75545f86e25726beac5d0e62ea1ef6d03eaa9f7b1437295b50b3e77ce1b56f07

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exe
Size

915KB
MD5

77fa3b12a5c6e3c0fff9a72ba3eede50
SHA1

f0a735eb2885b10963825940dd967065541651f1
SHA256

75545f86e25726beac5d0e62ea1ef6d03eaa9f7b1437295b50b3e77ce1b56f07
SHA512

05c2280a54b4ad473b073290654d0a2cc4635088c882a51be8698fcad588be66d3c4144cf34e5ea7ce9a59a691574afc2592c233de20f5e4c688697a2f4486a0
SSDEEP

12288:YsfKoGpm+xC0nJPAEumQoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVU:Y9oaXHD2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2356	alg.exe
2428	elevation_service.exe
404	elevation_service.exe
3356	maintenanceservice.exe
780	OSE.EXE
3120	DiagnosticsHub.StandardCollector.Service.exe
3524	fxssvc.exe
2212	msdtc.exe
2788	PerceptionSimulationService.exe
4992	perfhost.exe
2320	locator.exe
552	SensorDataService.exe
3892	snmptrap.exe
5048	spectrum.exe
1900	ssh-agent.exe
1052	TieringEngineService.exe
4348	AgentService.exe
4088	vds.exe
3688	vssvc.exe
1124	wbengine.exe
2916	WmiApSrv.exe
4784	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exe77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bf355a09c8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ba1720bb9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1c8790bb9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073dc6d0bb9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc01940bb9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000768e5f0bb9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa20550cb9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046467b0cb9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f504560bb9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2644	77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exe
Token: SeDebugPrivilege	2356	alg.exe
Token: SeDebugPrivilege	2356	alg.exe
Token: SeDebugPrivilege	2356	alg.exe
Token: SeTakeOwnershipPrivilege	2428	elevation_service.exe
Token: SeAuditPrivilege	3524	fxssvc.exe
Token: SeRestorePrivilege	1052	TieringEngineService.exe
Token: SeManageVolumePrivilege	1052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4348	AgentService.exe
Token: SeBackupPrivilege	3688	vssvc.exe
Token: SeRestorePrivilege	3688	vssvc.exe
Token: SeAuditPrivilege	3688	vssvc.exe
Token: SeBackupPrivilege	1124	wbengine.exe
Token: SeRestorePrivilege	1124	wbengine.exe
Token: SeSecurityPrivilege	1124	wbengine.exe
Token: 33	4784	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4784	SearchIndexer.exe
Token: SeDebugPrivilege	2428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4784 wrote to memory of 2944	4784	SearchIndexer.exe	SearchProtocolHost.exe
PID 4784 wrote to memory of 2944	4784	SearchIndexer.exe	SearchProtocolHost.exe
PID 4784 wrote to memory of 1952	4784	SearchIndexer.exe	SearchFilterHost.exe
PID 4784 wrote to memory of 1952	4784	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77fa3b12a5c6e3c0fff9a72ba3eede50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1272

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5048

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d344b5820a3b628129c3d8711c5f362c

SHA1
c29259c7100cc46f9f3bbd27660b9dab1b049dd9

SHA256
46f288671c05a5f424842b1a9b26abf5a9a65f914ffbd40902ae00dc26c5faad

SHA512
22809b5ec4b7c7aa6940e26f7978c3882b79df5c1255731df80314b2e0acdb28750eb3f35dcf0cc5bea00e8ad5ea51d04a794287958126c0c68dbeee7b2ef00f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d012f1b9927bc75dcc7bdc634c0626c4

SHA1
f0875b93a104e4d056ff3cc9c10387cd9bd2954e

SHA256
6762eb9008b8b0a5c5991cbd171affe7fc49bb8e4291d2ed55d859490e10aaec

SHA512
ada5d04723dffa7695fd30d769fd0c0d8a385b37dad44d9b244539e7ad46308e4995f03d211f5611c0a9ae46cd16d35360f0392b1af4f86b8f519cc7019f6904

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ce1685bf0a4d83c92fd12edb9b2a0daf

SHA1
ae009e6b559a59638aa00aa048cfc151b3e368b0

SHA256
2c5c1c01199b7def271c649fc385a09483cff3dece17ea2f73caca907303239a

SHA512
ddca6e8ba5a8438ba3d0e6fd245bad6f6a1aa41276353829a0109bdc2d807a9647841f2df8a100b93db891beee467167d4fe3e0305248ffede74e8a304448abd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f26d4824d8a7524fd37a87f5a33f82ed

SHA1
cd80dd74a4969d111d6c573e1242cbd38ab55a06

SHA256
386251b8ccee2e894a9c2f370a7847d52c37a5aa24fd04596ce5afe3c24f834c

SHA512
60d04dde7ac1228f889905279421b3f0a5af756e8b4d06cf5969486d10aef8a516eb892d18718277351538aaa95cae82a4959d4e47bb031f4e765d6061190d31

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e88c63f701379222fe051d84279504fc

SHA1
a575c16522d10ae310ef08ecd14823bd14619ef9

SHA256
bb0e20a614e83c26f41ba865e65ac8f1f90b5c7a9ef78376e4f279e05974dc5c

SHA512
cf146e2e7477219a3d2a51c715fe642b586fc300ca30947be37a4c51d7193ea50ee4e1b5da56d74adcf64f58ed26b962d45358c9705cbd11a203353c784aafdd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f8f64350e2abd3c3ec6d3bc02170c848

SHA1
59c43cb2801abaeda85aa1e0e125c45a5de6ee94

SHA256
d9bba3c88ef485d398e43c49d0e3ff7e95cefbc4770a11e46d1801cb40ad84b1

SHA512
05d996cb8a1cc1406b0c9fcf2d8418c2a176629335eb6977743e5a9593c7df329307966d66fb0f624d430731b0d83312530e35bccc1dd80357a6efa684a9b33e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cc7b6f2cec4bea4a77bcb14c943a0a40

SHA1
fe7f92f614475329e3ffbff7601a7962847b88b6

SHA256
0667c93ade19ab9e8ba4555a9a22266cfa44ea3c36be82a3b6f594611ecc828f

SHA512
6be4914cc6605cb09cb48d9d5437ee92f5a7197ed5008d52151bd9bab296ea710f0b69f27fca1b978799046a57e48063cb35d2f32a5d969d228c5f9451356af8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d55252e75e23f690c7a2e9e72211b80e

SHA1
86fed259df8b3c38086d08383bfed6fd95e3e62d

SHA256
b85737c0431848cf6fe7c00f93c37da66ff322244adaade24553a222c0e5f317

SHA512
a82cdd58d7c127daa95ac5b49d361e89743d923ad2ff8d51d38007bf3a23f48d0cb9c603312eb43ab52fca72d6bb6cfd1abcb33b2d45972ef25c12eb786e2656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
24b7f7724873276fcf3702f470790fe1

SHA1
a5f2c217ef8bb6573bc50266cfcd03b38bc24c33

SHA256
e4e03ec6e5315a2964be0849f1beabfa73c5cf5659f7e4afefc9cffe694cc638

SHA512
5403586e0f7245916d360b617e474cb97564d2f4da994cb3f69788cd411a70bd53d74b96afe974a0537b94480b316ca280cea79cd0c8782812081de20869e94f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f3149fb80b8c20b8ad9204a098d1ad36

SHA1
212272bb4c94117cfa4c586e283969bded2f264b

SHA256
680c01988e6b98fa17fe9c923b481531c13e318fd3b4ec613c9ecc66fda33ad4

SHA512
61462c10d9e468796a3ed98b06931e63e429de167164afec7517f8a2529daae275b82bae361047fb1eaeed2fe3270256ab77c1360825b26f2193acd3939a93c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
396fac5ac6d366dd43931d75bf23505c

SHA1
30bbac3c939676dbe9e493da2b3dcaf4353a709b

SHA256
96eb66a27773acba5b1498991cf981b9f40bc66f6c20ac15cd215d888fa8c206

SHA512
8c35c0d72857ece5071bb4c3c7b1b136802dbb75729b8858b97ef3637a59c5840bf0cf644b9a7f0abcff6efe0a2875f079acfba99485ece3bdc36b8cd5821c1d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
55601da7b4f068705809d2b815b38067

SHA1
14bae4a2e6b6a55003f4d00f1e52c3cbb2828db4

SHA256
6175bc11ed62491f2c7e6e1c21cfe3e09074f34a44a6624e238f7b2a654872f2

SHA512
21dbfbfa158af7fdc0cf7b67ea2fb5c2ef130695c6d830c67e311a1ed9ce6939fd500a762c82003b8d009ccf40d86612c95e81ef0006da8124f617a6a6955550

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
636841d3dbb999189b666f2feb963fce

SHA1
d4f7bfe972369567e085f4c1673fb58b88ed536f

SHA256
9ed86e19890489d031a2f69df244f070843b0a0b41c9240f13637b24c4337fab

SHA512
523af575b0ce788a8b71a4eac81df06be482a49d0afcddeae052630b33f5ae706fd7468a51d25464cd6ffd6de8424da8f80fea58eddf65aeccdc36ba27b4df88

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c6f2259fcf630369e6da42674c04a92f

SHA1
32a8b2442f8ed8d31e9776d398d6c226c60d183b

SHA256
a07444e3c57bb3fe453dbbfe90719b87fe67e58f30c0b660db9d8fb1715224ac

SHA512
9624a5de3f4c9baff902d86e15cf59f060ca9058a2141eef1f4f4eb81e8d772fcf80dfe270d4cb9247d040dc31581337e6e6a90cf7060e3cc91473999c9f7792

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f612039605ce622694a29a49147826ae

SHA1
6d13f453090104364ce4b0893d13ae012502ddae

SHA256
35edcd7a038908167a03a13da67e1c4b489843a6c660abb5a088547f1951923b

SHA512
73dc6cf1b528e1898ad2fb6ef0170583456b8388bfd3d9843c0830153c3e0ec1f2e1f3df465702df513cbacd6b2e51ea9faa76b10aae2866e45ffee5b8a1f1f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8f96d01e22cb8656d6f25979b58e7867

SHA1
b767594cf27c5cb72e7208a3e32518bc6ab91183

SHA256
d1c23ee02e25a5d480d264c59b39e99b3af912f8fc8158b56b4dc957b78496d5

SHA512
20eb4c0f582322b9b9587e289ff6c3ea4445b00bed5f28a6c98bbb1f712d1b0dc309410b96e173b81104c3e5ca2f8da83f1d28bc6a5a585d0b2b60e3f61f5b59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2346ba4ad064987b19d86837527f2b85

SHA1
fe394c547f385c3bb0cd5292f5efc29d34e6395f

SHA256
2334c5696a668c8651f15619f5e967323747bcca31af20e129b73a35909f5bae

SHA512
57d4bbfecaacb72de91dff88ab453d7e232401c66ff301348e75aa6fe0e02bdf006f3a7f0e30c33fa77c0886918a0eeffff392baeab1c169a02ec12c56fef44b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
872bfc7b1b27e3f7df336e3ee784a194

SHA1
5f6b1e8bb58a89f8df5da1860ed97af4d2a8a54f

SHA256
321da351e3afda5a1254fc7be761dbad647dbeb5a42fb26aad52a9e366e3965c

SHA512
f821f1159f556bdd7a6ea7ce809499af23946ab2a7b9992596945ee560d9184ad2103846d9b5a96e9766173bd9c2a295b55561d19712da642add010c81d3b728

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
37f6c2c2883e44c0731a2d1c389420e5

SHA1
952966ab87d608cb0eeb7c84b6042500de651647

SHA256
4ab344e709aafea95ed7f3fa95a3cf0d215806416f9529e94d7aec32764be24a

SHA512
d83ef0799751d91b286a16ad8add2abffa03b05b8841908d4495a9ce2d1aa36acdf709227c70d5abaaa2f31a48277e4e0a1f827b9a9d927dc21daf4503490936

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e06f700aeb3648bcd2cc3fdf7e593a5b

SHA1
8ae92843097e6db548020bffdae0ef8797870366

SHA256
e4b1236030df07c4d7756c065d73b8ba5760e3c122c62d3396bf6011e95ed57a

SHA512
7d67841737ef972478b55dd55f8eef0039ca12c79ff5b3a858140122f898e07dc5f2195d4f403b1a9b07e832b42ee3a5112fe358b1705df76abb7de136d48e92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
919eb35142375e17892f3bd0e67e108a

SHA1
76c9746c54eb4ec24d3690f8609d454450886d46

SHA256
9a0be49134f6de4ed82fcca0b483fbf8a120b011343a270d661961f0790f7a9e

SHA512
df58809e3494dfb3e1d6ecc6bc5e12c146b951bdf7c135ab9f5e49bacedb81b44481cda0e3f826268ccd5fbee06cd0031da0cd8f25b87840c1946d799ab85ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ca1f65155254492b678c2ffd38bef5fe

SHA1
62bcf8173be96a9123eb637012a19610f6738a77

SHA256
88ad5d17865aed0d9fa9b86d82c190f02a2da60ad47984fa1f43eee0ea41faff

SHA512
95e928cc1d8d420b9cfd599d6b5335594e00d76b5472615fbf9742f5a8010d77046dd1cd7ee21ad29743e1b140f55665230e1003beade093b28345289a753dc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ce6c3eaa3b45529a43be9b3069bb1b6d

SHA1
0dddf8d2164608bb17a89cd30512da9d0ce0ff0c

SHA256
b4074cb1d0a8cd8e68cf51cd73b17ff466883c6f86cdb267af0d9d01813375d1

SHA512
ce00667b976dcf47ce94ae7504d7a7d4a86cfcda903bdaa2de2c628f943655a143c5ca22928816ab2cf5a27faac66086e13ff49a2d48b980f293e091f099e97e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5bdf14ddde45557de3d4e7610282eeb0

SHA1
295382632cfebf3f00d13dcd9fed10a30cea4b8a

SHA256
56748527b861167fdf295a362acafc1442c12ab23b8c95c9430ea8af30ea8805

SHA512
0cf9621d887f9140c3327f62bd53053687bcb7444bad7c690078ec7bfe1db39cf7fe95e6d55f241600754fd567a6131f8525fa9f1cb9a0174b61b58e2f137574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
09987919703177dc058f36aa1c23762f

SHA1
7ecc6c5e65c7fa35afcfbb973509ce875453caa9

SHA256
491d593bee2cbd511fff244755a4295030b1ed1e63f8c427e76e207ed1c2998e

SHA512
2eb2a94a7d08bd0e60b9e3e5598b1342cb930659b31e3dda4147961ba1f9038621ce115ee6ce26b799fd42b343f5e7fe16ad0e24ec664a0517a32c49f6c7c4fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1b358180fb479c675fd0024759c8d427

SHA1
7195d882308d8fd8430f6ec0a1a4526337b8c35d

SHA256
0de1ad1e09a3d53f2b39eda9ca0d2f7934e6b977c5735214a6c54cea3b0732bf

SHA512
372d47571dc8bcdd7ac4a85f3d38eafd57208e4a4dfab736490553b6c43681965c69b5d3c8e319657dde95df7c95c6ce4c49a0e79298839136b4f6b17cb68f4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3003f9840cfd1507a3e15dd9e0f80be1

SHA1
3c8a3d31038cb404a817c9d2d838980e5ad6ae15

SHA256
6170ecba4751e82927869c357e9565513b326c962608d07e0e70aff72356141c

SHA512
a6dea2076bfa7165ff9bdd7851fd54bc8a02af00df81d712c0699d87f6a942351ae5c1724a94a253b10f38dbab6aa405b5fe64c266d1b1321e832a0d30c6aa6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
cd1d93f65afde7bfcdc5673e238ad669

SHA1
670984c26ae54108e64814e5ddcb04be8fda7b60

SHA256
e46f3eba17d830723f42ee23c253dc195a62be34a561e164739034f46a73db17

SHA512
04eef42c7097aea941286118cdc69e6a12e0cf5c86b370bd3c7e516389769cdbad014c7f04133de50f8a0423a5c8b6e542cbb39c0ba428d1c197480c2d33a06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
921af0a012d3867fdf999b7765e1acf8

SHA1
65178e02af5cd25fa688bc11517876812800e6af

SHA256
71e5f97b2970b3dcd1b3d0c1049bf4ad513a4bdf8f6484d1c66cf0ba0f15efcf

SHA512
73d4341ac733bcf12b649d929782f6b8b2648b7607c7a4e435fdcb6e32a017fdc4983070e73f3eee2d2615e47a54ff2d5ecc1b1a34cf74c1c86def7e21408a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
93846012a1c7a444f9b0df12ad08b80a

SHA1
f3ea1b6e7d21500fa10eaa653e8489654be9641c

SHA256
ee3dd36c54582ea6c8fefec03874061b194c0499e151fa27b555c14ec41e5d3b

SHA512
3317360ef13dba908f82b8b6d9e80505cfccce649c7a1af2a4dfd9a3ef6ebab16724a6cf07aeef7575e3169b92a2bafdf106e30eba29d14cf6e710284e59acc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
26bc6d2c6ec17b31761ab4763b5387b0

SHA1
275305496bccf17f6a23c8d75305cf423fc0ea1f

SHA256
1673cd9db506243d97cc733266fcb66d4836ae16000821e3b934dcfe22557fde

SHA512
e77bfa5f8134b2cb7e0ec1b7c5a163a0f3a61486853085c821cff52a1690099404ef26c784409dc0da84e9bddf3e82a5fb3fdb443baa3210cb0a066a722f2cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0e216defb337c147468a462fd1befd47

SHA1
19241294201020bfdf149d5c6638ace3873e88c1

SHA256
7c8e9a2b907d0ef4c68d4ba23dce9da25d1746a9a5d7f7c2f9d4fbeba8f45cad

SHA512
ec284867900fcaf7a1029815f81e84825cb532956a8471c3ffff361f05fd4811861c0934b378d17201d1cfa0499eed8fa8d8d584eba7a370f8494648526f6648

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3f894c5522f4c67437365417c0c4a1d0

SHA1
9039d1173411d3ce3fc0d867d11eb5f312bdca00

SHA256
26714c33e9c4a9dea6030b176e3dc7feb580dfe92c690bf52381fbe79c740fb7

SHA512
9338549abc471b4738386c9c5ee237eb3606bfbb2f56050b7abeaaf93995453cf8487745c928634cba3348dea857fef21d3f50f8a91c113065e33b04e5d66c16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0fbec7f823854b562d8c80db34fd5955

SHA1
5f759891430c5b99cd35cd9d1d1659850cff64ae

SHA256
5dc0fa2777544efae0c57eeeb5559294f0ac848fe15b862a450f5c66207c4f04

SHA512
b0cf06d3784f19a27136555cbce4f26ae7287a01f9eb93332298ef24d71c6e6f1b997b9dfcc0045d115afb082326d17f61d39a867f521fb5a6586bb6e26a477f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e1aa9ec4e979aea69ceb98e828f12120

SHA1
3b26f27dcfd03029151cfc9703e19c737b974519

SHA256
dcc6fa0bb6983db5b9950f931c22055023a16df194cc0822c93ab8fe621eab2f

SHA512
87c0999a64a7770fe6e3d20714efb247e93dae5a3ae12cdfcfa7b247601d9f43f0e350ebe07fc60479b3b4d84183a9ce74a2dfcdf40f021e08e3c643f0ef90d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
189303db7626bf528f98b5e79fa5bcb8

SHA1
c46a03cf89f412c7828ea470fc747400e303ddd1

SHA256
58968cb963c503e558cbbcee5825723dc27c234c4b27f24fd514a09191e87edd

SHA512
b09a9f92cf0aa432612927bfa572719eca3b0998faeb7cf02dd946d8ea613fdd61b67f7501a84c57b24815cb4d1fea2548c53a8775ad1900dcab894d04344051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c40d8ac9b8ea9351dd0f12cc0153c892

SHA1
86eda4cb01db25404bfa16b7e35701fb07c9d246

SHA256
e9cec0299f446ea85fa80b82c558cc3d5260909d41ec3a89279aea48abe06782

SHA512
bb01ce1a4f70cafdcef2100c5c4fe029887823e847ce5b352b51b25132ce84921c5bcaa909621eb3fb32e4ac22f67fc475cea2c6562b56bd00ba47cbbea4dd6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
2d534f336d99be54c03562ab47f8ab49

SHA1
5954ccd4dcda0ad24bb487f15d1545069762717c

SHA256
8a429619c3fb7d55a3b3c982024ba10759663f69f86b3d107704ecf279413dec

SHA512
04c8327be9125e153ac8357fcdfed36ad9c7f4a1f3c75bd78146df4ad6186b7d8453dbdde0ac8c567d1ba7f20a48c9947bb3e53fcaf603f644689fc6af01851b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
2dc70b5f8e9e2d25247cb3486916d92e

SHA1
d36779d67569efcd8847496a6305fcd7b352719a

SHA256
e453ca8e75fc36ec40fc34bac71c932e63669a9f0e0883eb6c5b973185e332fa

SHA512
500e31894a5b70353ff9a71aee88901776a674f8103663dd5f6742b7216102b06a55919b79583bfcd24c0bd6a287370f019903cd4c980cacade1ab9f9cbf75ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
0e8c764c7e24ea4f5b46b158c0afd9f5

SHA1
d008aa02abe447a6a9ff1a00ff36e1307b07f5a5

SHA256
a0a1893778627508614486ce01a20e8c11a0a65530634ab52a061d309eaa6329

SHA512
f459d6d57f91dbddc2a4dc33ba7627375d95e4578aeb900faa7a5da09fb79f18d784ed08158f2508d642318814f92183e1266d9c1ae89a357e117e8351d8eadd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
2a18df1b775209d1cc02a2c4bff52386

SHA1
e4fc5d6bd83b3341f58591de229ab7a5b2c99c83

SHA256
72f1d4c8625938599130bac04d8b018e0c1dfbdde5d547c5839bb33e1ee536ae

SHA512
df0937c045ae521844a54432080c232d1626a7cb8d2fdece9f9f4996b2c786dc4d805e0aede6c5e5ed92c9ed4ddb5bc02ac239661e93efcd84dd0004caf32d3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
174c511aeade426f40a82815a7ed1db1

SHA1
b96d68330a5dc6d2fcac95f4b1d7dc7b861dd811

SHA256
7e3b4a319fd5ba9c6f4e6b80d3bd3a18127cc90c785d755a7dc68fd98e000407

SHA512
c0bbdf2e1daee39de2b004fdffe6eebe7968a67c3c7cb124ec514e5ad5ebbaaf104b51fe24cb994c99cfe9e0aac872520fafd96f8779c76be71bd1e2853369bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
9cfcb089bbf5a32702ded0a7ab0e4748

SHA1
0b309752fb8b17d2cc19b88178bcd71d7c29aff1

SHA256
d50caa2cddffda19261be7af0fcd30147cb7213ddd60cca88c9f36e381e620f4

SHA512
a1b943c8dc2438fdf5e0145885cf70ee772218ccc80acd6680474bb238e74dd16ba9f2d65faf0f66b490f63185a3a70bb8a07de88cecb551975eaa7e9f77ee2f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1c06e750aa6e019f850b9457783929ab

SHA1
ba705ab65e15e0c9ff24e62a69b63da6bafece1a

SHA256
4fd30d657b3ee68cdc62612275e39af2ffe789f9dda75834e5378a5de3ce8935

SHA512
7acbe41afc1203ebf8694043820a4e35d2027e2fb46a0d25559f779e475737eba617b313cab468c695d3a4ccb2c4fee5046660d1bdd4ad0c2db5aeeca49bcb57

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3ec83afa06f6e3a77d3f938a0be9e16e

SHA1
ff36da62986cabd00887a9fee70e8b3642af0dcf

SHA256
adf9b352fe9d59008959c012bf54eadcdf96e41e4619a54801cc8c3fb3f0607f

SHA512
8359bfd42dd00b93cd6e39bbd586aef62058c3f0507e67fddc883de7a7da206c279bbd0e7c274da01ebc048e9ca1ed88314907e9e39dd8bf688b1d1ffbb6aae9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
59d5521e88105f84e55832162a01b1ff

SHA1
4ce43db18ed937b9dce1d1d26e4d59e794bf52c8

SHA256
7fb465528334b92ec3161329152ef0bd085ca2b4fd5f69905ae619adc42d7279

SHA512
8e47135753d5e3f2d1f3e98919a6938355a261f20b2ebf9f81d4aecb4265b33bb89bf6afa37245a9b3c2cccc6e7bd4f9cbcfdfdb85d80f5f7986acfb7c3ba3c4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e0d2ac8868016ae9323667df585149ea

SHA1
d0afa2e43f57c7151ea279d8166ddd70c8f5b15c

SHA256
b31c05e94d8fbbd38c00782cc098eb66285b40efe9ccd0574c7a4372efc7cff1

SHA512
3db8d97f4bfb81379851928cd9c2734ac4f05d305d01e508231d06063effeea76757aa10d4ec974e5fe15a33cfec850e026b8e4a2cbf90f97a905c3135e0c881

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4a759c5165915bf5bd0dfd09af99da1b

SHA1
9c8889b520773a6aea9d6b8c49319555cf665d01

SHA256
075ba355960f533e51a392e5abd50316aa7d28d69c443ae29052f62bdbd69777

SHA512
c148448418ab5f83e3c15a43a78ca8afe808507a727558755e528f9f6c9ac007e01d83a682791270172dc4a5bd482b4fcbf04fd599ddbb91d1b0dfb19de13685

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4c5def5c88fd6ba9cc8cdf67ed3b0bf9

SHA1
c9492110336916f5efb78399a2ebb7ac0dbe4425

SHA256
178056bcff92f27e94304168889d0660ace6bf8b3e75348013498da1a5cd79cc

SHA512
8a4d91bbfb8a5aac674e6414773b91d9f6c8b79d969ff61666d855dfa0dde29e37b9fdb5e783191b78e21597304e0842a82ae6a615945d535a3a67e646b4757c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
15c7599cf1ce0efc2d55fa832b61ee3b

SHA1
ec129beb444afed1c6a060c774e3cc4eff29f2d2

SHA256
3095a4391ea08e910d4d388df401b2388845c8679070f67ab7479f17ceebe31c

SHA512
ff7c558fb8936ccc2a6accadc14b9274d16195c607b6a2bb597d6c232bf5fa473a29b4170ebd86ceab06980eb20b6c65046f0ab4c99958f434a5df28afc05f72

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
15659529fd14e4c677b6d83b0f896e05

SHA1
bf680869d50282bd626b07c2cde75c0e9cc2267d

SHA256
34e275aa3b3dc8eebdb3d56a461acd2c53da8633c02020f98ea541886b2b9db0

SHA512
dc21bc1168c76e852fe24e5294549779e689678ad2a8067afe09fcdb3bc482e50605d1a45e6400d68e3d46fdd6d9d717e292bd6d7da80f2766e5b75b77d3a582

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3a9f6d5e947e2c1890e1f5ccc9aa1e62

SHA1
fa8fcd47d782529bf3a025c9b086cc2e5c8b291d

SHA256
99c74ad9ecbdff0bab5ccec21c2c1704c70b17cbb08577c9aa1dbf8faf2e6f66

SHA512
b66dd1b89cb5c44a833f11021568aaada5877bc2c8b44f8fb6be2015e1533974b5defa132686f3cf5c748226008e8923b5468b144abdd279ee7d43e49423a5ca

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
366e894c40199506045cc4cb8579952a

SHA1
d296faf92e42845c195a9a94f3750bbf467c8406

SHA256
41cbfc893172d00f6898188b93fb20e71709d7b291f83bec6fe03d05fc7903f2

SHA512
7946e06f20ac110ba4b25e206d112ce79a813fad2cea2462cb5fa4bc2c067deb95dc614a9f91d0c1179eaa44c1db4d24cf7c7f92e73174d9a7463829b62287e1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2314814ab90a24b28eef9f606a6b3fc9

SHA1
8de8684d5444814fc14a346b9e2f1b8fc0dc30de

SHA256
b4cc4814814080313aff586378494055d5dd9f9a3259a21b06a09c812ce6d2f5

SHA512
ee48336fc3598d7f3263007fb4b8f0844ea08b9802b2528b87bc1bc73fa4011f8804480d2c3eec8e04a0a57cb50236fb802f63625d8146de07fd51dcbae81c84

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
04a428aef8ee273a7056e9a69b2f700d

SHA1
83a3bc9f68539e20a2532fdaf8c66b78b6a62c5c

SHA256
86fc28c0854c6d14c65d964123dca516644fb9dc55a387e33a82e758631fccd1

SHA512
687bac8593ebf8f3e1a73c1e6ab041eebc5490ff859becf16a959a8d013aff2d192828c913fcddebad7c069f47a9db7be5fcd9d0d27f4b203516cba691d303a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
abd413e1608442a84bbd695785c6237f

SHA1
514c758b6eb75f670f03fd9b095abc13920d5cac

SHA256
6cd1c50834faabdb77d2934e4d1338c6554e540eb5a2609c6e9f353e5a4634c6

SHA512
90c3f0f14bfdd3e0fe96a66fa28a9f14ca48afbd2d9cd479f0dadf0a4b4ccd109f110d0ed7ce14f535d0aed5343f188b1c99dff721b056cad5d521604a990e2b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
90fc2a4408679dba4ebe680bf8c08783

SHA1
d7999a4755fbfd88f1c2a9a0d3c8dae953de6646

SHA256
2681d4c1cf52dd4323c40e95734f36b6e44d11452119406c97e241849a0bc74e

SHA512
f75b35f95bfd707ef67860340a593cd5991d9a5dd57f6fcd57e7be4c307257a5a11a9cc4b2162ff53b0054c1b9fbf8d44a94a7fd0a82bdad2fb6188658cc7177

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7178ae4daca826377af9af92494f43a2

SHA1
b1295e097a3201234e40692c57df4af696a0ad16

SHA256
ab0f01d0a50567bbcfd2bfbce0806ead2409e3ac9098cbe378d149d36f346b5a

SHA512
83bf479fc3c5e042526644ca89e655eebdf172824e80468b762b3485f6d0e33a674789d6ead61798a219abd6f5d1316e27fff28fd6ada5994f260dd2da5e61b8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8a7e1a4c9b530cb26c2910701b278259

SHA1
3e5904222236ca2613ed9b840b3897ebf934125b

SHA256
8243767a99b4d02d9ed79a4b0186b847a3ebcaf66d9c3c354fbff7f5c6e8d733

SHA512
a09db8f2234a55469766c1b0fa993659e61ac9e489095d4248ed19057e32d522220361ebe0b794bb8b20041996a12542ee25279958a4c8ddd42691144abb0ee9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df0116745d28de4ea35c49649734f077

SHA1
b6196fa6c88ed16d897a52ae3150a975923278d5

SHA256
485e72e8f6c1b07aa326ab88008a35b9c8938143306572a016c214e016d7e12a

SHA512
d27e9935e0870da3c8b1ca7aaec0317756181750dee394596e9800bf4e84428d1fc9728bc8e34ccaf699a873dcc1fa1ead0eff33eeeaf2b89bcd980776077bc1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
89179f4b21cf4fae998df52e071b90fd

SHA1
9e462fa7550b4bdf311acfb9eec0c109fb3fb961

SHA256
86e383ed6923a2cec729f261dec1e254bcc17ac21202a4382a77a687d2603339

SHA512
2061f4c2d06488afd201f3eeb5e3a4eab0db9654bb1d4b15553e255462594bf149173d15cc634eeeef79d61d28d21a8b520d68eb65bf761c99efc3f79e2d0518

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4e899e461f06f31035aa86e5faf3babe

SHA1
145a8abef77828f8015d2531f96e6e2d8e17f8d7

SHA256
7c807d874c00014ee99a73b0eb334341d9a86b451328b63935a66ee05a1f6274

SHA512
c6601bb3fb7aba6c5eb223b7ef5e164d38e43f0275af0960d2d852aef3adf45fe9f14365097b8b5391ac3bd470bb3b42015737ca6d4e7e67d4598a9eb70738d3

Download Submit
memory/404-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/404-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/404-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/404-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/552-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/552-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/552-620-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/780-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/780-66-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/780-72-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1052-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1052-655-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1124-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1124-660-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1900-654-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1900-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2212-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2212-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2320-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2320-298-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2356-25-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2356-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2356-23-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2356-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2356-17-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2428-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2428-38-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2428-29-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2428-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-15-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/2644-16-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2644-0-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/2644-1-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2644-7-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2788-290-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2788-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2916-661-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2916-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3120-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3120-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3120-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3120-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3356-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3356-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3356-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3356-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3524-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3524-255-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3524-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3688-659-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3892-521-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3892-327-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4088-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4088-658-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4348-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4348-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4784-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4784-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4992-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4992-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5048-653-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5048-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download