7453972f3aa935c597d8c54330c203e028555a88321e1644f8e3bf85d5309f8a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89c8507f20487e01c8004160e707d7f0_NeikiAnalytics.exe
Size

720KB
MD5

89c8507f20487e01c8004160e707d7f0
SHA1

2c63aa0385b668e17bb6916828e5aa5b9b8da0af
SHA256

7453972f3aa935c597d8c54330c203e028555a88321e1644f8e3bf85d5309f8a
SHA512

2e7ac3688c5ac7c898f58b29fc94c0e77fdaceb4c02d953b6be095e6c9174f6a69bb785b736df02e2c65f34cbaa2f5a67ae1c7b2166c494c781444d4354e20a8
SSDEEP

12288:P7hU1vpJJdp/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXRE6:VU1VL/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
540	alg.exe
1220	elevation_service.exe
968	elevation_service.exe
1928	maintenanceservice.exe
3212	OSE.EXE
1712	DiagnosticsHub.StandardCollector.Service.exe
2512	fxssvc.exe
4232	msdtc.exe
752	PerceptionSimulationService.exe
4992	perfhost.exe
3264	locator.exe
3948	SensorDataService.exe
4304	snmptrap.exe
3724	spectrum.exe
3504	ssh-agent.exe
4912	TieringEngineService.exe
5104	AgentService.exe
1656	vds.exe
652	vssvc.exe
3228	wbengine.exe
2420	WmiApSrv.exe
4160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	89c8507f20487e01c8004160e707d7f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b918f2c04a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fe802f201a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6bc77f201a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1c2dcf101a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000036442f301a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020ed4bf301a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012fed7f101a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a73611f201a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfe27ef201a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1220	elevation_service.exe
1220	elevation_service.exe
1220	elevation_service.exe
1220	elevation_service.exe
1220	elevation_service.exe
1220	elevation_service.exe
1220	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	432	89c8507f20487e01c8004160e707d7f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	540	alg.exe
Token: SeDebugPrivilege	540	alg.exe
Token: SeDebugPrivilege	540	alg.exe
Token: SeTakeOwnershipPrivilege	1220	elevation_service.exe
Token: SeAuditPrivilege	2512	fxssvc.exe
Token: SeRestorePrivilege	4912	TieringEngineService.exe
Token: SeManageVolumePrivilege	4912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5104	AgentService.exe
Token: SeBackupPrivilege	652	vssvc.exe
Token: SeRestorePrivilege	652	vssvc.exe
Token: SeAuditPrivilege	652	vssvc.exe
Token: SeBackupPrivilege	3228	wbengine.exe
Token: SeRestorePrivilege	3228	wbengine.exe
Token: SeSecurityPrivilege	3228	wbengine.exe
Token: 33	4160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4160	SearchIndexer.exe
Token: SeDebugPrivilege	1220	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 2036	4160	SearchIndexer.exe	126
PID 4160 wrote to memory of 2036	4160	SearchIndexer.exe	126
PID 4160 wrote to memory of 1192	4160	SearchIndexer.exe	127
PID 4160 wrote to memory of 1192	4160	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\89c8507f20487e01c8004160e707d7f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89c8507f20487e01c8004160e707d7f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:968

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2780

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
709be1e6d9eea352df7ee5219b4b93da

SHA1
d1a7cf36e18dd0add29a577e75b9603806d3c6eb

SHA256
5814fb9550f66e8d4eeef2ba96cdfd044cca972f4ff166242a49348f2c026325

SHA512
e6d7e1428e0bf820a212fa163455f1021acfaf0cd051e4db7a7cc0210bcc959f0cd4a965b8a42f6410b3d913c2aa66947134f3a47e769e8d5e7ed7a46fb9a88f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
72e74679816dd99f8deff876ca51bcb1

SHA1
c38593fc3f0765ef8f3069d6d2001a5bcfea0ffb

SHA256
42da40fac49a011d3c8cb18a350df84af41a41a25a72ab3bb413f60c6ad2eef8

SHA512
149a84be5bc565b6bef76610b3dc2b52524a200018e05c1b1f8b812793c179434b2c350846b90659eb605cd7397439527f191d5d57b9dc23eec0673103a15b23

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b2e4323d86ad6a551bea81b5c4022de3

SHA1
f71d33a9e39c346ec704916eb17352bc277edca2

SHA256
9b3c94d17133f6f98fda0a799e80531f3043d723abc57082608d5fe2c8ca9868

SHA512
9664dc8d43e3c2149e9353adbc9568112cbda04a244c537a2c8985a8dc41a47aa34d2f1532773ebdb34dc3e0dbcbb737cc652546a8b49637cccb2c97bb702a42

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2be0bb8a1dcf5b82d7ac6e8655c78165

SHA1
8711092f713d3a8fbb1350784e3c83a4707e3418

SHA256
98bae63f34bd7c16ab9ac64289bf7d8bb791f9904e399e52f5a01b214ab59c51

SHA512
b30ea883249bc46f6ee89170502e426bec5380584f64b1a1cb0ddf60e46c9c9310d1729982f598922edcac09162c4bc4941612c2a03fcd48597651cb003db662

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
36086dffc08dd3f4c0800c233d46be55

SHA1
2f7d50289cd009415da4edd9c87b7aa752a44bdd

SHA256
c8a026b58e9c1c225e69cc4b236f41afbb129c731dea102c9cd718d8f4fd09de

SHA512
bc37649e1832d560316ed15f7ca78dcf28d2da0407623be78f2527a9cf2c7e872594747f4aac915bf427cb1e14d360136ccf563d0d12077a0caf2f020fc03f0d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8b463ba06e31a0dd2e1b142381d2d1be

SHA1
b2cb3b13cb998c420f087e5e2d8a8ba01ca62812

SHA256
5f93536d29dbb4a035293bc51ae9a7e7df31fab700561419f4d53e5a9a82fc82

SHA512
93ec24eceb07b8b848b2b9528b1946cdf61d25919cdaa14e6f1ed8984b75195d154a2a156454215cd433b1b6d88b190c8c64c3531c33bdc93f8bcf7fdef63ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8107987714e5877116b2173f9db73f34

SHA1
eaac30d84882b208ac28faf485eb12b1097c3ac0

SHA256
349a042b330db27c5525f1ed4eef645b7e88199dabfa391a271764549c0341ac

SHA512
9d3e03803af2bdb881114d3d6469d49855a9fe2a4c79a28822d798c8c4d404de2c96509a10a9b7cb2f2cef4d752dda3979ef581681c7f3d4eb4a2764befc7df1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
63845afd1bc0fa7c9f2b0403183e9d3b

SHA1
5742da198ffd1d0d6a5d3ec7ac0d9acad9b039a8

SHA256
56ad289c4752a8775860af80337e47430e6dfd73f3520cb7950625b3bc3b7efc

SHA512
6460fa6b139c4286ed5fdcd129025fc9fa1ca1ef0b1615d7f79200c766cff20cecbe20d1ab92bf45b4b2ca751c52247d3a089b70c2b931e27aaa2a5dcdc51ef2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5c31cf0d7c44b6e339edf5fffab36f59

SHA1
c70bb2f4e420ca9fc93818af5b911d58ae134268

SHA256
ca1d02ab5ed8b3438cb40baaad04f967736cb9b2d27c32cfbba9b24aae81414b

SHA512
cd9762354be4e13cbad1a70fb05230df6ea3e88ddc0a8c57329bba91e84c5c35cdf908e226985ff5108ac4ece7734d14c4243e68293ce53c9f423c6d8ab38f44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bd8cc16f28f393dfb8af3772614ddb56

SHA1
0d3fd57060834d263da0591b7158a7aa44841e73

SHA256
89cae10b9e7da3e537bd72f240b760ac5bf7a80b7ec62c84d5309002282ac718

SHA512
4328f27229a7aaf28e569636d5c800c150200efc24f7e225aaa26f1749cf3b70522e26adc24f81910fa122c49354b0a3bb9eca70353dcfdcd5d997217ada7b49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
491754a9eb2c14f77eb1a2659d649bd2

SHA1
69718c03bb0b421c5d364eabafea33fd4c83d531

SHA256
5b3772370dd0e458bac40359b1fc9b73ab6641105eebb6c51333b3758905f6c4

SHA512
5add29141c37401d125fe383f6e33984ca4ac32e6f5172a2bf950c4b1cf9bf44048b07b60a6b6ed956788ff004a99438cec087ea33482ef9b872822f6d871463

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bdf63b3c54e59f4c9a9ca3f2f9c18f18

SHA1
a2532f37fed7f2c78541eefda8ef558330bdc573

SHA256
99b88636a6460ea02049f5dc2e6985f43aaef887635b371aa81f1c12b98a7f0d

SHA512
0d39829504a138c3e8af1517d907853a6f346497eb99c337ce216272e88add791a88325a1a2e55d62a169441845f86a9694148dfb186ccc6d75619f9b5e675c7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fb88590284a887b0331188fd9299eba1

SHA1
b0d1a4bff58a1aee242d06405df7cea155ce0c8d

SHA256
325466591f688df64354a92fcffe0bdc19a6c168e78b8a3110e9f9dd2b1ea2cb

SHA512
a78f1dbe4339ab6e444d60baf88e224c43a17a529115711c2883c9bbee9b6fd9f7c5a586f6815f990888d7d55ab6a6829e2f3815022faa8fbb33111b4a0f6856

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
656f4791a436c57cf9fae136aace841c

SHA1
e9f5976e6563dc03aa927d6238135fbb5261c611

SHA256
a6d21395ff0cb8a654062c7a981f58b197192939c9e0bd5af265e0ce7c76a6d0

SHA512
3352e724c20e40a59e519872a2522f1c9c056e523e20fc1554fc6aa001b5483b8a310959a402f0b43f41ebaef091b38842b9cbf964b267cf5237a550156b5eef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5e701d8a34de385bb9d2c3e5132acc93

SHA1
d4e498075c6f744e6313d6ce4524fb73f28c7e14

SHA256
54ec734f06ef9e5d25c57b1c1e94df6a31ce45b4bfd45d79bae5f7cc9bb3a484

SHA512
356bb9e6a6950752e884743a157c9679d30e5fd8313b6622b63735426f4d9b19de38ac7e09f1153cb58c183ab81730118c3d23b737fff85a01b344a0aa52d1d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bd0baa525596ee223f13556d27a5680e

SHA1
af5b72ab8b99fcda127131db243ccbd4b0b2d80f

SHA256
2600cbb37acb8afb40c7eb06124bf4bee257a465750cba71acaf764b55abb1d1

SHA512
fe01ccd82eda3d2f3de29f34418fb58c9cd1064407eceb7611d61a102fb6cf22bedb749d4ae5e53504b112989f77a5d51277b7775616990ea91b5094775a9e92

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0c5a539ac1983a6bbc4f1a4b57fb9394

SHA1
36c590999e9fb6e757600bfc501a03bc84f4aa91

SHA256
6e9952dd34daac40b949368235ed036972f9c27076127e38aecd3460ee49c166

SHA512
5d7472828d509d3f1fa8030bd71c47892fed1c614bd709c0095bb43f22ca9b0492f40c7dc1b9166dbefc09122092fc3196004a696ccaf03c15882dd107f2caea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3abe46fe9f2ed1bd24c05e2fdabc9e13

SHA1
7862b0956b64bf2cb8b7ff299cd339294f559c14

SHA256
8f691a77eaa86f675a3f70fc73c6f264975e927a3b9b6e2ea662841e256be047

SHA512
f7bfa159f3a9e9a3159b7e9e6d617f208d9283d1cea85758eb92c111dc42ee71be735effe3779ea20e89af7c788286d4eb603414f32f3e0a29c47ca7dc596821

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c2cc81ca612fbd99d6c06281e49541e7

SHA1
6d3449e6854eeaf801893e145628ec4d0202576b

SHA256
37a23335677eead1c9e6f35ab1ad0843b3a5869af12860495c24a15e6d297c60

SHA512
1bf7eb8f10195d66b2e62e842182aadae6f1a5a0e38e99d0086f5d4e4ca86dbc584def0574d7bc070f006ab8320ea4fbe4043ce428869a54844b2ea6e361fbf6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b67305df7b6856c1d100709184e3ac95

SHA1
ec8bf8c5b0ea7ec351bf273e69017d12d708f19c

SHA256
e1adb721eaafd750fbdcf62718e12b0cfb1f8c8b782f5703c8228eac90e9e7e8

SHA512
681d255770c0ddc10dc708a6428d230447053c6b8f9d471dbb8a82e532b3164d6f138c6fe47de9812a206b32cb00f467ebfa1795a31db85ea72a5795f6d5af0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bad9892740544dfc3217dd3a108c44e3

SHA1
3b724c448cc2d8920f9f26c2be8ce35b47bea819

SHA256
90301a805282e184080c1df86963b6ea00a33b4f429b79141d2b5e6f17cb3f93

SHA512
4db7406320696a0ace9b5aab7086f8535fb1ae58198df2d9dd05ac17acacfcd19373fcef35c5a56238d0240f2abc05c79701ffaffbc33cc0c7235589a4646abb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
23e12e217bf706647099db555c08119c

SHA1
62ca15350a08ff47fa24e766c86a4e48370c2728

SHA256
2895b7d584e4024a320a5a9c0069b4aa915c480a1b6fb912b3d8eb8dec1a9a60

SHA512
349607d65070946f15869a1e0390b34fc1882ee9471acfa880e54b854fdb729a137f426d1fa343a7b0a95f3da338d5dc8a1510d1c79c5295b961c98ef85da6af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c9b8ba7c479b42ce6223d25b94b487c5

SHA1
b4b8b6d6a60fca07f462140712ff93309470bbb8

SHA256
37e8cb592de637ed4c2f55611955c5a897719a7bd998885c4455053a6e4277a4

SHA512
6ac5980b9b524bb8e1ae8a4a8ef275dfd912c0d4932237f37568accee76b10492a5450f70ea17ff2b06c89f14f7c6ba4231727eba216fdca4b53551c2de7b275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9459fa94c21a0ed3e8808015e897ad97

SHA1
809635b56ca00b4fd48ce182b0bc81e4eec2031a

SHA256
e88c6652c8ffdfa777d66978354b5112dbd78345fb85a0e9ae9475f22873cf04

SHA512
869651631ede56ea4207f3e8adebdcefe3a3ef493d1bed0cc77752f69c9981f8950500b27dc15f9b4b900a55bb0a1f4ed3e726505b8ea6eff97ec7892aea0be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
826dd3bfc6831b96d76a9df26550347e

SHA1
05e16e503d27d722c32f9ee4c02128ce59891c16

SHA256
5b06c57ad60d421da4281aeb8d97521061a0e091372c674e21e5b7b7b27f950f

SHA512
bda65c6036ac9e79c28683f4c84361a2d291d478e8d469da5c4f3b59d1f371454f9d1853a2eb36b73375b2a9607939672062cd0cf14bdc505e69db5192ab04ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b79272e91a5631290b732fdc6c8323d7

SHA1
9873a3e4636a11a1b200c1cf165ffb6ac08397b3

SHA256
49cfc92f15afb496a0cf44aeb32f51c846b2e309ecec34172dc79804421aa2f4

SHA512
50bb825e8e12a51ad30e43e35ec0ed0e2d4484096ca2dd47c658c179c1d864c85c40356415426b3c8c5cd487b3cb5ca69c847fd418d0bc438e86c0d681dcd3dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
957abcb6efb746d88b8886619fb7f663

SHA1
19b7359faa3488d87a91138b675446d29f4bb2f5

SHA256
317d74471526c735dd78f8f05ded8b7eb296498d39edd983df213da1afac64bb

SHA512
691e9212b99c7e1bbd3a6fce9861bd1e8ab799705e09b5c01d7db90641427a47fb6049027b2a13876415f0a0247a44a5d83cca05a61eeb599c2194226465778d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
abbca298bf157203e2c8e4d8797262a6

SHA1
53b120938c5fcf17ca73d056a8fad378d4b4e633

SHA256
bdb23039e87f6683e5fa76e5c198f5947e279a878e2e361359245596b3ebb82f

SHA512
64c5dc26c045bf0f2dd982526d1c769acb8764df3a6e3bfede1570aebc0fecf26c45d065893fbe61806595a00faa8f0998a695b662c2da41714f920795a16062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
66e0c21590320aae0f22e6d674b1603c

SHA1
570f933801fe2e737fd7a9820c7a895d7f9043f4

SHA256
3abec35c5de32cd39beb5e6b78512cd1782c4a1c6210364f8c93e4e9f6b54b50

SHA512
706120993062c147c6531446c1ca2dbeb634fe8093ccff536a6653dde7b6d793cc20cb255ad5df219edbea83ab1b1fe85561705e94e1b5ee39b25ff52fb36907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
82a4a448f3f3f8eb867c4c4e0d1deec8

SHA1
09d66c1ce152b5ae6dfe1705fdbf86e89105f0a3

SHA256
a6e78c3308989fe0f3daa0bc8a92803230925bb952e069e1ac990e380704d168

SHA512
b1b1d01abbff3d8c3f9824d2b0f496a5a70075126a7769fd74e511c373f017024c733c2bbc4960aeb4437238e2e41e35add47838408625f8285c5fb811638315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c8e061874f5b73a3cb35c31f42d7085e

SHA1
a52c70cfe2bd39e24de13be878bffbc554dc21ad

SHA256
4c3e66d2d142d9a38d9153201b8ed8c1f7e7a131526391fc02e69c9e30b26258

SHA512
b05a58d11d4f161f9e30c455de2277856b39b232db4d9aea3036ab04838f3917851867616488c6d0c822c80055c70f737631d7174af8b27790e966e55c96c9be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
998ab62e722949e811ae1d2e197b39fd

SHA1
502043c9d6040caeba1e19d41464197aeac14e39

SHA256
5ed12d092286fad11eff87cc6f9b79be185a6d61d0577a2008792e8dad8f2f47

SHA512
f477d7702d1dc5e80b88e377007eeea7d5a392c52b3e1479f2faf688aff1b7fce80da14fdae9f1474a6e927a3d9d2879dbfe0d9994c0bc2b4e3b0c553b261249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a29798dcbe231a3a4eda01b76b447cb0

SHA1
25ec64d6f6af37a8f7f170003789bb5308c4e030

SHA256
7afaf9b82ba7ca394332fb93e7987b80154097dd50f8cf3cb38d2bc8edee72ce

SHA512
394a53dce35f8815dad5629b73ebbc81b4fccccce9ae23ddd69b2e7fa418a5fdf2123dd493ada611ddff9ab5f48647e2d41c5432a91a4f979dd7ac8218876a4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b754bb6b15a378541c15e4636366b275

SHA1
1cf9f95623d87a18e029a86004dad8e1c925c11f

SHA256
ddcae6afeca2acb04060c62042b69342bd4aa496a3c039256ed857354077f6ae

SHA512
ceafe3eb8af33ca5354031d14d5fc70a5be8b95236e79141963f65a00fb69b1c8cdc491a1f74257111389e0ad56e29c5d90290134cabf3b539119d32cf3f99f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3d5a16060b81fd247d4e3a35810984c8

SHA1
6f637e6dd73e97ad90f81624bf0fbd0f02bc33d4

SHA256
3b6f257ba9893f52f82fd394c9ffba95f7606f8515fa1275be45ff3b027ee80e

SHA512
1656201533d0a7bd1e48307198f582cfe8651f86bd385a0e10a429253c6e1dfd32cfda705857e4b6808ba0e6ae62b56cdc998b2066f06a4ba80868bcbb118cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
62f2cf6e9eb661b122eb622a8ba3cba6

SHA1
d1ea6affa6f4cab4bff91695288c133aca001833

SHA256
de1502fcbf87bc711c837730d14b642fb95322df832202109b15cbad959e889d

SHA512
50602267f045b0c787681d2c3768443e01a918307fb7de5b6639cc9ee4b152e725ef14bb6ca5df36c868b00c19716e995658827b39ff856d81fbe108debf28ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e64c06e9d4f5b137dd6668a1c34a284d

SHA1
5581b978425711d4add16052a30c3d4ad7eb509d

SHA256
6e70a4c506240d95a37b0ab340cefbe4d42ed4af286c5d3c6c23b7f9ca1c6191

SHA512
1d7dfda2d3c464b23e26f2b72b5f50bb3bada7592d6fcb76185eea9bea1942e3f4be1deadfe8f6c25f742f1c12743326154f3c64979ed726cbb64be18f5fa04d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
04524a233593a7b803926b4be8a049d0

SHA1
d32b394981b606124e6e146839d958c4e695e6f0

SHA256
88126479f05333dcd0ce737852a28003e6ccd26bbf387e16336c1c3669f5791f

SHA512
2139346bcb1302aa25967ae9241937c7a7b3741f7424235b63922e958c24563f8e0a0aa6c76d892d9abf2fecd6c6dd39f9862403e6b4a0be16df89618656e5c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
973a262f6d054e50c057fe37ec719acb

SHA1
c6db84dc7f0fbd095edf034b9eca239b9d7aa37e

SHA256
0f5959dfdae0ea87cc6fbc24e8d3657ed3f8ff0029b8ca4f9be2269ac2430a81

SHA512
82188f3e90d64e35cdd1a79c324c641ad3d581276287b4c7db2bb89036b208bea79f1a00e89b4bfe018705ff4fa6d30d9744d4a0c8665b7c36f5c8f627cbf186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
cd0955587a80b2287944adcfd6a6a945

SHA1
316605ca9f2c1e874a535e60d7c4b3386c16e632

SHA256
3f251e5ce8096679ca97f7b8a0fb1453635657bfb5373b48b770ec715436359a

SHA512
ceec328f42de38f52d4742043659e48fff24f635445ac2316b106e14326caa88b108bbd41ded1c3e72e1a2055254941c88b7f9b8f529c09beaae9b0549fee43f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
8c764af20de2078731a5ad9fe9c0a203

SHA1
4532c91e0cd3ffe758b3aa6da006b2d091c1f036

SHA256
8c55654200be5a809016b829b9940f7d1d73017a7474896ce4622f09135718f8

SHA512
f71d4bf176aa44ee18ba38a6bd74bbdfbfdbeee0ad5aa56eb0c2b9082a5538bb2baf915e9086dc957830b4ad61f827d200036ede1697a8ac6f7dd8382bfa3bfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
fd24df2b9d051a8cad44743df3137c43

SHA1
555839f4e9a9bdd62ed9f2e3cc62a69e2641951a

SHA256
1475d04016753bb71bc3678995edac3746496169b62c9ff0eb217fc9fee382be

SHA512
e76f72cba1f52f78ee4524e4f7fe3d1e96e8ef91b0165d30cb0472c3a3230f24bbb8b876b7b5a7a998e91e591380d2c393fa588aafcb433f07a406aa091b651a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b43d177e80a4f55a01732484a58b1c9b

SHA1
bb8933a3ed097cf79bad8afddca4c82cfb22ad09

SHA256
690495d60564ab9a44a5bc5e9f31a760af08439f4eddca902c99a33eb2674057

SHA512
d27eea0349ef4c70f42c6a90a4c273a36498b43541226f1ee87ecb858542245942775381eeb684936182c2c29c9783aa1555cf51a0361c84d0057a3e83ff1eaf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
95f51a6a8fdf5f16d5a9d5a57a829dad

SHA1
9194f0fbb4fc8b2ff466929c9b01cbbe6bc9e674

SHA256
f5b37ba743e71d0ba0a22a455f6e94806986a0f8fb138dcdc05e5a64c31cab9b

SHA512
7d36816237f9690dfc16fb275a265cd2a1607c3644bd4afeee00abdd6dcd7e71c4b8204258f0a57376c6635340078ceafcc37dcc6637ef2b4898dd0af4aec795

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b522ba43644d4df81cc3f26dab633596

SHA1
1fe71212c2648e9be5fef12dc30cbae3197cdf7e

SHA256
b01dd95d026097a31f9dfda9fe27b995d6563d11afeee4c713c892d570629368

SHA512
e1f09a03e1bca2f4b9917ad5aebdafcebf26a31480b59e3b6242d2cdbccb557f258375f6e014f0415a50629dfc90287f5b4f7f992d696ed2b3b69c7a1cc3038b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e2f0ed53c53bf9bf0d85e16e327572af

SHA1
05ffe6b55a4d1cbb84c3d468478e327ebb97e016

SHA256
a3aa65f70523623f18678ec2513e1f15c965407df6ea7e29c28ae347860d6790

SHA512
33199a7c6864a8ab8cff4bd676451439c24cb30559fc216f59fc2ce1b5017e7ea98f8a56dc76a0b003147d0c0aeaf38d2b0d82b39ba857f168deb43700865605

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ffd10316b674d52009ee8374fbafdf9b

SHA1
87b4ee8a12cd31f1c66be6d1f76436d71b29b552

SHA256
fdfce492b0ef972739c320357d577389820097d1515c317653fccb8dd1e509d3

SHA512
937d369f2f8d879bddf9b255427e07d6c4d77e75ce95695d19c4f0fa8b912c6f26be77b0537af41e663114a4ebddbf8b7dd5eb3aaa5fdd3f877617826d4c25f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d583188a100c2eb6d416ec294dd9f4d5

SHA1
12ffd7a4743ad8847efbfcec7060963b3ce5246a

SHA256
1815816b3343b8bccd41031b66c0256f256977ef3f321c7683e5a88fc05af6a0

SHA512
a799b04e9c5fc921cfa01a661864a118033cf3a441d738e467e839be5d374cf1541aeb1d417259cfc85041c6e541c130164b8bec8b02c65572ca2b608278adac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6014c9cc255e999dca125ddbedadb509

SHA1
749e8f26f5d5482dffb169b12cd93c9344e7acc3

SHA256
2fe3e81f61ea198ae739895075c18819805e902d9cc0ef16c00726a732a2421a

SHA512
6ca015e3acf4fe92eca75ba94fb6cd9f57ceb11efe29aaa350a954d0e75181d729ed43d8b6b59cf16dacfdb3551f649573a0b0bbaea398b81e26c138963194d2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8d38d0f57242849f9c160e81f2859816

SHA1
19d225a16fca7c06e4343eec157f35b6f7062236

SHA256
e98ac9a9116a3059b9ca81294ddde964985e05cee8e2bef3aefaecdc0529bf35

SHA512
d7c94bb6586170d1684bfabbc11632a3f9a6d029d42ab2d6019d0f0034880e48e858a4d6ff5d0c9021e8b755fe9f194dd501cfc3fd720c5e15714eac93f897ae

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bedec7735c99ecc6ec24e9eb0d1f7e10

SHA1
4585c4f398f321af74064f9b5a6461b43768178e

SHA256
504192b57080490daaeb0c9b65552eab5840beadbd96ad55c1c260f74a4f8fbc

SHA512
c5f7a861196de9dcfb8fb2741135f080ec0bdf4ec43efa3cad14acd12acd213fe201c11c0eac422480420a8d7d62c62ba8ff18801faedaea659698f4bb466a04

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
793c23836c93afac2e2d80e7bdd85043

SHA1
9a3a3882e901de0c286f90ec03ebec61552d9d6b

SHA256
bf8e085aa0fc02f0defa8c639d011002abb1eea4eee93cbe91d88cbc194a90f7

SHA512
fc2b43f878050ca44c23ceda34648bfdd9f813418aa62b6287b4edf63063a678439022eac495482e293ff43dbc3fc942446c1216a02df9d79f83ea92bc78faba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b02fe655146652855c7c129e193d94df

SHA1
e23cf623d08c6c01fcab71f2b2aa36fbca769296

SHA256
ec26ed94f708e56ac7935439c5901e5aed840ecda8e526af50d4f865bafecc7a

SHA512
5e3216a00795d8cce10f7ee275dde7603249c5eb6c6d63a16a8f89f62795b52a84b84060d2440792d6a689560477c71b49cde902b0c6306ac5162cfe6b360be2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b8b12e0cf7e4815e8111398db2c846a7

SHA1
545a2fdbde44fe2a0f3f3f4538d657ee83aa2900

SHA256
eee70be039f88d1f36ffc53ec4317426f3baffc650ba4b041017722dca9e34d3

SHA512
f1c3ae7ce9769c603d4bd6437965601bc43afb94823d9df07c99d40684ff84da72961d6637ca31ae04869abb43404df5f8e40066adcd3d62be03626ee7a948a3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b5fde0ccd8e357a502de154ae7ec1a2

SHA1
9060e1ec8b73647f2abdf59335d873a85060d62c

SHA256
b59dd1f6f8e013a6e5fcbc1e554d40d6d4d0490c112e950c5556d7b7cb148602

SHA512
7304e20c1ff69d20b293e9cbc514e06aa26b03ee464d74e47999f7768fdd09cb5ff7de92c3f4e710c83754f50825c0b81188e67b1e54a20eebdb1c93c8d9461c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
52b8a43418941509d043fe027930344b

SHA1
7b2567297f5fc93b27567c5385bc25758d1d9fc6

SHA256
a127a0b0d0f77ee0b2cda566c5574169ca08542378c921960b55fedfb6a48919

SHA512
9f29715026aef440f9d9e5d02509418064848066afe076f7dcfc7c84a049276d9cc07227a5d63564489cf5b5018eebacae992ec7c2152c0914cfb307f6d4f6b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
be727ce36b2a6040da672dc438dc6c16

SHA1
4ebfdf1887cf86fa9f46fbc3316dc8fea74a8708

SHA256
84334eafc82e365757dfe77bfb475b21af7742949dc4c452a7812b3cf26ff10a

SHA512
59085f4b053a89f9f531a51b768ab14fb7fa80f2d825979528b30da35ab5e470c37a18666cc7521a863e952ffcf0e36ba77d931ccdb9691ce249a1f3c2ec399f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7b554551816bcc696426d4f8f612222c

SHA1
02a8ff8642057ca32a0c84be2f63764ff0d8df26

SHA256
bb5cbac32d0998162cdf5a43b2ae869f811f0f6c6ca8f441f110d3e2c3c99589

SHA512
1a12c2a280d48d3a63f0fe57c20e5c6b7fd67b2b4d6783f19df8b2b7579c73621eb1066c2a6efd5dae3730132dfb69abb54e67673279cbd0f24fed2b252815e5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61b5317d9624c23e4d61ad1bff74a122

SHA1
4ef587aafb1653a743715c4a9a1fed0fe717f782

SHA256
bd89963e7bfbad6df3f656fbd6b053577163d31b15fccc7f905fd766e13be9af

SHA512
5c854bb803af19dbc02be3428e9727b96a972a87730033ad49476c04c9445b1c535bee176ca6c8b83fa2de39314634b6b610d4a7ec102a89988d174afecb7962

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4a37487f538e3d8c1d361b9daa37f335

SHA1
fb8e7387bc473c610f38005d4161b79a152c6bab

SHA256
dd7f6e45fb608ebe1d95fd0ee77b69b64005be8595913ba3e2cceb177d494515

SHA512
4894e2d5a8a1b64eec8568d755fc212ba39f5734c4db78cb207cb799591d9b0387923cf5efc29a79d26efed667543aa83025cea6dccf4133ef1611e6963da82b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
14caf6096bfa942191aaa3207a180ecf

SHA1
460b223c6b0a9bcc1427a4b8572e2644afc205fc

SHA256
e1904218b4912af09a4c2cb736131e2e877d184c70474d9239bf11c429ffb008

SHA512
d82e7326edf4f71b37991ccdc7346fc15a7df94d8fd3c1932586724bdf1035259cb260fead0f9d9662774b07be6bd642f004262b4f7762beb1b387968bc3533f

Download Submit
memory/432-5-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/432-9-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/432-13-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/432-0-0x0000000140000000-0x00000001400B8000-memory.dmp

Filesize
736KB

Download
memory/432-14-0x0000000140000000-0x00000001400B8000-memory.dmp

Filesize
736KB

Download
memory/540-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/540-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/540-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/540-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/652-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/652-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/752-396-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/752-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/968-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/968-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/968-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/968-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1220-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1220-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1220-29-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1220-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1656-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1656-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1712-358-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1712-246-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1712-253-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1712-247-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1928-62-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1928-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1928-65-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1928-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1928-53-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2420-580-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2420-422-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2512-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-258-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2512-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3212-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3212-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3212-70-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3212-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3228-579-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3228-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3264-419-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3264-301-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3504-573-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3504-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3724-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3724-569-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-572-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4160-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4160-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4232-384-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4232-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4304-552-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4304-332-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4912-574-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4912-359-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4992-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5104-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5104-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download