bc5f393833fff6652b6597193915a3e8ae544f862ff11f1eb73ecf0947379a61

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9a0048e1a4b3d9ef0bcacde85e53ea0_NeikiAnalytics.exe
Size

1.3MB
MD5

b9a0048e1a4b3d9ef0bcacde85e53ea0
SHA1

bb16d35ce305441d885fb40ac0ef34cbfed652f5
SHA256

bc5f393833fff6652b6597193915a3e8ae544f862ff11f1eb73ecf0947379a61
SHA512

d07dee5b924b88e50b606ed328564dae224099868136858d1157970f38d159a0686bccd98b86c08c82ba89c1c90fa0c90dcc1bf0ce5ca66b9c2f71f477bf0438
SSDEEP

24576:D3LutmkEz+PAVV/bOInO4Xs2ztR4iegxLHgZpJE4VDdGUOoTqy8QCYrLLeYKUML:DbutmkO+wROInO4XrztygxLHkJE4VBGp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
712	alg.exe
2776	elevation_service.exe
3668	elevation_service.exe
3260	maintenanceservice.exe
3008	OSE.EXE
3224	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
2696	msdtc.exe
2888	PerceptionSimulationService.exe
3536	perfhost.exe
5108	locator.exe
1988	SensorDataService.exe
4948	snmptrap.exe
1576	spectrum.exe
4648	ssh-agent.exe
5052	TieringEngineService.exe
3372	AgentService.exe
4100	vds.exe
4504	vssvc.exe
1504	wbengine.exe
5000	WmiApSrv.exe
940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2955d8974a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b9a0048e1a4b3d9ef0bcacde85e53ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027293f3277aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4bfd73277aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f92fa43177aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfe1953177aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000141bcf3177aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008492a63177aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000eeb813277aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d603193277aada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2776	elevation_service.exe
2776	elevation_service.exe
2776	elevation_service.exe
2776	elevation_service.exe
2776	elevation_service.exe
2776	elevation_service.exe
2776	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2084	b9a0048e1a4b3d9ef0bcacde85e53ea0_NeikiAnalytics.exe
Token: SeDebugPrivilege	712	alg.exe
Token: SeDebugPrivilege	712	alg.exe
Token: SeDebugPrivilege	712	alg.exe
Token: SeTakeOwnershipPrivilege	2776	elevation_service.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeRestorePrivilege	5052	TieringEngineService.exe
Token: SeManageVolumePrivilege	5052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3372	AgentService.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeBackupPrivilege	1504	wbengine.exe
Token: SeRestorePrivilege	1504	wbengine.exe
Token: SeSecurityPrivilege	1504	wbengine.exe
Token: 33	940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	940	SearchIndexer.exe
Token: SeDebugPrivilege	2776	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 464	940	SearchIndexer.exe	124
PID 940 wrote to memory of 464	940	SearchIndexer.exe	124
PID 940 wrote to memory of 1256	940	SearchIndexer.exe	125
PID 940 wrote to memory of 1256	940	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b9a0048e1a4b3d9ef0bcacde85e53ea0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b9a0048e1a4b3d9ef0bcacde85e53ea0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
929bf3c2f6c172fea13875fc4ecccc11

SHA1
1e08693246df7369f323955869789a43bf570450

SHA256
ccb9a7776a50d3b09e4198b6158aa8ac922c3d9d8030c6de603ef5927eefd380

SHA512
84e6c69a75e567e2c0dd9e413b2b5ede484b8030a3e107300c55e873c38a7915bbcbe7c48968ed560cb752148dd785bc3c6ad0756be4db98bf16c68a4a38ba18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
99698df7d66596e5d971cd69fe3456ac

SHA1
9ab233554948edca783d96056aa77185fa4d0900

SHA256
a90aaaf8b2e73e6eb198f8d540cf37dcf8876febb304162ff9466d16c79a5551

SHA512
44bb4fd3d91eed51865bdc2d5d5883501b6d81d5d59bb264396de9288e22d73389624d36c4435c523c18628219688a494d9f5fac7eca70393998a7398bfed2c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
207831e13bc281f0fda86dfbba8dcae2

SHA1
e5c5c96c28a5a57678ecefd55c2f70c4eeed6148

SHA256
05e4837b65231af490020473566dd4adfed3395a99c0910134af7e8089f1e709

SHA512
95f9cc382e9e82d1751b6410d963e02ef68ecba1ff4b091539297b291282163856d2fbfc65713135af74ef0762e96716ecaccd7be9687fae2a9690a2ec12bede

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
96bd50900059415c04f0f11bc125a833

SHA1
1f4352f04cd7929668f23998e2cf06e370b5dc42

SHA256
d0d9a45d30f8a049e808e7f6b74bd2445bdf8e8ad251db58e7728d577421908a

SHA512
67bdef1f25ed0b57dace46afd8de30bb1bea272c3a69bc96e479a287d20e33d9d487e36040c6477bd9641b9e55becfd6fdedb9e024aee0d357a840108034fd9b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f1bcb4589edad687ba52ff70955a53e8

SHA1
34fb37c62e06102521e00e2bf6e73b0202c68a98

SHA256
95f80cffd9e0a0d902e3f2bdea7486e9678a9d396ce9803303ba12a7b53bf85e

SHA512
6088004991d68ba7c7066e81dd525d39039fde975aa2515f38062d3a0d0757d0f7f045d9233af096a929920ead6bfba31282870477684f36603d08bdd8fff8b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fb18e146eb101beeafb03f91ad8218b2

SHA1
93bcfae706ee715f08aacf76a30ed3fe9cc442c0

SHA256
0232ac1fc7c37c0be7442ce80419f14dfd7e430a67acdf8453768e8cdb1debb3

SHA512
cc34af863e593e712f08c0ee14fb130e409aaf10bb4f105ed72e345ee1206aa2f9230451310948047eda2b41ba9e31f455dc5ceb19069a99413bf049eaf8900b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
211719ebeea77fea35245c97bb72cefb

SHA1
a0dd81caf09cee6842e54e44dbd013108940bc21

SHA256
e1b320367320da1c00fc5e7830588d6235f01a9c0977d22e80170b91b060c9d4

SHA512
3419083105422ce43104872ad2b9dd5a97e4d102992a3f3bf43c23d35a5fa5c9b77e74e4bb73440325139313923f5d53aa2e4e96b1fde256bb94a57937bcbebe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fdac0455cfb3b660a3b0a2327094f9ab

SHA1
c726b31ff3b9b6dd2e03aaff79f95d00652c2123

SHA256
ccd18d2391fdacff31fccff3dda4f4dda810d79b57191d06768759426a88b44a

SHA512
9a444995d6bd1c003f302e27991740a0ab83133f6eefbf53400b5d71524a81c20613b71a1b9d571adc005d6ec611e4579205d1c7e854ccbf7c2f2b9906fdc38a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8c15a046fe703f4532e52fcdee33b51b

SHA1
49c9e347f29eb292c53eca01bc91d20223c270d9

SHA256
ed420da0960403d551fdad87ecfb683d76717ddc717d60e37a18e96fc033b50d

SHA512
16efe0fe0fef97a51bf8c46053596b422cd3ba80c7164f845839132989f72c6a3bee881296785485c2decad7803a80b691a59db3d2183ac2458641ce3235ca0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9f86c95a7b4eaf2ed2c2e33b793fa78a

SHA1
3462bccbf20967b8117ee57d44c7ea1da97f58e5

SHA256
6535ff44a6a1bc96d57dbc1afb82df4c897b36048f7305adbeac5c477c8ff87a

SHA512
f1c8989c10268053157d7392fb79c6a3499ddcb99076703a7572eee8940af59f23e094b1e46e22ed99ed0aaf43f0ffa3e49914a408cff724f3e48e94929026fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3de2e3306dba6bcbbe2f907a0b9d1327

SHA1
05dab09ab7d2a58a21a4426c5ee71ec3d1c22ddd

SHA256
aa620a813d30c628246f033404a5f2d4aae77d1c3690f93acf9c046953db02dd

SHA512
9668c6c4b3eb41f5b82eedb59ed5a709ba3607f1167b3f579b6bdc91a3f7bfe9fe73ad394ae1922b6f90b1922eb2d0a288a874e68c11d460332c5be3fa571bfd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b0f0711f527525da3d47bbb8300c96b

SHA1
43a01be0121fb028f3d8ea435cee614ccbe09c1c

SHA256
e328d7838332c444eda3f86d5add424a7bca07bdd9d3ef4e2912051014c39209

SHA512
6b1e90e701c9edad99a653cb1b78b0aa5b4085a91aa88877a464a3db4d91cd868cf6ca47a9c32ba86c57235df82afb657b4ea387480dc024efe103240521233b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9464488560ac11f08f897c3d27409ef7

SHA1
e7a1f0f09529db7c2f2c23918068efedfb357d24

SHA256
563733e70b6c73a70b5bbe46121652ac7a8003d8d0a9a07ddfb805a946125785

SHA512
a2af9ec77783a8467566667ceb9e6c8b45efb50865d4f602dfbb70609401df6c42173447308a2dcb05d273d48b089ec72f76cc78be6f7a29a19eb3b75f204028

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8aec1889fdab50e9a0d1febf39e29764

SHA1
0a88393a1fcc0e6088cf99d2c07e97e7a608be5c

SHA256
95820ce7d074ebd9424453269ef46960f97e7a6e0dd730d7fb01a26a6adcc690

SHA512
38b3ce189c689d6ad66e4a3aa4cebe93f338afd19737859288ba56519722c664dbea25b14083c034502f9e18fa4417b939f2992002fe6731458c13861e415498

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6ff4f62d0e57a729d82d9711131f385e

SHA1
83d5d92998b65be16128b128d4ef58ecd4eab3d8

SHA256
dc27591ce08d341d9d22c64875b20411a7ee1269a9a8c1503a705121af458211

SHA512
69f3de371bf8602ad823ef40a76e8cbd6c0f38417188b6ed14b145c7f40d01d53e12267786f30022ba9b2160ad9b0e51b6da8d55379c45169c50d315324ce584

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a8440dfdb96d499a2d4d57475ec19342

SHA1
bf74c8915bd72e3a8c8ea43368c00de6c8e2e3e2

SHA256
d3749c01eb69844cebc44f843a3e07da62aa83b26cd74a4237f4fb7d8fe47b79

SHA512
ff67cdcfb04f1810c8f00d4a02c867aff25ab8940d9ef33ec623953e1e5ee763b2d13d693493a4fae2f5ea3daf0df351be9c0ede517bb7ed760ea5be2d5e4d45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2495cf81237351a0808ba78b27a18485

SHA1
767d01bfb7f22c74b254a202ae662ec5c013d036

SHA256
a712faccd4071dc39a06fffad6cfc7135cfed3f00b4f76e1dd4dd27871142af7

SHA512
6fcb7ee82bffb7086b012000a99cb0536e02b32dce5e054be1273ebc0037e80e6f7d02cf782cbc64c0e3ce80a2d360e3d817cfb26d664f4713eec45adcd1c56a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7eb545407f2c510337db61627014f8d1

SHA1
f60e101510a14881a37be3ae4e7191430d88ce8f

SHA256
096e2d2e0f6cdd196dd3ab69776527240008b4e284d8dd0aa47fe2c8e8eab04d

SHA512
c794d28bfe00793b9aae17c61fa6a464ce1194c3e0fe42adcddf41f940a04aad09a36b55efb76e9bcb509d4a63cb812478e836e000648f69089c352fcf2ea17a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
563e867aa2b73f72b57ffa78dbb41ee8

SHA1
27871946897e24f53878d625e4ecf32aa6520ac2

SHA256
6b8fdc6a837bb202a4913f8d4c87e67a99f3bb17b9efb6fcc9747c95e6ac0bce

SHA512
9fad20d0d582dafdea7430d7959a33932ba8a6693c0dd45b0736e8257b7f574cd8eddaeec391d21fed1b070c91099f17cba4cf8b9c2e2f97611c1d67ddc20ea5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
31851dbad201260781dad416cee716fc

SHA1
91b090fc7f8eb6f81267b039a2d3d62d07a02f09

SHA256
9238faffeb189e9e43ccbedfa4e34ff4dce057e6df39943bcc3a68d11780f475

SHA512
79c787f4cdd6ba776ae6e4d80220ef4cc661bc40867df5d40df6009353f7b0d6eb716acf6869e3b6a9eeda26f31ad7f26a0fb3a9e2f3df67c453f617197bd882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7bae7782538a6e0256a6e06abb74b869

SHA1
2cfb5d056fba065c6139d5df42a07dbbd42ae726

SHA256
1b84a30ce0b90c9c4cac26d5f2725e2313aab78de4abe8f7f2f36db8f36ec309

SHA512
a2e810814337eb6752627017266fd97c81a3cdacbc025155c75474e3bb7b0bc37a8071b8688792cc9be43ce5fabbbd703225fa7c2147818ee8b8b0f5bac898de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3786d8bc7f4b9efe49aa5c3d029b23b0

SHA1
446fe63b945640fd98e6d3bd8a608bd58cb1aa56

SHA256
644732ad5445bcda733f853afcae561bc777a9e0ddaacde3767b81d4e3f8b2b8

SHA512
21431da1c41c424fb775b55c61d39c184a6d672d61d79147bf2cb618f0e523eff20ec8772780fec720cea69b89e3d995fbe3d586a5cbae121091d63a861b1949

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ac61785bf5709addb32ec1b14df0f58f

SHA1
b4c9624ec961a1e6347dc4fbd593d2b0393a5d81

SHA256
396e51982a831309b8c532140872d0ac219b245e8999d9d39ed7614b16b2de28

SHA512
2cfd1f3cd4ad2d04857eff04a617675e9b1da2423cfae72f3e8535e7cf51e0d7e3fa3d02890bade53344e776a4967121469c3e2b21406860281db40329ac19b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2d157a817166fbe7354497e54acbf9ab

SHA1
fc2b366661a333b4d8a0524213720f7101088d7c

SHA256
24340e7d555b58625752ba4ac5a5b5dfe0f295283f0caea23f9d222e4705a704

SHA512
e68e431efd2fc8072fb6804f82a88d6f57a317d20612bb8ee6243693b72318dc1869800ef7e0742bebe7679387a21e17054e8dd94d0dee79dff64adaf0a8dba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f97dea7ddb7a97a520d4ba321498c80d

SHA1
5cbedc401798c57210a19c44e30974b6659c6d43

SHA256
b77f9e1d98764d7b3e60466f72adc034ecef78a43bfe3f4c0589ef19c41ea693

SHA512
df2d93386530f65939e9e8d5daef9e73a9757073288f9dbbb3de9432207832b0c3ebd8cf31170748e6caa027d0e08dce7b7b4237241e02fd078533eb3fe9c20f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ba091934a49403fbd67ebfb9da9fb608

SHA1
f023f4e34c6ad62559e23be4d7a463e6353116d5

SHA256
44e1e605c8609454556661b251534fcd4f34ce47c3371dc2810ed834feeb9f90

SHA512
7eadaf7c6043647ab8d655d0b6c143dda90e32d4bba7ee03f9fc1e63bef9a5a7bc6da54660a83f2e3258c7230de2dafe9b52b72c70484397cf34a3219bf22a1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a3c26fd29c140529f1a0dcf02bedd22a

SHA1
4db05e805c1888c8c14de097ccd86ad6820cc56b

SHA256
56c53c1167f56a4554a6f3d290da035c65a1f2018536f3d9d363e4e1a54b2125

SHA512
0d6aa8d90fff42bfabee8801c0c8042083365f10f86cd39163de52aec3d5a3700b0844b5ed01cc16480f4cb7a760fa6f20bec9bf03b1346a6f148a71ec0c237a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0237d54894feefb22464e96cc83aab92

SHA1
6cc1a22e025dceb4b4c5690014cb797e07ebe494

SHA256
d2663ff348d8e7f3cdf452559e693cadd10699eb67400f64b0b98c03542b0867

SHA512
3f2e4837d1a77230d972132ca8bcb75188604594fc0b02f72dd0c7e3fe8ac0d40b4311dec878a77964db66f6a34ed28ae51467977a9aac10243e104d1ef299a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
49937376c42c2bc451f47303ff603171

SHA1
026f97b2c7fafda1237712556df199e84309fed2

SHA256
17400b4aacd2b557ca1d02d20eda604af031eecebe217487fbf30be71fadd51b

SHA512
12802d22dda1296a758f198d77746711c812138e1aca35b47670512211e36b392e7b55adfa14166f8fd58da4f3a4cdd5106d9fdd34c499b5f96990da02bbcc3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ce037e7a1a7e15c537484ce21ea6e1d7

SHA1
71fcabcdbfd4a086e3292fe4caab5f6c25a1a91e

SHA256
6528d77adc211a98f67b54be33466145ffc03499a572b5d32eba6d894ad57781

SHA512
3340f98200ef8540a791cf04ed729b568b14c6ced2f7f70feac6b595a55d0eeb6a256c5f61e58db796aa11a1243ebc35b564ce40f51508bc1504320e2d6384d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5384c7bc904765621da65e36bb56262d

SHA1
572b37eabf85097f383d98c50f65d87517b8c01e

SHA256
0d45a47182e606b6973db97944c3ca21a02451caa4a213b9930b6e3549fd0998

SHA512
eaed5083f607b3590d88cac1d414bf54177d703b15344a2aa7ce84161012f765b8794aabdac01cfcc4c0ea06ecb2d58a2e5817a167cce9fee83194d40e3e1b70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1aa45b76b4ba3045de23a19f7c4c4793

SHA1
7a5ef97a32db1a2c661854067a8a3b97be2ec2e4

SHA256
7aecb621cedcde50ead755c58ecb4469a8d5731ac5ef2bd151104cb35deef2f8

SHA512
1de2b12d5820357428e3b6019045d43667683668eb55e8683ba0d903be3c4dd66654198f563e4c98c24e899adcab01923fb0a7fa919d38facb62204b45466995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2fe8c30df2af8858c901875c92bdd4cb

SHA1
5b14cc3e09f9e418e103312710a504c29745ae21

SHA256
7b6c26838619b4f9496b6b51f47a69f0d296159c00b4fc422d62dc543d822be6

SHA512
fe4963134e00497329b302bbb5a889d19971b8d38b4a295635f92cfced6509d0ec61c1a03cb9aa3b3f55056eb45707bd82e0d958a56fe3d1b8e55c2d8bc73930

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
337faf350603cb3634169d5f31ed0895

SHA1
1b9fb73810c43c363e39d5e22323fa06de0ca033

SHA256
a8921f3a45cb4669cd02e8ccc71e2fd364329f3d9e61c7efa7eae7a1ec89eed5

SHA512
7e0087023417db6c058fa988048e8bfc95a85980c175a83b7598446a9545159cf6395aca23888024854ddf9e415163a8e00d018a2081ae381e874bcc6e4b48b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d99d4754c01d265c894db4ee4eef4a6f

SHA1
69187e934e97f7640fe8a1dc748e2dc4e9d7bc5e

SHA256
3ade2cc913ba26a21b8d2bed0fceecfc938155e59c697c41e2aedbb647b4476b

SHA512
cb29d9bb5048b6253fd222b56a95bb4077879dd870fbbe2a9ee8329d9a1faef2563427cb91dcbc346e8c0eb944db4b96825b54a89bb4d204b1d21c63307f3d02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
39e1b2694df5b09645af0c6b0a560d64

SHA1
d8a270c2e3ca55cba7fd54e3e7b23f92af63481b

SHA256
f3917cda3257cfbfb61c8003bd6febd6f50ddc4d691fc3293e5d33b92f7deeca

SHA512
622aa720411302d18306e3fb946f88174c1964a7e13cbe6953068bf2b0eb4b51f8e6bbacf0ba3fcc7574732f6efbbc826e52826a54f661ad0f4ead99503536c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0a09726dad0dd12241be9d1f1c98a43c

SHA1
bb43ad7c252b4a78134413811cf4d8679395611d

SHA256
092dde8acfcc064bd73da898eac5e4b48aba0025ff0eaed048e2cf591719fd75

SHA512
1bba87eaf9a688c17a6b9219525e50950aca589cc24e78676a95bddd3ec90b3d9f61332d177e9ee29e2e35b267bb4b1121fdc20aeec6aeaaacf1e51808153c18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4e806b187bd158115829caa4229f4efe

SHA1
e3781a79b771aab80073f1bcd6926c0d3586989c

SHA256
0c91c493fca7b4ebdc1abc3b04026f56a40becf61dc7b12e89f3ba39b676a9b4

SHA512
0f82d6c0e06be0e4c49d2fbba595a8a7ee7c302b8ee2c1b5654cce577f640062164c67b67cf6c161cb1aa0e142e1f5e188bd548f4ed5d8529b80ee219502bf0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
42c0f3cf218c7135bc1501dde31d85fb

SHA1
1c259994509e176578b523612d8f23cdba40cff4

SHA256
c08417bf36125be430b0b66bfa6bcdb2ec445bb4a32007ae76de2c36ed5ba877

SHA512
05a844ff6128d973e55672232be91c9f91ebc6597b19c616a106b78efd70d53ef6fba9597d52e334221dac07affbc942763ccb9cd141da3d16de7de20794d767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
298fed9eb2e72cab72e79070c1b83000

SHA1
5e1b7bb2965b121d941e813baee7b44f14e420d3

SHA256
84a892ee6a2f40cf7b69af7339fd5033ecc692b81812284394caebc0066d5044

SHA512
9bb4a29d24541dcd70ddb75b09c9d4d7c923f652067f1119cec486f47e7d81f34134f8e965583e3dbfdbd51685b2f2b1c3c6c36bfdf4808da7cfa24e8207477b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7325925d2dba340014010432184a09a8

SHA1
561b1cc077da525ee45549fe04e19ab02c7a1063

SHA256
1f60631bd66534099cbf808fce11cc0cb6df21049d5da64a7fbcba2f8aacd193

SHA512
a94f49a6cdb360746df46e052c5361dd97c1650a77aef5d5c369888decbf9136a49b17943ba7938f5756f2bebd2ef28e36df2e604d882f6bc6f76fc6fc8b3541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
3aa46c74092b1cab24f004bec1352be0

SHA1
c8926eed09112f602548aa3d88a27d22e4f28a37

SHA256
92797c70726afe74f3cdc033eb6dcc4119c5ffad148ecde253b5c8f040379831

SHA512
1bd5eea8c39d6353c7f91d78ccddab2cee6a025d7a4d19917807a18e34934e39d56f477cc384b34eb3c9588ad7663783bde465da88e7afb5dd1ca7d3beba10fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
b30552fb6608489a930da3142603f9d0

SHA1
6e1b62e04a50d82adae9eebab8d36ee4a1b7b2f4

SHA256
9940fb6e2b77e176f321d83007169d8d8d5e45130029185950cd978cca18844b

SHA512
e626eae91fdeff1ccf1c0b6417f2ccf48e1dbc886f1e53c96e16241de809c46284953732a0734c9813867b478e7036b90953f18cf671d7a5f9cab24bae6a19ba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7190b962a88af0f1f55086600f26d15b

SHA1
517ca9e806ab50f5c735b049bfc1de0d23be23f5

SHA256
a17bce5f75b22d3bebdac8e6e5eb6057f70f7f28912246ffe3e3d7efd2417d3f

SHA512
8609292287fb3f8ac6db18d46c102307a316df825865c2f5137f0fe114c7a549f2d51d8088def3d2a3d2c2cdc44ce48710e7317605c37c8295be911e5cdcbc86

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b9a67a4604edcde326df226c0f2e689c

SHA1
148ef5ad3c205a1e33605e323e3ded3ed25feeb3

SHA256
d793e7ade85f84f0bc04bc5f5010e14ef2af8173c3e074965d3159007379e04b

SHA512
36f27d2b517e1c522c0441d4a5226e372acd7f6d5aae7d9023d466fd9903c022d38dd9de60967ca25b4c33c689d6122dc684f316e5594cdc1f08983ffdfe1a7f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a900c3d58fe6f8df16a06c305f12fc1e

SHA1
168e917035048fe51bf4ef59a70b06797654eb21

SHA256
4b994ed719cf9dfb615d006512b3302450d756fb9fdc915832aacb2bd8ef82ac

SHA512
ea477e3aa9e1ee36a08ac8d173202832d0450a21163ab702f0456ce0f91bc8f7ddb9c05dead15c4a5288bf294aad17000c33f9f07624c6293328d2b4d54257a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5833979cd10d0a78729fe888e0abaad0

SHA1
e0af32a4a9787829e1dcf957523d72c5a828ddc5

SHA256
8ed9787c6e49b6550260da162bc962d4e7c26f2390c99e2e7275aa36e690e10e

SHA512
5234eb856c705c2e74680bf1265187c511e2efbf54de610147c07819e793339f346df80fad63eb2c92a739143412ccb7c20f7e3e13ebf3ea506b1947aba707df

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a0de85f49d835c99d000d8e1fe5cab73

SHA1
79c66e9d0822f2a4b3ee9bb7c5761699233eeb43

SHA256
24a2393be261b1be4cc3bbfd6d27ffe8777cc27964ee8d14cdf1081c35bb06d3

SHA512
ba93c4a24e488e6bfc5fe92c539317de87226591d3786ac8fccf53d18d6de88d0dbcc3ba888fe35e83e0fde57ef8f56898e3697993afff431a5209ef32828950

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
72f9e3881f643caeee616723b972c58e

SHA1
9eae0556bfe02d495a79597e1d9aeccff8cc7f9c

SHA256
673266bdb4133f8274947a618dd72eaa6c030712819d4d3974a3728591b93edf

SHA512
052961f6a445c61eb7e560123b3f31e02a6932c0cab702c9ed5f4ca90e6e2de42e4c2ba92c40c950807e053fb0cc267c51a20ee2ce8d7358f936a75b2b4e7d5c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
84c7f78e006fd669959b8fe8e192c34d

SHA1
7e29823cb17b30cb5ffdaa6bd199bc3039b303db

SHA256
cc91b892bcc26913f83f169524bda7f79053d35c7ddd52b6064f69e72ad0aa27

SHA512
fa09998f2fd6b45b42223f837e472bbd936d5d3655b6b9a9e9a29643a1a9b98404e769e4acbc4402e6d06b3a7a14588052c0c3aa78206e8235fc924d8e5a43c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
73e3c1107d07537d0466234ff3f40557

SHA1
c7dc5ccb51c163cca965ba0d994d6a8e804f919c

SHA256
628937be5a13f3fcb38c7ff3f5cf8d4ae0841765a9211eeff6f0710017bed685

SHA512
4f987fcd7b724b2ac51cc9d47dca7b9e004bfc24fa146125edfbc7d0765e2c44028562877eff0f8819bbce188b497c850c18b7b43ecfee8a2f12ca3e72d738f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c24bad5e53a90cb1b9902dad13827045

SHA1
7f118ac4faefc159dd9d42219e6480f4cf170214

SHA256
bb9ea0a5a7af95805183fb4aaf25006f45e24af1b8f3d22ac116835c5f79970e

SHA512
3296b08452d5090136ab04db54acdd1203c4c4f2368f75da46c3450c8c0327ae7062e3170cd1968cae28ea6e538c9588318c43fd60f0b45ee6cce0c0ab4806ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f9c29965fae82f9dfe37e65504a91fc3

SHA1
4b385402ad19d1c5d34fc8de7af809887fc83bf6

SHA256
051b122ec54e41c19536cb0a6d35ebc81df5ac1cc597d7d2b991b02309074717

SHA512
86e4baf90f1855cc819ee0204daaca8c8339d64b2d647ca80a0558d487056da30efe1fbf8d218f37441413fe885c88626be958e5c405c81aa927c884adbe85b8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eb0874e493ebd043bd86e94562ea67ce

SHA1
a11046462aec3d4cfe32a140c9a6a4b45c812e21

SHA256
b252935dd8f6e1e87a09cbbc615b5c7b3c922a738527bbab092bc966c6001d97

SHA512
d44bb770c3151c91cf418d648f07f07b9e7e9fa43a54adb38a9ceb73cde7a0888ddbda1cfab63c7554cd70da0e4b7e29b20a53de24562a9332c32db2e1b20335

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
59378f62fc80fa7e4fb6c3bf50e7ac70

SHA1
4e00d12384c87d0f6bce3aeced5ae50489ce25d7

SHA256
fcf61fc84b989f116f36bd46cac3d3194f4a16ccaf512d0351cb6035fb47ebe6

SHA512
4aea88f0c3eab7af01f363d7bbbaa0cf4775289e7cc17a8e0a39ec5592332edd7448e05f5e365715c3de331660cce4ee2b7057e4140c6b3248b34234fa74f808

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f956f0fa2b7b8cca24cff8c109156037

SHA1
6580a15f280a10c4e2e13f54014fdcc4a2ac3f69

SHA256
4ee8a408c7469a9c96e864403a28372cf76abad824ccdb243929bc73a3efd214

SHA512
8bc58e78a15d4ee5505647b55414e4af740686b432b79fb0237aa272516ecb9177f72ed78fa1223ce6e7b09b346702b1fc3d0c55794b33a98bac028d3a5d2d06

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
caee2db7621e0a77181dfe9c85934b04

SHA1
2211fba9a241e60f5def3d52eb88a03b75456023

SHA256
9ff80f6ab308650edd578fbf5158499c63a515734f96480499d01f762208966c

SHA512
e73c33f99e4af51ef7f3f58c6a248368aafc8b979844c58e4446b81fd7a221fdb58b9ac20ac40049e4d9fe0f4d1ebdc0261964b90a606d0f3c20a84981ed0b22

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ea08a1e0769f820a5a1df20f686ffe52

SHA1
69b785032d2abf938f23b5c642b925b6da195457

SHA256
a2f1ec9d02d36005e62aa1b2f68519a3447b6948d8561192c1e5d2f87c6421c7

SHA512
0ecae9a05bac12bfc77ada950bcfb792657d8be30070d021d26a996218adcc7ac44c82559345aae902d32fea83606db2cc7d06d2b1097d31860ca94e8fff67cf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e7a87c01c33c1bdaf68ecb9e31fa5c6c

SHA1
cb4bfbb0f0e5765f89767ea4eb3784eabd93951d

SHA256
fd25fc2d429b9fa2e502cbf69d24501acb24c3431a7289aabdda186c3fbc6946

SHA512
161cea15e0978af9a99d0dd122ec096b441e6edf20819a1adb67e3b31b56f45e05dd6d7c560aa07c602178a3eb257cf5e84526cdcb4c4736f340e37ed40c90c5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
56269861ddef0d73dcb594114246886d

SHA1
bfcea512f20538db25ff76a809b4eb8472406f79

SHA256
9e8c3fd840c92187cd48ffeb0bffc210f77dc26676c19ff3ba56351c75236092

SHA512
761d6b6916f8fe757118ea6bad2c3a322d2347fec7bcb564b06c4998b2c609b8791912b659f262f31f41543c64a042f3a306f5144a1ffa2378a810ce0ec581e7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b4f5aaf3f183150af13da73c9d883599

SHA1
8540a0216f6f9ca93c0fb8862437708e46f90ac8

SHA256
478faf78544c25f8849d450cd6c36892153377352e656ec35fea1401814438ef

SHA512
3b67915272616fbd823688c84679761823e365284c36b31028bb52d148a71232e0eae70724fa87779d965d86f3a1842501b6f4aec35e455744af3b9cee9f63f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a7a3b43829f1ac871be98b01a1c98fe7

SHA1
51f395809f77cbf6be5cbfc9d8faa8f82b7bea51

SHA256
f454befcd0209c2561ea2f04f5125c9b5fde73cf55ccb7df5993259093ec9410

SHA512
d06c6f56be850cc838733c0dc90a408c5d1d0e9548da16a23e4c0d892b341d6d06acab3fa9980a2a9eee5bb5de83ca32d649cb5e603d5b9962a9493daaaea352

Download Submit
memory/712-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/712-24-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/712-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/712-18-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/940-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/940-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1504-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1504-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1576-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1576-640-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1988-643-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1988-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1988-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2084-0-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/2084-16-0x0000000030000000-0x0000000030167000-memory.dmp

Filesize
1.4MB

Download
memory/2084-8-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2084-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/2696-390-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2696-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2776-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2776-30-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2776-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2776-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2888-402-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2888-294-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3008-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3008-65-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3008-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3008-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3224-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3224-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3224-364-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3224-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3260-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3260-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3260-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3372-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3372-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3536-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3536-414-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3668-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3668-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3668-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4100-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4100-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4504-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4648-644-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4648-361-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4948-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4948-623-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5000-651-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5000-427-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5052-365-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5052-645-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5056-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-257-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/5056-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5108-426-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5108-307-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download