7f3122a776162121764ea62aa1759b883d5fdf65d457776349b2807543779274b7c9bf66fcb4b243a147c24204ac4ae6f8e1eb466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
2f00389d494d8752d7820496aea3deb5

SHA1
d17708a2fc8bc6114159b5ff66d7eaf12cf06fd0

SHA256
6123f6bdb64767f1d8c44329a685b3310c0721b7c42089521020f09af7577682

SHA512
d360727ea83b5720dbb396112d63477a2b5b91a3fef909632a36a0bcd3d76c5fbb78c0c901f653f792fcb82187386cc06555948a3b7ada2535d3ec4cc3bf75b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
8f83806e23e0e6d9658350bcead7ccb1

SHA1
3dcd93df9d153741855818dfd293e28012dd427d

SHA256
feda18a8f0152b9f151012490c6a5563e08470788aee6cd6bc3b386e999398d9

SHA512
655492aee2faec08c5ec2eb076a06cf85f19b6425260c52fb1c09c1fcc427920a53ff9904a7db369d34f22f4fb38d79aef4e5260f47253f9b2ceed59e099613d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
71547637131d93411b4422d329cbcb1f

SHA1
14fa103125acf61c5df8200478fe367091b0d8e3

SHA256
11a17a932703509bfa9b10e9251b35151206d6102e133635d892634facc3732d

SHA512
ff4dc05ac794a1aa24ce6e395fc684e331217a76a13093e29d97a6a7e7ada0705f5fc7eeaeb02abb4609ab2a27f3072d734da04b96bb5102983fd706baee5633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.5MB

MD5
30426f8954eb91e91058cec50d2f9644

SHA1
e1409f8c48a99245f9ce3587ce335e12f55efc96

SHA256
c3e74066aaac6307084d8af9882f6316d8c9881c8bb6aae406f987b2e9bedb09

SHA512
519c36a21f86b4cb02a98a8cd2284f37692fc9478abda74acafaaa4b0c65dbacafad2f9a7e76e604e3cd44019a15a4a59e779bc13674c36c1d677af784752d4b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b933b4f5f514de5e99dca998904b0d4f

SHA1
548b5d98c0ea887d1d20012a217f54b5656ea00c

SHA256
0d6cf901620ae20b6e2f007b6e9b45718b951f1ad745518333e0d7c4d496513a

SHA512
5546cad896eb914f03d8d61bd073948da40f88a737f2c6278d49e852b88ea49e36ef0ef3ecd4234783c57aeda85e79a30f91ec56f6f21694ff5efa65d8ecb2c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
6e71894e5db6d113c90eeabb745dc835

SHA1
b0558cc86770c4257d1e02f38324bd5ea61f0a3b

SHA256
1b1042a6962835194f6e226f5974b61450f91346470ed0d5945a6472d56e4688

SHA512
19a59f0b8e9c1a0e43525970f36e12e681421e09e3f46d355cf7d315cfd78d6655dea8b06663e858d65a09ce12abcb7fbd2f67d3912c838d5a5d9da3e56f611d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
60b8caa7fba84fea068cebd175e1d862

SHA1
f80d6bab63cdbbfa23824f69af11a8a21d34e6d9

SHA256
f595d84df376cea9497ae540a75a35ccb7288d00aa4ffd0d3eb0e9343fec2159

SHA512
631a372cffc5d7d885a694d0157d0281246c8a9a716dedd18e37b9eaa056002d425d7b6cd74f82904622d4c55f4f201c9e8145dcc9f31c4869650bf5aad7d7f3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
1158836406cf225efe64e7fdcb7b175f

SHA1
4cdbd70e933a7ef2081d62b245b6a286f67a5772

SHA256
df2786bded8464667835235e6c32adca782d4b21cbff354673caf15810c2748d

SHA512
2138ba56a35f84ea3a6356ce0d94e13fe2055db59d80144c744bea6e04ccce18ac4e818f5f5d10e682e3bd28460576334912d081fe24e655a9ae6be2a530d57e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7595e392416002cb2e4496d23cb5dcb1

SHA1
b806e1c0297af0697ad1a8eba8cf27a0e4b1ee6b

SHA256
1a7c46accb7098e89c0874f01af48a889f378a7f9d2e7b4691586b4ea64c14ac

SHA512
69c33007b9bfa657fa735d6557d94050f993acc8376122ed8619ca227ffe4a480fdbbcbf2b8df49264ed156a6c3fe7c1dc2130c6d612167a89c71ff59f780c5a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
a86dc632b15486899ee5b2f881077a10

SHA1
55d1f12b28aea75dc5542045e26bfd7b9608612b

SHA256
95bc3e9eb23f2ba0620cc398c5bb0689c92bfe3490d4a229d521d0c1392f160b

SHA512
f33c74ae7a3bd0434a609d06a59dcd452e7ac74e83c75cc5de55fce854f923c5178fadd726cceb22878fb33b04acf838669ee3035534db405698532db3d9f888

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
18080d1ce05d9b3c14ea5bc345d0b14f

SHA1
622e62f9bbb9ba2eb46a3339613edc05a47c9ceb

SHA256
ed5c1154c6642bac96f9ff9e335cc61c219c033c3cb59f00e82660843068c0e6

SHA512
300981316e6856ce283e2aab635f1c98f2c45fc68e5f336f950449358e4b499b55176e9fa0b50c9a4d9bce515e11b42a58fc44bd3bd13f145b262c028827d3bf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
aca973779435cf9f59203d31e3749243

SHA1
d5bc4b6a159820a6a3763bb695b2b052186af200

SHA256
77cf574d5630d23016253cf1b7c7b399ea8c067fabc6b7e11a7ed950bcec76c1

SHA512
8fd5a4cd0546131fefa68ad573f967f05305df4033b5ed78dda980f95e64302451eb188e5d4bdf2b78c9489ca77b514caac81c63041fa9a0a7a61c10880b1433

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1b34dd60838515caac4c3a003efbb083

SHA1
54669804faf7156c751cd1ef1f8370f11b03f597

SHA256
b1c65a014abb15d99c8dbc62d8ae35ee27894c10efbe2156ac0a3885a98db6f5

SHA512
f2694a3c414f2d0164ce73b65daa14ad65ca8e17f640f787e571872e1bff6ff98cbcd0b4ca50a655a85c4b9b40c173fe08dac9136372dab49323fa787b573961

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7c2448042d13b8701a7dda5f78bd43e0

SHA1
21cd256a65bd4c0d9bb5c845ad4753fc8fada9f6

SHA256
78eaf077cf6de7a5fa1967da032cd1dbe59e9d01eeb50841f0c755f4eb80ac7c

SHA512
fc67c1710b399b79ab6f812a56492ad93fd35a270bbab98836c598a374af6260fdb08b4a4185be5b6679e65c3f2d4b3ee31adc02f0aca3c972752ad94a57c864

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c4b98acf5ab532b0fd83d9302de2bb12

SHA1
0c238e125907c4f359a77ad706e06462d1509e42

SHA256
035f87762d78c096a4bc49ca747442d5ec24a5485f33d0cbfdf56f57990b5abb

SHA512
a066744dda4c257dfa67f7eb472bc4d1868e9a672877ccb1ecc59bb270375f0d260759e24c7a3c4f8b69dbc5b4de9207057db0a8fca5396e8b77c1148e401d9a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
829c61ea2c9a5de85474f0f0dc18fb56

SHA1
9042873d9642326e776e30ac7773dbc199186668

SHA256
cb1f8b444a8f1766157c6d1b4c548ff6bef0a2b084f7365930078b0643cd51c0

SHA512
e545763c26412089b8d48efb4a90a0d401c20689db12c816ba0ed249d86d8fc9f3ede8cec7af2dd5e544961fde3a9101c87b22f4409b3756a594c333196c452e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
035b04f574fac9b6fb32660d6e087b17

SHA1
5c0a35bf1bb25d5673e1bf1408fc6493e1cf42de

SHA256
952767e7adcd346463898c3c62c5f045e8711206124e08cb67132800f8712c63

SHA512
6547ce43a533efc55cb987df8dd1f583096359238bac31a18c4e614b6e3455fab7a0b96ed3e893146fd2baa0efac44ec6d713376a5ec40fe0d0d3358f3436683

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
9802770bda428bc4b43260270896e641

SHA1
22c681fc186ee3093e90861c45e04950db9429bf

SHA256
bbca8bfb1661b047a5e5e8f1d6f526f5b0f367076f36b9ec5ea94a1ab66ae865

SHA512
da992a7bffcb829226d51bb57f66dc8e5fcf39afe11f74f9e58475fd4369de793e782b87b1b9d1152092387de62c7fb32019db2345c09b22db0babf41c1957d2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bf4cdb92fbec74aa9ca71b06d821d8fe

SHA1
71c6b379f37200a6e75e83a8722e360b1fe9e6b6

SHA256
5ff64113b738a3d8b77e5cb9063df50adb3d9edb57d110f18b1dbfd9832cb3e4

SHA512
c930b9c4bfe777b83d616578ef0f2e8caf46dd4bf3774f00fa1644b2c7d0ae841aad7943185ad9baa5b96cbe71f0bf82b93d1c2849409d32bc4eede067a56ab9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
6acc1a9087148dd7cf6786bffcc5e53e

SHA1
bc7e0bd20c9ea98d8eed60133441ae07048e7793

SHA256
6f7c6f9fce948dd58f2ed8b5b7d5cdd17066a224f67778e5c07f2d10002bdcf4

SHA512
d15baa144031d273c8aa495320a250d7049187cc19f5270f307fd7ed7a47b830e5e67f919b16cceea953d2a408a1efefd0a9b5b46cc5666186c45d35d4f55c1e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4d55b3647c8e0f568cbf7b265e46e63

SHA1
8e79d564ec891fe24f642e07e5944a3f0b58ebce

SHA256
f18f8ca07209f2a60e33f05dcab961700066f4f8cdb25b0abb364abf883b7b31

SHA512
f6b3a5ca3dafae66554264fc6fcd44c96c753b483bf78aac1e4edbdfaf5c3a461d8b4d7a850b401b6df21d9df9308286f9f41ac1c305b94948d58400ad934066

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
1cb4788c2d257dfa07f20fb9a36590b4

SHA1
f464286de360c365521a9a74b4c942a7034d40e2

SHA256
aac5598321c604511dbe5a016b99672079107f90670b7c1d976d2086d9d1aaa9

SHA512
71bc84b3b96d4b1da28d73430c5ffbcbea503d23397bc707af13dc7c6657b72c94e0b602681a5fde3f81418e171a534f3b40fea6f5bcf1cc04dcf762de6b9b40

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5020f76867df98b752cafd97a5fb2c34

SHA1
f32f80e1e223eb320d2aa79168e595da99f92c07

SHA256
306bd524088b3c70d310dce02b1593fed2b077e5a3b47b1851f9d567d0cac62b

SHA512
b1950c240d8125e419fce3b51361f2a7795b72d19c5dbdba5c583fcb74b6cdb9c2b46784f7cd316968b20014ac1178220b4d19bec683479a9478dd1c646bbc84

Download Submit
memory/232-380-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/232-268-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/632-294-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/632-404-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/668-646-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/668-425-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1384-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1384-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1384-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1384-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1460-232-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/1460-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1460-12-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/1460-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1668-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1668-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1668-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1692-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1948-328-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1948-568-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2012-297-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2012-416-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2096-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2096-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2096-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2724-65-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/2724-66-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2724-72-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2724-237-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/2964-392-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/2964-292-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3320-636-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3320-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3384-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3384-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3564-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3564-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4056-640-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/4056-355-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/4076-343-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4076-639-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4280-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4280-62-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4280-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4280-50-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4280-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4524-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4524-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-648-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4564-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4708-8-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4708-1-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4708-24-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/4708-0-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/4780-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4780-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4780-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4892-354-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4892-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4892-248-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4892-250-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download