5a22d224fdb479de727d887a6be5bc3c147d096ff775bc7b5c90adc5be8e59a1

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25850ed9b7653092dd9ca0753ea2e120_NeikiAnalytics.exe
Size

2.0MB
MD5

25850ed9b7653092dd9ca0753ea2e120
SHA1

d658de215b02a2797cec71edf03c8cfd1d7f9c89
SHA256

5a22d224fdb479de727d887a6be5bc3c147d096ff775bc7b5c90adc5be8e59a1
SHA512

c66035f651cb5a61c7307c78e60ff8fc75464bc29398d0fab9c6f891a840c6857537f1b6d54e956703afb02ea4de031f5f96d084e98f1bee942685c25b4a5848
SSDEEP

49152:QHoz31weaIOyyKTAwRhOQC+kgDUYmvFur31yAipQCtXxc0H:tbKeNU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2164	alg.exe
5020	elevation_service.exe
1452	elevation_service.exe
1900	maintenanceservice.exe
4288	OSE.EXE
4452	DiagnosticsHub.StandardCollector.Service.exe
3364	fxssvc.exe
1576	msdtc.exe
1684	PerceptionSimulationService.exe
2468	perfhost.exe
3540	locator.exe
2320	SensorDataService.exe
404	snmptrap.exe
1656	spectrum.exe
60	ssh-agent.exe
716	TieringEngineService.exe
640	AgentService.exe
3312	vds.exe
3188	vssvc.exe
3364	wbengine.exe
2920	WmiApSrv.exe
3248	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	25850ed9b7653092dd9ca0753ea2e120_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\658d823992be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087e9487bcca7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d89a1b7bcca7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000080e507bcca7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe
5020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4724	25850ed9b7653092dd9ca0753ea2e120_NeikiAnalytics.exe
Token: SeDebugPrivilege	2164	alg.exe
Token: SeDebugPrivilege	2164	alg.exe
Token: SeDebugPrivilege	2164	alg.exe
Token: SeTakeOwnershipPrivilege	5020	elevation_service.exe
Token: SeAuditPrivilege	3364	fxssvc.exe
Token: SeRestorePrivilege	716	TieringEngineService.exe
Token: SeManageVolumePrivilege	716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	640	AgentService.exe
Token: SeBackupPrivilege	3188	vssvc.exe
Token: SeRestorePrivilege	3188	vssvc.exe
Token: SeAuditPrivilege	3188	vssvc.exe
Token: SeBackupPrivilege	3364	wbengine.exe
Token: SeRestorePrivilege	3364	wbengine.exe
Token: SeSecurityPrivilege	3364	wbengine.exe
Token: 33	3248	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3248	SearchIndexer.exe
Token: SeDebugPrivilege	5020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 552	3248	SearchIndexer.exe	124
PID 3248 wrote to memory of 552	3248	SearchIndexer.exe	124
PID 3248 wrote to memory of 860	3248	SearchIndexer.exe	125
PID 3248 wrote to memory of 860	3248	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\25850ed9b7653092dd9ca0753ea2e120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25850ed9b7653092dd9ca0753ea2e120_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3828

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:552
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3354e81ae35c37010a6f73dd04cdbdf4

SHA1
28430b8c8aba60b821ee9f24b29d9e087333bf79

SHA256
d8df20b8d3347786906df50bd7a6e1343ec4e563ad7a9b486065fa008ffab6ec

SHA512
95f104ee804067f30df485954a6a5e287a7344e864de28168731258c0af2a09094aeb34b45a109174c89a5a040ceaa2ccbe3e6b952312bccb99f8bed09e279e6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
103953c48b1524377329262cf6e98e54

SHA1
b524c2f85c5bcd06cbd781e93b5f7e00018ed075

SHA256
557da630fd81df6b18ebc972d0afe4452a734c4237847c367b7fe2cec69f32f4

SHA512
4be9606fe5f597a34e80daddf225819606794c030de8a9014a97063a6d0ffb07e02de6e8ab0d8d4171e1d71bc8a6bf8f53a6b8fa1c32691b827000e6f3c3f7f8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e5e800cc9ebdc9e5b7f325b97f4e5cc6

SHA1
c88bb5d612efec34ef3de8b9a600c17e190e04ad

SHA256
e06dabe7e1d29bf4708bbc89aa2c892b6e7c9db5c6986dba5a866f8caec20ad6

SHA512
55e4817e376698aaccacba5686e0a728318bbe0bc072f3506eb52c99c3e18560aa9e3a9dbcac2c00d7432416bf31385857ebf6c58a6af1d7568ea135c235986f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cca60dccc32839d8639418aa6f78454a

SHA1
01536d2daeb167dea76506d8291a00893871ad19

SHA256
ef3d52a12a2d2c9d12be8d08d4de3971ee652f4b8f4068b892817f3e37e539f7

SHA512
2f19e5ea87750feb896374dd12948ef2b4448753dee78ee18918e8414a437ed2753423fd56851b2eec5d370e9ec75618af72c9e77786a24d5d7d993746591290

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d742b63443b8852276be3fddea339695

SHA1
98b63792fbd1f240da54df8bb774d5e81327b784

SHA256
5a065e79bc487bc535451bf5139fead2c222c6310e8e39623dd382cac70e8277

SHA512
fb1436ce8627b17355df2da1473903051b5c5084c584978b8d12e79da7ddf5fb9a42626f76ff303213cbb32171c295d04a6c6f4c778be95881cf43ffe2673222

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3d7f9c4377497b554420115801817a73

SHA1
38f132fe839a9ed20b779a17dd81e0f924f2069d

SHA256
1c8cba852f0b50183dae08f5a401c67a396e9aaea84f79a0d96b94217779f0fd

SHA512
f62f4aee7fe67af5c810fc51f805353febd1860090bde8f6026e9ac77a750d794dcfc465b5ab0b6b6f5e8cf32becdcbd4f130e3a0214188147abf7d77805ecd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
35ef72f0a41ba40a9a8e6bdfe4599825

SHA1
63b62366f7c9d843a7b0a13c2cb6955fa6476594

SHA256
fe7b291e049516a70399a062723ec6041b0ee29170b34f7240054d1a8c1fe1f6

SHA512
5c03fcd6afa51005a203e93048dd80617738d3a1a2b27e2cd3e343bf656d1f94c8062f2e361616b743c2739d13d2c66c283d4fe4c4712020eea5377c4dceec60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e241734b7ba2bdab565a5155bc68b958

SHA1
8102e3fcae07b63e391f909d2a45cf91cf15f123

SHA256
246c68c0aaf51113cf3bf9a78b0c93c46802cb88ede5aaaca7e80b1aee1a75f1

SHA512
b068ad67c98d3002d6b50d8c6646cf9e1c4241436b14bf494f8a22fbba98c10ba6751fd9ccbc8d5f21ba35b272a1019e3e0569ea2ee575f56289349c062c7b13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
8b377bb91ce251df521ef0cca3cafe3a

SHA1
e4e9035d27d4d47eeace82e44687ea0c7c6590ba

SHA256
e038c2cdcf187fc6eff157822de0c52b8766f7c2c16d28265b356c74dd6d7777

SHA512
b68b5c4eba0fc25c6f1d7fb3e7642dfdb746108040262de719069255aefe73dc43379b710dcc027bf9f9877742910715b213e5c92c88280816d8048658b009f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b138398ef11669a284aff952294e0970

SHA1
77dbb252c52cc9efc7b2f619ee415ec5b36645c3

SHA256
b2b435f3d3a1a6d766b0b3ff3203f0b7daf8f773542c090e792efb2646e79084

SHA512
e69e33420793680e39e90e56e5e9923bb7b93c0aa7c505eb7c0276d5ca7fa97e4a4db04b69ab94683a4a3bda025879cd8946d3ed35cffc52789193b204869bb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
49c713950114b289d5bd6e0e64542364

SHA1
0a233942a600b4b3b75bc2ec66e2cd6407900b45

SHA256
fd7aa15318dfbd87b25f9c2a4bb14aa98d108604b763b65f9480acd8c9d5a96a

SHA512
cee748c8cc88f6c86dcbd24449ff43d5f480dffedc9adf2b0aa23cf3a20b290b8032aa1be78f8d14dadfba23c133539416a6aabd78a43e2637e09bec05420a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
558a02f530fc346ca402ef775871f744

SHA1
0808ffee4227b461efb0c57636c1679ddb54d6c8

SHA256
2028fcfb1547a8a77bf330aa326b82b895200ea76a785bfedc48a7ebfce72a6b

SHA512
1cfd678d3f996eb583988ced3ea86ce581833322632ccc456284717f8ccf92c8135a35102d8ed2c70f65849b1e8d676c8aaa4f5daf1d3ca32f004c134cee3c7d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8234c845caa2f05961cba536f273ed33

SHA1
874391b4cc74e6ef761d9bd57ef6636b848d4884

SHA256
3014352c1264ede3c56edf4b9143d096b8aa69dbcb6fb5493e9739431bceefbb

SHA512
9276f0b8ca6da99898a4092ee2102ba02a968ad0ba841a543d041ae3c7d200e716f1290fdc8beb8472f6c36e209dda0ffbc01209403393687fe257a1d57633bf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d85332d01d9c0f0df456916804ceb8e6

SHA1
5ed568d93e979986475b06c458c7e9dac4680fb4

SHA256
c6fc8b326703cdf9b13f7329acd67523f3e8da88e635768ab23f9d8122cde9c9

SHA512
54cdb578a69b1bf716ba83833829b7f5635d60a95d79bc1d0ebf72e0bc140982a0af642deb59aec9d2e6d4eb9a7023d578c7c7febfb90fc9ed2ce018dd6f2598

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4da604aaf7c595bae1da1a3914b6157a

SHA1
90bc0867c24852ae6f2af9dc528e25ab783bf0fc

SHA256
7ae5c9a1753887fa68c5c7d85a604609cc02e435a748cceb2a85b0eab996775b

SHA512
172cd688557245ed6e837a97db8475bac178e1cdb26c3e240f22e835fd459b3bd1a64dfbc1d6537e46b2447c8d6a542f1784f70a0f799dd8e5f31a84ee4f0f4c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
52efa89d434780fe16ed1208f6a99f2a

SHA1
5dc4cb514c580dede69f029e967a6c3b91d67ade

SHA256
c7744ded569bb2b7c054b53e0b25b853b73e07f4eb483466b2dc5dc8205e8bbe

SHA512
bb0ec90dd269475534f29f518e3d3d81dc3bd7ae48d7a34fa9187d8953e0d18747fef32b40ca7c9840caced54698fa58440625d286822398ea391e8453970300

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e268f3f97d664eeca80b18aa289d537b

SHA1
c24c8bb7936271dd916390b99eda8e38b81a5215

SHA256
a53c3c6c64dcbe9c80b8033b8c7c7d6699900e4d64813e169d86bdc25b761031

SHA512
f506e622948779c0a33eac1df5d2d9969337ec4af68a0311f1f57a5957835e3b96b8ed5065954e2f5756daf103b7770ce6e8400decf8c89e61803a5219eb5b18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b0bc4f686ad08e3307a610e110a48410

SHA1
7269336c8c0e2c5ce442820c0d19eb5bc2b15411

SHA256
ec1351debfc65b5fc574985adada8c9ed156d1bf6b05aba24f6cf94a67f0b0a5

SHA512
b45de9f3a2a0d99226c345aacb0b49af24ae2cb2d3f28125b65547381c7305b76d6042512f275ef51961fd5006f3a136356329a6959319ba70b0fad75276e30a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f2f0b5cb022ecd9fbbca836841048689

SHA1
d4e5aced1ba3c3b2e8262623fdaa757c2b1b3c45

SHA256
9311ad0b0d48bcdbcd4e6331584b3271886261477bd35c0dd3e463d03ad79376

SHA512
030bb2b67272322d142ffdc406c37b64fc8ae01051defa39f69a514074fd5a26fe9f4557ca4f2557a0b6bd8e09a2f092f32a97fb20ff930422b56e9fbdaf779a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c288403a7343a8aedff1bcb39177f2c9

SHA1
e84f94e4469dcba1552cab3da5eff36e30a384cb

SHA256
01131d9817d328297b4586161aabe700c33f17c8e4598f02250cb92392fd64d9

SHA512
33885fae50ab97a9a901369d44662f761e9c5c23f6907e3222a315ec404a54c4c66074e060c5de542d863fb3532de8f212ea40c71fc3326264085c79d05c11cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3fe31a985d2027c823dbd89d96ecb885

SHA1
b78c42d12053cb74c78a942f5d9c564616030bae

SHA256
9d9fff82716341658d37c4bf7002c8ae8e72680996844e668a3e86720341ef74

SHA512
09789ec934c32d3e2ad5cc66b7b5201be32146f687878e0be78ee2ddcad92f2bd21de1a938e099f313a9df1d831135bd958bf597cc2d4f94bf377f1c3b1dde42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a65db7361656525a2574f618ea83e201

SHA1
c4037f51df1332ca5db86c63b2d824e5e7bb3d5c

SHA256
155b2de3c033779f96e607dd9624487c44be14ecaa201d55cadb53f572a3b18d

SHA512
75ade29f812a07a61cd109c9be49db96df044a0e3e45c071c5c9dbb3a7a50a824544f74512da6113fa38b7c42d56bcb9c2d5bcd614e442cc0e40013088a56859

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b321c29139b5474d7acf7cf65a52299e

SHA1
093e051cf2fbaf495dd1b965f5c8ff588b404e9c

SHA256
4ba7642c18d38a1846ce6b41906b1805bcbfa939d0d99be2b5b31d3d23f99c57

SHA512
48c7a8c3e29c05182a80e70fac2568f98a667ad15f4a5c8a4e771cafda0ed748182c1eca9dd6403f101ea7a0f2c2a967a09bf53e45d5e8c8a4288f785976e023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
f655b40886d6fd3bdc7d7bae797cff3f

SHA1
13dff23c7e7b7a85ff35062b10f2d93f7aced0b7

SHA256
0374708b249ee7f06b6d195752fa9c4817014c62c5599da23b13f9778153cbe9

SHA512
356def3d0ae2b1d451c879638b9786e3e4a812945ab58ce9f72765edb7a51972434e76633ac66e92a1a94636427127255bf4e5943adf0cea03f5b38ddf18758d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c4837d33002bbfac1bf3a933ffec4edb

SHA1
b8503bd870af12c1582f034269c8561f0c765786

SHA256
b3373daad0413ce28a304018c312009bc9756743a159b9a87cd7f5141a4a52d9

SHA512
52d26c32f5a8f3a698fb2390058f4a64ba79a1976a8b51f89ba8f1959be47839b7d9d153e1f91e8e56101d05767fae14a3384e039773a1d807837ff11e7601b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
5332c7a71269f638f4c31b0243b9dea9

SHA1
7d412e34b1267f369cfe8947b7cfaa2689eabbb8

SHA256
bf03ca3b7f3da37c7fc9cbfeaa7523f3df98c65ba489aa5c4340298bdf85524e

SHA512
7ccb6f4fa084337232ce2bdfa10ac2c0ed3cb2735c52068649778f13e19a5ebf9a5012aa94748844cca687d082afd7e05f4cf883ecc68004c78d1d8c31a16fc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
50e7297e2bfd6edcbc7128d2f11c0350

SHA1
c24dc9d179f11e3bad5d2b2719c0cfd3c8b3293b

SHA256
ee43f714f873c11ad6566b40307bc33f0389d06d13d87ae297bd62286dbfd6fc

SHA512
edeb946452d2369b02711abe5f264419104f3dddda7e16377b4044955c0e3a498db1a089850204d5d840308560af51c38365e281fa39f1565b194ef08bada024

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
de861e178724ffe359df6622f65c7d85

SHA1
a993f65f42a8eccbfe101d7d9437c50c90f14d4d

SHA256
b6bbd821af3e7d371019d17e1ca78615487f71dc8b73aef08f7170d852d7067f

SHA512
d20efe896cf0d526ad218a86ac088c625713ce9145cab28495442853b3908e161e20279481614cc95d1692991cc1663119e6d6aa440b03f1e34099a756d2b620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d872d51e82a083b4ea401b9212540f00

SHA1
3748c3d37e8bb41f99b598ef223e372d64e12e27

SHA256
20a559b50e9e01e152db184a4b32f454b4a1e10dbc46188e87c0ad2f3584440a

SHA512
5fe57e83f880cdedca44a69f4965679bdc3fabcc663a74db5fdac0c9c28ed328fcdbe2205269dc735848794f8f3121fe62d581c4af522df4ddcd086e60b5889c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
31f55674e645a4620edfae84c8eed571

SHA1
7af9862751851916fbab9a23b2a11cf71fd90bb2

SHA256
131ed16f04f26d856d6f7d213bdfd442f7b899a404c13ff94a5e26343f9a5c0a

SHA512
6db17a64ee58e01be428452e35d70ae4d91a513ba1fb92f1f6d08a2450dd0c5e6cca9f3c325eb69afd69296149268f6fd2c7c8599ee5291ec5f1c763b4d7522c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
826c56b399e7385a7f2b058a7e95cad9

SHA1
732e1f17d9c2fbc710b32912c4e2622e8d9fb43b

SHA256
888c1901981999159310f8f890f31d249daca0de43ecb8b62f818b7aa16217b0

SHA512
0f26632b8b75e194043bb79dc45b78f4cdbf230ea5ee11edc6180f93def368a04ea16abb34798cf505ef1dea03c7a3017a00332c59ff29f1211b71760ac7271a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ed4c8bdedcbcc6e3808f8e4bdb1f681b

SHA1
71330a64b5a4360036c918b0795378f151ca35a2

SHA256
3e7d427e57ac816134f720079849e443bd3f6dc7eadab7ae5fb35c9598cc80e0

SHA512
902fc0e2676508bea95cec72c7b60a1d0ff092bbd4d7ff4ff99791ff0d6dcf237c9515db4bdbd4a17f9d85ac4c87df5d08497eef4f737b02b55bb9982d5dfa8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
42d2f642b75c350582ba3b1b5c8f5568

SHA1
441a9bd3b088f15797ad967e77509ce9189ed9ba

SHA256
f5530dcfd870aa96735d4f8acdcaa4e6497e5bed15a40cbf8f1e3a563f3ecda0

SHA512
72c534f1dd2f06fe81ac6a236ed4e12fffc4dfcb4ff9c73ec755bf27394ce77f8fb376d5a2d1dce1968a8c1a9a66d44e534ebf8e4b861234ccafa6150cd803d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
62b1d4edbf09aa392bc354d3aff4f23b

SHA1
c9ddba5006165c52392c8319e33e65d5b0ee458c

SHA256
3d889d2a9abe57624afd1f3a89ab708c5017668cdf1083fadfb13f1532ee57f0

SHA512
41bbbfa8dfc9d6ec7b3b9fa5a736d8755cde3b5cb99e677c2f7f5693a1f5f792208726aeded6261512958dc8a657de7e220f63b24f8c12e3358d8d4b31ebc8a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
7b96e5e79769df19b2624a1e223fc6e0

SHA1
6cea465a73bfe1f358533dc5d2c47f089f5f9b54

SHA256
0389757a95a060ebe944f4846516e5640896c76e7dbf181d17c4e0b607ef06fd

SHA512
947c01d348dd5345dae03ceb8813b06393126875ecc91979dadefaa5d206cbd0e055e9f45f4ec9e06960258c81fa1f63e451521a10984744c1721bcd9a4e8ae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
738be7763cd9e3d6072761b63ddd437c

SHA1
e354cd392a0fc0943521f8e5e19eea92c7f530a3

SHA256
33982f51155ab12cabf062185e44abab67801cd324441dc2883dbd35d65a83e6

SHA512
d529554a87a87562cae1edd1b26f22b22c6a054feebaf6ace2938d24152c40e7e237b58f5d8bf386d1def128e4c8793f885188d1921513966131cb1357a6b86f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
9f93af83e14e11cfec38bc010b43e110

SHA1
f5693fb9b8b9a8eb46ec6432a157d8a7142bf090

SHA256
ef9c6a9e4c6abec82660273e085992c42258b3c8b6ab5124b4a3e7e18525c843

SHA512
145eb7297e6b617656537fc270e9ced2b736f5c7046503cdd31bab9875da7935ce46870019ed07bf8fee41b2e58db3737cabb83fc812daa8651e767d813974db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
78432d554d61b657bd74e7de70ec1b90

SHA1
65eb0234e9760e2652e64c7d937c7cf41b25fb38

SHA256
617a6ddc6ecf19fa5e03a8e5945f78125c3e84d54749bc2b630af8a2e0fa1643

SHA512
3282dad61022f450f3e59e0188d89947f88623a3bcf634c0ee52e036bc2de4869113c3e1225832830276de4aa36bbe30e62c3e57231a0f37fdd531329784cf28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
7cf7875f174a0ed875852d0755ef77f5

SHA1
b8f9a4e706d4942ef6c96f317c4632969caefb1e

SHA256
d75c35e95d15a641c2c2573b4e8608a597e3ca87a0879718b78ebd80884901cd

SHA512
ee39f1190fc354d3393d8a2ba280f0fc9a9aa8efc740895196c23e74255f5a26cb5f0ef460e759d601e48530d9287ce85049411c0519634ba9c3c092a784bb0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
c9c458ade35102b1794c6a6e354dbbbe

SHA1
902fef0cf2b92363b3750d11ebf0dc742923fc64

SHA256
b358f2c5090830341a72e7a5d58a55331eb01b331647a0afcd35edabb10c091d

SHA512
87b8e094b65165a5a9de2ad90ee65695a6f501383ae78e160422e688c3597c9ba7925776652b90a21dcbacbc4ecc07e554d798d5889ce6e84be6b2c557e91703

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
6271daeaec651c72c695e80d65693107

SHA1
067b112f2fa62bd617d479506aa6805292fe3b38

SHA256
edd3aeeb6c2eb7aadb1b72704f27af209f177e2dc10dc679bdbffa23925d3c19

SHA512
0c2cf73b03ad39d87e3c7951d835b83521d4eba84681f0b34de174d15f71c9a04c6a3fab82d07d1fc0be2331d00cbea9b742a9665c37ff9996640f88ca503750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
639af104f7532b13c207a53b4003a8d4

SHA1
90d5b18b0b1838879c651899b8cf1c5f0916e28f

SHA256
6f834059c6eb6a3640095bf4a5bb6c6c19991c5ea962d4628d186da14f1b9f6c

SHA512
49c829a47b024afc9fe9deb183bb63d42e81e0e56f1b7eb8d8ab4b99df96f9ea37e2bb3a41db36d046adfdb329df7bd81c105c2c2ecaf2661421a4d595f962ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
56a46c292bf36274db88e69658a9bc96

SHA1
cb195d2d3fdd05032ec5fa6cffc93e4ad5e72e8f

SHA256
6ffe5ac464b6394465f57e8612a57d5e2e38fbdf6ce56244ef95cb527072660f

SHA512
a21cbeb2de3e2680f68c1d431a16fabfecf01e7bf3f11640f3581f86ee68a7bf08d49c91a5fc8d119529b0dbc36d57c1f18a3e708d419ea8998b5db1af74f362

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
9878fdd94ac153a5061426c7267b60b3

SHA1
577185972411a913669a85130d35a9551092c1ea

SHA256
b0ca5545ee850557297095b702aba6044be837c999ab64b9ffe7e6902ac55ea5

SHA512
76a69065c537df29b8f513a86f8f411192cde772cc92e067ffcdc4511eb7843b0f30ee46806c202067124b429e1ddb8bc03d83ad41a3ca3cdf0fcc4d3bf6a6d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
828ae6dc7a289b010f7f915826dc5355

SHA1
8f05f839ab614daddf7e6fb3ade085bcb883e3a5

SHA256
2beffb609023f1caa911e67694f157f4b700894ce44fcd1b54853337f906251f

SHA512
ee2dfdd945da75f244b1a1c414199db31ed4fe6f47a6fcce48aaae088bb252d26c44e239ba6ec868f1f053f6236e05291fbeec68d8e77c371276bb5331cf24ef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4acb34a669413b2f3c00504acd51a3d8

SHA1
69cfc0a0249abc417febc98b2814e7dcdb285885

SHA256
ac1a2fc45326bd3c27555afbbf5596a3b8fb946579e5449a79a0b7520cfa2500

SHA512
367b44c53c834ed67b2c2d640ad244d19b867ce6c6a3040179d3edd1cf7d6e760f5a51f847752221f39afa49c75148b031488b7b436f61cc1556454f3f6b20a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b8a4b0e805defc8c5f950199560b3f0c

SHA1
7aa1f0483743e5f821182e1076a8f218a1ac201f

SHA256
c50197834a2ef441b929383103b13b097a9d001a5de47c8e56e8a61c09d6f13d

SHA512
edc3e57dfb139587e19a6a2ad9a1aabc54fd880fe7947505016d44480fa69dcae2b32aea9e488d0570bbc0d448a1cb1da3d7b5657208c9db93ea2082aa02f4fb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
53cff55b37f5d99afb2724677bae05cc

SHA1
4c5e661a6037b09d7ba72509d549835cd0133e90

SHA256
7baa0db2d2a86c50760377857091901ee5a48440da6176283e6a78567ae0643e

SHA512
4f787a41b9cdc74027d5a52b6c61b6293cbe15862dca4bbc204d537990a2e552ec3ee6724c9f91c4710d8035886104ec1788a528299a68642677f449cb9f4006

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
34cd4bb47cd60192e34050d967ccccdd

SHA1
24b3f3335d8cd4275014e4d8090e5f1eba219e9b

SHA256
f9d97effd96348778dcdd10455e3d3142f74ed30c447649122f48c9fce043b77

SHA512
8c1fce0552e1f08ca208040f0ade76876143db71186ee4a87f55c97eca9c8a7adf94891def7d74f39a9c335789c491b3cac4a6a163e049bf61ccf6bb95bd80a5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b8eb79fb17e8272e4be96aa4b669acca

SHA1
bae6435ed07b5241a985e2e0f125e79138bab008

SHA256
541ced4c014fce295966c1ff53f9fc849202a162fe560dcb13c31bd2b611426e

SHA512
627c77eae24e088133d5deebc782071bf0930b3c5d749524f7b55b00b9a1e25bb408f8dd14003a005f816b04d0921ea81d38541a3e454ad6018d840b6c26f30a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
500207e7a2014e01770b62223b48404a

SHA1
3f84e7d718ab47bcd3b709f5d5fe9695bd1a9dc2

SHA256
aa7caddefeda38517ea1ba50efe90fb52425ef8bd62dc705dd0b0e8495bdf45a

SHA512
523ef58f8db823be7bde162a7381e8762250a7ccf5f9fbc5d5a421666575433647615bc2162eb3fc88e3b486879a50a40628f7425bb8a16476ee73f56b4911c0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a3ade9150fe752fb2105a85bbd6ed52b

SHA1
c88bcfd975d396f6c54bcf7aaec19731a4d01a8f

SHA256
20fcb1d18ef1a9edb2fd84dcc6637a3e85ab1747b0f4f32a27b3485f0c8986e0

SHA512
fd4e534600eba9dfba01606042a293205f53bade4956a3268bc90c1527153bb905f917c7e1766b1908d59820e51de7be41d9c9812e51ded83441e22e913448b0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
86305dbb6be09dc62fa69eb9d9bc527f

SHA1
23c086c33a9dc1e59e56fea49046135bd8706118

SHA256
65bfd63ea5ed516233df67a99399b5a9310656e58fa18186c593e47d3e8bf856

SHA512
5c95cfc26d89a3505c71bb445475b6b9dbf7177cb79e88222d950bab627cce62fe9f8801dfc6710887023b3eeb3813338ff2348d32d38dd081ac0c9dfe76141a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f8242262a9876e61c487a3050922940f

SHA1
bc06faaed2761eb170155e2e9fd1a439dddf9652

SHA256
bb9d83b11bc0d4e7dd55f9b30fd1f9b5d92b15c3c07c0017a69a896af68fcd98

SHA512
d1d17be55582630b6c6e1ad94ca9060660da476819b3072a8177dc8de0d168c0da70513db9925ce2777aabb4adb01edd9db3df8c2872609578335474b44ca1ba

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
476a8432b220db6c133f445017a4ccbc

SHA1
88be84703163a42faa3238728db6c6c12ce650a6

SHA256
ef645b9e6dc78b6ddc7959dd8702408d55423b1265b1f4020c967ebced2d45c6

SHA512
f860a79a3ae34522a2984d130dd049299dc234b1c33a4b9b9d639d91c4b5b2b82c1067b9814194354de5b51da6a5a5c3dc7e48a19dc578c6c2423b47aee8daee

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f829b5fbf1fb6af07435cc64c7628fd7

SHA1
38c2fb32ecec5bba1ffad67b6407a7f07cabaa32

SHA256
481dedc41159b1ca4843ef3e5bc7d14b8f4ca18c35bdb156dc2ca2cb5d756859

SHA512
b9e3a88e62f861dc96eb8bf382411e2eaf0f6b7a15708eed97815883d791ee3f0ce37408e202d08cbe4f1591bee36e08a83c7722763c5fad7c428991972f8f9c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9f8ccdb7bdb61ac1d37721620518dd0a

SHA1
de3873a342e8a64dd95a8e1365eadbfc2f64d17b

SHA256
3b82e3e85d91af7b7b24f4ef2f58a794dbcfe9bcb36a0c31582374fffeb73e26

SHA512
4ec5b4b17d924b2c9f0e784a8111732eaa2afaf33bd95fa4b34df6462b1ca5953ccd437e79bf4e85f96b10c214f39bdc5e4a134f687c5007c76a78063656c77e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7ce34bdbd4fc8b6f4229e3091658cabe

SHA1
c61cbe7a4c765ce8f6201a4ba2e55d923a7db546

SHA256
2af5a13b2b86f7d788b096a2a118d9d5d65d06ee580cc5ddc0e5eadc79783197

SHA512
3ae01e563b7ec41b8bcb49a48da1cb4e28d79018a74c663290853b07354eea08bc6851747e4df8b8ec0fd77f3daf5cd445b9174f21fc7346f96b0439f08e05b6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6451348249b00b99bc6b69fb77a13986

SHA1
43f253529df86202f5e9ef550afcada74e34f848

SHA256
a1423d14582d4424bfccff528c7554a5779b445714f35e968291efefd98c4b51

SHA512
4199542c96cb779df1e354db558d6c1ad35a8f99b4c9b7047cb3e69b45e07dbca329448e87c6892cfc94986945571fdac65cfb5f4ebde674b2382df881eda179

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d52a72bca3efdabd1ab0afda9b0ee286

SHA1
fd0f6b55f2837f6489972e8e6ba635542ea91c8c

SHA256
100a22e94185de098e7d39949a872607dd206bd14ed54484464124200f1abe90

SHA512
3d0429d1b6f722764469058f9780500bc2060ed95fbe041e534daa081b9049f94e812d8ca9032ec16a8ff28fd9d09a7e1b9fa4d09e1cc66647fed5b6e69e4fe5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
83b146092e8ae52a2cb4eb960c5c3174

SHA1
60c5e32e7df25bbf6000f52aae1ada989b8732c2

SHA256
c7340936fbb2344e6103bbac545bfa5638cdad608ca8ec08d7d990adc909487a

SHA512
52df397cfc1e66b91305a16498acd2dc9113fe15c4f845ce6250a631b0140510ede5540a246c61d44293b65561543bb064f543d7080fba3d2cf76932465c3959

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c9a50646df67eaba100d140459cc79e

SHA1
3391e4c6f46ab6ec4699881cb2f6ad194556d02d

SHA256
bad3818d34ac0a3462b51eb860b4461ac6f5d08b1645a2059eab30aa7d073a5f

SHA512
f051e5dc5c1ee0c01e3c0cd8e837cf6e1454f6217f4ca14343d57173f1c745c7a1d4f2bac104796fe81b553a1296a5e302698fdeba03ed4d577c8be295707326

Download Submit
memory/60-644-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/60-361-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/404-338-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/404-607-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/640-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/640-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/716-645-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/716-373-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1452-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1452-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1452-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1452-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1576-390-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1576-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1656-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1656-643-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1684-411-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1684-292-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1900-64-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1900-60-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1900-54-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1900-66-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1900-53-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2164-24-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2164-25-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2164-229-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2164-16-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2320-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2468-297-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2468-422-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2920-651-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2920-427-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3188-412-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3248-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3248-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3312-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3312-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3364-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3364-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3364-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3364-257-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3364-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3540-426-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3540-313-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4288-74-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4288-240-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4288-76-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4452-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4452-245-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4452-364-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4452-253-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4724-8-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/4724-12-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4724-14-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/4724-9-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4724-0-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/5020-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5020-29-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5020-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5020-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download