5712791dc101ef56dae9f25893ae3e5f2e35bdbdd9b898e28c6cae2636089657

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exe
Size

604KB
MD5

7cae9a90d74c77e23f34137d6940a770
SHA1

548204815e5ace136e2d5f9ceda621860cddcd46
SHA256

5712791dc101ef56dae9f25893ae3e5f2e35bdbdd9b898e28c6cae2636089657
SHA512

f4c7aa417f2d799a9beda59e2df3dfc9f4e1b7c93f3ba9c26abedb0d81dc36b07dc6c88e1ef782d67a1ebee7a67421506e4030055b6f3c77e918cb0d8889ec22
SSDEEP

12288:RIL6+oH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:yLM2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2700	alg.exe
4496	elevation_service.exe
464	elevation_service.exe
2160	maintenanceservice.exe
404	OSE.EXE
5000	DiagnosticsHub.StandardCollector.Service.exe
4696	fxssvc.exe
448	msdtc.exe
1332	PerceptionSimulationService.exe
2896	perfhost.exe
116	locator.exe
2660	SensorDataService.exe
3904	snmptrap.exe
2100	spectrum.exe
412	ssh-agent.exe
4120	TieringEngineService.exe
1484	AgentService.exe
3736	vds.exe
2460	vssvc.exe
2280	wbengine.exe
4420	WmiApSrv.exe
3668	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\377536038beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ab9d9d3bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013b617d4bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f3f3d3bcacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000281f9ed3bcacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a209aad3bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fe1e0d3bcacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d806e8d3bcacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000598227d5bcacda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4496	elevation_service.exe
4496	elevation_service.exe
4496	elevation_service.exe
4496	elevation_service.exe
4496	elevation_service.exe
4496	elevation_service.exe
4496	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4464	7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exe
Token: SeDebugPrivilege	2700	alg.exe
Token: SeDebugPrivilege	2700	alg.exe
Token: SeDebugPrivilege	2700	alg.exe
Token: SeTakeOwnershipPrivilege	4496	elevation_service.exe
Token: SeAuditPrivilege	4696	fxssvc.exe
Token: SeRestorePrivilege	4120	TieringEngineService.exe
Token: SeManageVolumePrivilege	4120	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1484	AgentService.exe
Token: SeBackupPrivilege	2460	vssvc.exe
Token: SeRestorePrivilege	2460	vssvc.exe
Token: SeAuditPrivilege	2460	vssvc.exe
Token: SeBackupPrivilege	2280	wbengine.exe
Token: SeRestorePrivilege	2280	wbengine.exe
Token: SeSecurityPrivilege	2280	wbengine.exe
Token: 33	3668	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeDebugPrivilege	4496	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3668 wrote to memory of 2816	3668	SearchIndexer.exe	SearchProtocolHost.exe
PID 3668 wrote to memory of 2816	3668	SearchIndexer.exe	SearchProtocolHost.exe
PID 3668 wrote to memory of 4572	3668	SearchIndexer.exe	SearchFilterHost.exe
PID 3668 wrote to memory of 4572	3668	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7cae9a90d74c77e23f34137d6940a770_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2816

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
babc064a6fcd8a1ae728a5671482f0c2

SHA1
0a4b9dd6a2ca3333d8ebc9e4195bfc5b3438ee4f

SHA256
acbc12ab8d34ff93511ecb9456a13876439da4a2b4c577abf490f7d557b43bc1

SHA512
cdfc9c5cceac86923672ad224f9f27492b1a425aec6a4d2de11d7fcf64f752ddb395e255c2961f4c0c5102825066093ce213702de8cc032c96728ae20f66454b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9394e4c5dce68a62cf3ad615d013edcd

SHA1
0f5ce32ec230deff3fe9054640c3f0b6e1af171d

SHA256
dc929eab84043576c129982cf8b0364f089e5b25ebd24693e523e2a3c781ec52

SHA512
6d6112e4b644dcf8c5ae9fe7a3aee52de49f77494d371f2c1daec2ea52378921f3d41be6958fc3048f19cd45eb633e5496f42e2b9d1b23ea4c2737ca1575a1c1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d4b62250046cbda2ae9ee345dd571e95

SHA1
2f6b859177a373aa30f85e525e48c31056a6578b

SHA256
8b9bb0c7a3a848ac60cf28ea7aefefec04062525ba4c2c51e1360dad922dbd59

SHA512
7a8882cd526603ad9b3130f6d004ff403ee77b905cc1a960ea6bb4e0e3321f7cf51bf31cbbd05c761c0d8f0cd99b33ce509af58d42b7ea6119a4691ff7667b0a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ebbafaa56328ba0902ff3d9b51d08ebe

SHA1
be22ce309c7e4e48e1ac48e37f368fafa1573f4e

SHA256
5de24d1a1b2019ec2c35f01d627d8afd0544e0efbbf7e5cf6729a897e12d8fa9

SHA512
54cf00e66aca5b39e260954d48c7014a140c99f7eb24ed2edb8dcb732e12cc1c622537d9b04de3b3e53e608967753aeccc0696489e599624ff3e61c9687f54ab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
34cfe4b84ef7e15eb9203d22c7907901

SHA1
5d1ee88ae3de51b27ab0c9027faeaa3fed065f90

SHA256
65a7b8ddd63f2795f992732bd81c0ffa39da5b3dffcf1bef257b2c0ed049501e

SHA512
e67bf9cefe3007b8f1a45484977b9c7c982d3e34ba527321e48391e89d040f52b749989ce5d08339c07459fb42e2b92f959f85d2d7f32080fc9c2f5e4fc5e82c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
22934d7f09ab3d1e199ebb26eb4ad0f7

SHA1
bdb944c6dc44860f24263275755b3a376229863b

SHA256
da7a8ed3f8c5fe1490b943f476a65ac4e58b2d21f722c0ca3d4f17947f45600a

SHA512
1aed983bdeb2a12f437e6364666e7393ba332e73e6bc811c593f997cab24ef3076b9142f075a546eb46646c6f2e65c94338a44765ed54353dd7f1c4d8dbadced

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
58e6b09e2347708e3412f9b4c1adaa2a

SHA1
6b70776f86a42eeb07ae09fc05faa0d6a286cfe6

SHA256
3e73c98c732e3cc492c4577553f4cc043987b67d065343c617bfecd5ffc8c090

SHA512
66ba4e86ac85e281d4d4d0289af3a644981d6c66dc46581e406dc140817d7194dccf544b8252b38aab3243c0b864e0c4eb67a25326adbeb0382fb39262989323

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fbbf9a087ff2f296d51c8647af865f25

SHA1
1778235e02b26140bfe01dc629d41c4acf851c4a

SHA256
a912173b2de27dd959d14ac3a5c96ee9c4898c5927ec8eaff1b9b119376e0dd2

SHA512
8cbe58f49e3d6dd330cbaab1dfa42a91e4d2dd6f295d5a8fe0d504ad705b143d45335ca36c118dfe51734ef0730093b0fbb11c4d7c4d839573eebc7ec1969a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7c5711eb3da403abcd622b276d52e72f

SHA1
72aae5cfd98e58df9835fbea572e67e238fb632a

SHA256
f9c8c0ce7950ea8447358301932ba354435ea0868acc76d097fbf520d52438f5

SHA512
9cbcdf8ad7499de48773aab8b12d5681442d98e0e5bda1a8362a17cd6c7ac2e620c6bd9e46c6fa4a0ec7cae620901de195792875398a707e1d7164cc64c450c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
90859f44ce21f11f92e3ec564c6d4855

SHA1
a2efacadc3d7189ff0a325597b4ed2b07b6a7a07

SHA256
bbe65d453253058e00a1205561c9b9411fdde9d07425f7b70960b73668666248

SHA512
b62fea7eb23591400e82ee133cb0ee3d3ddcf2e27c88ef4ad20148cf002abcc890df6cb1ad97c543e6c8b0eb583720fd5bc8e92c1cc2f1a37af3879af2b2ae72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0c4baa8f243f39e409191475d2173cdf

SHA1
d150e28d9c08e8f512ec4b4e024aa2e9fedf9d07

SHA256
aadbcc0a8094303e54fbd6722afb0e93aab3c79a950a14310e5c2cb48e2c4384

SHA512
85b2f02f34f88f0d8fe2b664657a6342da40390a25f3863492b3972e969adff8362cddfb9ed3c67cdda8330db406c8184a503393921545b0f7a762b61afde4d8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
749073212ddd807afca0d3cb0c8bba77

SHA1
85f4a29dfce37b392a06f78fd3c81981e827b7ee

SHA256
420eb8578e88a8560ce21d5d71b2fe94116dcce77d778294c6819ca1dbd9721b

SHA512
6e5151b660263a73fe193387124b0878bb3d06e6f0bf1dcc764eee2e65757f3ac777bf1e130594fa1436ab035a23d4b714266ba9554ec658e2f78a74e413b622

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6b1fb9ae2d7554846f5be407c720d6a0

SHA1
a103f9f3636a44f010cc9534c65a9b6bab6ead97

SHA256
c77b14f1531e80dda71dd6715a4fb64b26f4ad8203ceb947b16c1416bd0599f3

SHA512
24ea254b87f2d0230c079a4f40e22582cae94fc70ddd83c86793be219c09fa327ce2321141b7fc66f5f4653f1973a97b01740d3464e8d876de88ef425ec3a719

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ae102b4a6fd4c447482a2d5049222d87

SHA1
5b79dbcda3fab665023e02e89760ac88203f416b

SHA256
25bb3cdac1647fe8cc53fd8e76c255c159b42344e5bd4f47e7bdfa8b72b00f55

SHA512
7535b0066bb13f73828f4fc425f8ce197601e9cd6e3734a1960db663298b2650c3ac5025e2742d92891106ce70934803e30fd935ded2714dca76f4fab1e0ff92

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
788409c5e9120aed89920033a158f9e8

SHA1
cc567b77865aa31184ddb5472fde1ddb52d78bd8

SHA256
28ad286d35c6bed6d2726bc0959551aaaaf6e8a17d85634cbc10416f13ab371b

SHA512
520e5b4af73fd9ab955b89bfb75b31f69cd165ea6d2dbab8bb3ea5dbb4f4944d04ba90e429897877cde977e8b34a3e70d98662cd589e1e15805cae66e6340bca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
63d70e1fdc91f5de9761ed8bda3cd26f

SHA1
4b43db4bdefa7b0d11a644a8a4adc5259f614a50

SHA256
c845436c38792d89f573b7cab6355f5f0bfda5b8e92ffa87d62b33c5ba775d45

SHA512
ad3b0f1e758eedcef070f166d212b4f92c069ebe138971b78410dc0b6e7bd715080645916eb13431d8315acb5af9e08444ef81dcb425b37edd21375d4696acbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e1ac7c039d5c5e2dbbcd702bdbe1b349

SHA1
a6e7410caf24843dab65797f2d9244cb6a20beef

SHA256
c2b10859d9d96e7cb0be3c8b891de9f35cb42c36e04ab6bd135a2ed663565468

SHA512
93bc4c81741f78245830103a044f9dbbcb9b546efe7481377b94d666cf979246bfe38c95c9891da80d642f92591863f36541c738715bd37c96dad5ddadb219c4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4de9d3ffdd9f9c093a918a9537d630db

SHA1
ad52c5ba54c721bd9bf8023fbd9f68607621fe42

SHA256
16551f3ef66ed7233c0a5b6984f32e0c7a03669b76eba46cedf61646dddd5930

SHA512
c0c501dc6b85f48fc2547b479682e149d73908eb1750988eabae7af59526f10f8b314a4470e3d2e5230e729bec9e48294a0b2e1c6cb07695c717b0fe616cda4a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f5cf5a9c5c880e5fec85b44fbf34bd71

SHA1
8368c1255bc916bf8c89b3f90a209a25ab003a31

SHA256
3016fd5224bd12a53824abf307e9c0ad2dfc7f776996fe4226abcfa37db76225

SHA512
a84584221619b3424b9cae407abaeb1c307b041e0dd4de19755aad950fbfc8e3bdd32b6e2a2e475383de861f653736b5b76a3abd2b3197a7f41b86bec5f89398

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ee478ad0169f871ea73641530408481f

SHA1
0b67098e9e7fcb4b2ac1b2e060ee083a3c12b01a

SHA256
68c23494487484616622a20f7d4cb1d0f13c654b74f62a0aef9a1f4af5806816

SHA512
47b1b8dac30a41322f7cb871326f2908702eae7f5cf7b9b92def7b5d5a33c102cccebfd28d14a5715f8e33fea810f4a3be91da39d8f9ebf02df58f0c56ab2505

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
496d2852c3a27d7fbd0e0bb77b148121

SHA1
d17fa7ea2be5d38ec868d838f2585f7fa2108d5a

SHA256
2be80f993462225ff25564f6fd84f071d039aa9da6470d54e1eadf33650c138a

SHA512
30f35a3cf85889a2fa0fea32631fbb04f1cc308db50cdf4907cd330be5bcc5df4917186b4ef1a883a12402e6b6fdd73aeecd6b67d4e72319775720ad524f6520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7a6583ed0c5b6fa7ae3d5e568ba662c4

SHA1
2e765d7c177e9d94b33cc3bac771df98b46fc7e5

SHA256
ce565da44bd2719d6c57094176643fcd276ba651bf5dd25a03ba96fcf04d41e8

SHA512
88beb265eafb76a0d07be47864cc20e936093a18761dbd591879f734ae52e1703979c9e916a41b3a45c2caa62f74a7a1d5665ef290aa8470c5c5b21ff30f4d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a7e50e057ce51c1e47e505fd1c20c52b

SHA1
f3e8de458162e167d6571d9d350e5a018e5fe233

SHA256
21a65007ccd9caf3dc0dc295b1eb2e783dc781f3a4ddcd1aac99e7d6fd805220

SHA512
26a40243c87daae93ca5b53ce3ff2957242c0662f75e708a2f6bc125b6ff54dda59fed3562088a822b606617cff0b38a8cadeb2a5a75cd0835a98190a84ad0d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c7a21a1f0b23c5fadd52de13ebf4f02a

SHA1
55a777f4433df432894c4d30e35df1d09f1019df

SHA256
a79a594047645a2048d6f8e5ef0bf65a1920684cbe2f836671023034619815e4

SHA512
9eb01bccb732ccc4aa010138d9eb3daeb5c6a56b0aba43efcdb6b02135c32e217fb0d2b2d6490fce2c5b0fd35be2f55191a1e8bf991572d34968f209be9a7473

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9cf90f47b25f0f8fbdf2f504e58ec880

SHA1
7f7fbd6888143a9a6e3dc9dbe0b536131bf8095e

SHA256
33386ad58bb672c9064481cfae8f58aa1af7d18a580ca364aba35fcb03246c4f

SHA512
34a544964ae4319eda80cd0938fb2a5f1bf587e58b5fb43edb40c9952d79193063c9a4ae43cb45ba406ab32bb9cc320c99fb37652c303f7573375b83978a6de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1b486b887d4221761aa55c989d3e9d37

SHA1
abe81d656500301918664e6f86a846347c4d8446

SHA256
37135f861332124e3e957487a4a86bd3dcd239a124f831aad4955cdfe5bb1ac7

SHA512
d06b395eb990b603276a88137702e4ad16752988d54e3f4bd96f57fe397ce4b3d1e32bb45ac4b8bc88f9c77c3160c2d249fb08a1d1ef900e6b825afa9da6a46e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1a1c95a6cac103f4ba9b7dc65aaba09e

SHA1
d97653d3d9740e94c5fcaaff7aaee20f74ba15eb

SHA256
37614b6bebde98c46077990cb83b1ea6439f04e09d17a063605b20fbadbe49ac

SHA512
9d29c4d818814ed6ec33bba5ae9214431e8b5c6627482bc33e20281da9edef1b2dcf4ddf3ab5372425e197a0263cc0b5cf847105ee66ca0f9cc62520b74a031f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
58973355fa066e351b1f9d89a5a11f4d

SHA1
f6ca673a1c7a4b792ae47e9a2ac853a1b5c7c364

SHA256
d18d63bc5020983dbb8842d55a71d26665ad09bc9c8987f2b7763fe354e3f6cb

SHA512
1ddce3b403acf0b08e4daae0ed5f0d33a184479867d8cafdb1170ecb66d25bd2425740881799dc5821136a89eae682c60c74d62ab5c962d44c5556598d2beb6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0132b95edbc997ef2fc0c1a7994cfed8

SHA1
c929bc02d7a1dc0aadaf8556b1d7e38deb1d00c2

SHA256
c3d2fa0e94b95ea71327bec37b21768c4e0d580bc2ee0c1660a9fa22db4aba1d

SHA512
f98d747e445fbcfb267dacf882a5a43d5b4a9a366e49ee0cf1dad21afc5fc7cfd90d24ae68cb2e9eee0c68f2800316357cc0983009dac4df4be2e213cf76c666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8eaf9f0561dca113050276ba6dbfd7da

SHA1
9931484f3bb7ea32764e1d94ec9a8f5e0025fe6d

SHA256
c92f6a99ec7d499c555bfe2b64a0a4301828efd31f33813c04ee4d5ecd8b95a5

SHA512
0884c581e0f19575733028796e15fcc09c7bef6f6c2bc1d3bd6ee27dcb977e45826f164229b1e5a42f61c84fb0bdd14c2b10e05f3a1ad8d99e8f268bdef3cab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
26337b99561a802e180bd33a6a80dd63

SHA1
0d5fb1af90decb934a00533f71a93d07cd71628b

SHA256
75b9e2789f8304b78777ad0d80b907a3920887d0d62d07097c87acb1a04d98d1

SHA512
9205f5d7466e55dcdf88d37747551d0e9115b5793fd2aea02128f1cf6a134a2a765df2a2f10b00237f098b745ccc08647e10d18424d805ac588104b04fc7b274

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3d6f7c74756d58113386affd51415ebc

SHA1
22d4bcaa31a745628824db7210d9c93ff5c25612

SHA256
bcaf62f5a1b0d31b8117ac376660932fab286104a710bf8d72b14d15c979cbde

SHA512
e60de0da0371f3a472689d7ee994837e1d32cba05d4156ed8259349bf163d8774164c220bf55027a774b65d47d7ad4d215c4aefe7a774ac27a6d3c96a5d9c7e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
47a4394b0162921533f6070e5628c418

SHA1
e640f21390a7bea5992f91aaf4485b75067ac6ec

SHA256
b69dd2f32eb78d5cd83a95eb414f8d88f3c2fc542d679401c123d3061d787405

SHA512
6a3102e87144ad1da8d730659aae89f7c4c14ef85d23c0c6b92f49e58b349cc1c63b4ff6425f611be6536a793ed5ad0adf9b6b4253fe2de39d154d5fa73b95f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
32aaffaffa04c9943f2b522647099ceb

SHA1
8b115c4933cfa96a59a823b476d28e961b7efeb0

SHA256
0e31442b3e4bed30a90aa82c98e6feaaaacb476b7387aa4f640d3c20b99c79cc

SHA512
6af07d3b452ce5d28ba694f1f5545b6eea43ebfc1daa405cd287a267b18f7e005ba2d466e8e48205853d5fc9ed28f293420886b8f91c0d858a2d11a47fe463a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d316c22e35a1d8247316901b0930f6ed

SHA1
eac267e0cca4035234ce48ad23b66b6d056591a5

SHA256
8927876068ca0f36743c3c6de9bfa0d943be646b72e353f714bb2ce5a4b32dc5

SHA512
34261248f36e627df661d1862f043e0ebc6e7f953985767e0f4068c9dc0d7ce09658bb6c006ed051a4ebc4640a1ba51c46d17c6966a1e712196331bc5043f5db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d2cbc93ab4ea0f4322eb2b112cc4434e

SHA1
0f05be38ac4bc35232c966a0d1f94f245dc545ad

SHA256
efe4d48346e46004822379be6850959ab51bf12f9833c237b667cecfaa74701c

SHA512
1387e6604666bea00a690f763d3b86d0dda8f439ccfe1d58db91a7cc6779ad6c011c0e02666860437ce0038e9eaee17d2cdb5bc3e3abb4283eccf37adfe6f88b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
95984744f184df308a4d5d2e02de225c

SHA1
0152d9979c6edf01f13da023de55f4d6d77f11bf

SHA256
5f50a8770167a667442dd0c91a641424075b1f51dd6b1df42579c884e575a104

SHA512
df8c28d60c3558a74ded70934af71a076446266ccaddc75be0a8ab15cab3849d9a5e882deb55d238829c9c9c116a56163031f11768576e0bc43d6126cc24b54a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
81863c016cd00bbf9595e4ad2a97b90c

SHA1
c52915a9ffe23b9a85a37bf837e9386cbc60506d

SHA256
e067ef40e9a6a8d4c82b065663d347e3ff838e7ab0181596258dc24451326c8b

SHA512
b31bad24a0b772c841d5f45c3ca1ed92dfe849661b37f7f3458d20a899870f73147c01d34a3e1a151e6f387a6342c62a3dc8d12b28e707b7998eb837fdbb1bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
96b9937bd895c61890b00bcd466eb67e

SHA1
73f386a7a134f49e1e4f67b0af4802196bc42ef2

SHA256
85c108bcdeba10ce15da90e82c8d99d589487d483c5b35ccf73fa857832fcf30

SHA512
10cddeb67c988a2398687ab44ee06c0cd9847245fc4b282ff05242376cab8711541cd1dcd8219bf86421e720c63dd2718986fd774ff3a4de0a0ab5b64aa9c4e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
e2301fd3fce47e12caed02f05e0c7382

SHA1
7e312dc4b6fe170bc259a4d4c940d5ccd4c9787c

SHA256
9dd5dcbf433249e92984bee47f3e6f1ca23415868ef7ee6e313f4916cf3a0f65

SHA512
a0c1678b57eac6528af967234b0666195a88d1911a1d436b6e497a47a5f35968c3900d9c749c0efe202e3f144773d83485557a79119a3ebfb877e6a95e10899d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f9665f79f2c05d8b9aa52b3dd209da36

SHA1
47183537801c3b5b4561e0df3752df6c92617c9f

SHA256
1d1c38599e2894f688446cac45afd40db63321aee566f6e665bf049f39abeb24

SHA512
d5e7b4185633e36b38102658385f9af8b8b5d8da4fedc373e9ee154f41a5ee4e7d15a0a89542a58abf023de955c7a802fca3b1be6aeedf6048af3b8d458a7b19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
ca706b2acc1ede8935c283e9dc91a037

SHA1
de07ab987f5da401a76ade2f261b06c01cb87b0b

SHA256
9768b4301feffad2ab50256e5d02b19109befb11e2a522bc9f2f79757a0d192c

SHA512
5f609ca1ed0eaee1466a5b7db2e89d8575a16b5736551ad6bda5635f5830e372ef078acd076c1e53ffb478c189ebd07dea18803180f8ca3cca74c7457f13daba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
e81caf384f6be8cea6b98b4ea90f956c

SHA1
0e5be400fa26d06a5a5b15dbbe3e77b2c6a59437

SHA256
4b0d30d29e285b9287eeba8d8ed3f5123363395e22ac73c2c93d42ac15c908f2

SHA512
6d451176a5c281982d7f644252b8a4ddd2b2186bb357adfb9dd2a309bd1be55ff454985534a1d27635610ee6a8965c706f3673b23f8a3d9cabe99654b531e31d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
af7675c0a858f548306405f6ad1bbf8b

SHA1
47dc819823645f25b75b7216e8705ae70192fd9a

SHA256
7e90c60d04c3abb9e0f126bf44f36adef196f478090bb28eb018d41654b6409d

SHA512
0ea7d6dfa3d21f5644845315f42f6ff2fbed9f22898a2c13cd200cf2ff41fd24fb4aa20d537c58b3037d826742071be688c29f35c6a2aa729c9577e766cedd2b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d4a6f6bcd0de833934449b403aff4bfd

SHA1
08d4350b07eb9e41b1f5b6777ae04d1686d5d360

SHA256
e217f8a4614571dc98df7956e51c888eaa842dab1bd41fe019617c4e357df2aa

SHA512
27ffa1997fea05b703ae6196a1f40660e572acf71e1edcb60a31e232bd863cab700e819a851918f2e780c5e73ef85e8efc83d980eef3e05a491b3280357ad658

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
94547f87f11befaacf071e66292649f5

SHA1
eef5f00545bd4a1eb06d422fa674175fd5aa247d

SHA256
de232d0347a1f52e16a5e36f7bc098ae80ed7323a36344a1456c9d6494e7dc5e

SHA512
0933e7d7a8aba5d63a176f6b558ea8dd55c76d27c3d6f28e219c1e36df881540f9edb6dfc4c9e0c30a9a311eaa1ccaeb6fac633cfec060a49230c9ab232a4389

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0f9257c47379bab595427d016adf5fba

SHA1
5971740590fc1377d9535fda19f972fc2ab52833

SHA256
0756c545e886fdfa25c39a237b5dca9ad1e72cca833614cd0773e8eba005009f

SHA512
ff5edc59f72f05e2182d1e4446eb4417f318a262ae367fb8039f86af402d6383f92b18c5ed2e064b20f1f93676e02a5295cedf04685f9a73d249f9bbeac066b3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6e116c9c6599fc14e78924800da51b8a

SHA1
b12419d3b062aa27720d6877f7d72ddd32957d3c

SHA256
ab3fb2173e3184688566324a15a40c94dd6ffdf59eb08b19d58c50e7d4d6f980

SHA512
188ef34fc238dbe582bc29d16b1b7396b424e2abcf911d105fd589a6f99e39b43b73b1f021ee5535f807f6fceaadca5b74f3b4eb33432302f0e19c05267e7b1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0a6040d83fd2597a41f99aa08fb297f4

SHA1
b522f1dc6d76d324371879dcf689ab26966f4c6d

SHA256
26644e5dd8d57d55e8b3edd0764e6e44e6d4f98e8c3417982c8701cce43be89a

SHA512
375040e98da18ae41809f1fa9262a986c9c02f82f84d8ddac1d2f22dba85a7f21a0a1290bce57b93e066818b64aa5742c73013111a523592c958cf819a5e616d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6c178474a26abf047eb3c9ec54aadcdc

SHA1
fbff1b890a31ef61724b7ccb8f9f9dbfed6ea6e3

SHA256
3e614a86b270e48001120002fa1df7992e14ed6f52901dee3df9ea5e3c7465f4

SHA512
d8004ae1c3f229e2daba3beb08fb6404274550562a35a36f8cc0e41583a459f54bcb767d534f6c42c021df67596e3f0d8bdc05e281d17cd530f124c38639896f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2e92b955f04a43a9556f9274a4befd1f

SHA1
91688cd55c1e752238fb2805323efa2986bb2b0d

SHA256
975d752857c939af48b80a3ebcba0331fe2d2c19671c40796597daa7c691e300

SHA512
31d180065512e52a6ef8b5946b1dd0dce9dd8aa42bd0d99ff967d53d1c2c0346900f96fda7825857610e852f4ba59a4a99df2be5ee354f64558d73671b959c8c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
462b23a29e4bca73e9528605bf0164cc

SHA1
ab76ccf993d8c07fcef19c6ac545c6d3ef0f40f6

SHA256
4e4e9779616e6941f5f96cdaf2d42e4ecdda17955211e9f5af757a0214b19c2b

SHA512
c6940a21a310e61f872824b88d6df5e614eeef516b840473b699b01adeb5ba89ddd7aaf1fee6d83e2ebdda7850da391d87cdef8d13bbfb8192455fc8dfadd77a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3d4a6d27f10e4bef2cca2cc25c81dfac

SHA1
e7227efd0a96d47b5f40f4a0d3f2a81f31435961

SHA256
00aefff21d1ed3fd518aabafdb690ced923a2d6ab461526d973aebf90c06e1d1

SHA512
c9ed95d0f644aea908a0246be54c94290ff7402215fd3b57ea8320e2f2f96024df50ea4088cc1dff5488affe81a3d22a615605cc2bbe71d8d3035b3da493fc44

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
42e2666b3fd0dc52b8d388123dfb11d7

SHA1
8c4eaf7d2796ee920c77d53e37ecc2000b2f0d63

SHA256
29ef037fed9155b10df4c88dc10703007c24bf59c30e0597271de8843432faf6

SHA512
6fc2d4be68683e77a26cb6769697916d52e4207647639277420b8b021fa37b2dbcae8ed58720dc9c13fde5d7bdb0cb92aa0b782466fdb4d523dfabc4c19cd137

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d1e896469de06d20babc0471fb0d0052

SHA1
42e133e371813ae3afe45df2bcf66035df81e516

SHA256
791ec4c5b6f90c0009819d986110cee8680fc9ebe68037cade559275ca27164c

SHA512
8f0b5d23456ab1c71d68cb8761178f95e7161386f4bef1a35c21850a442d8df35561952ddd9d32b41defd8b43603688aa7541b3f9853527c24d897ec6d2864da

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f3c03f27e41c592802a6c187bfeda9ab

SHA1
6c104881c28f92a3d42f8be754441296634d25e1

SHA256
150259ea8cc7d82990ecaaef49426f323608070bc001837b93e7296622a2af40

SHA512
bb38756784561d926a389ac2f1d593a377cb82b88d96d3aff3f2ee087e08123ea36656124f3b9b354e12f71ef72301f1d89bfde4f798de9fcc3e64e2497421cf

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
27993e41519a8b1cbdec9a1aebcbdba2

SHA1
75d2ded0549065f0b285f7ff6c20e18a1917f0bd

SHA256
f3231fc666ba91a5c60bcd452a32efb808d5daa71253707a22e94ec11c916893

SHA512
f491b87628f80588ae304780934ad1bc76b17af1216d63bf53d07b47b73cb90e1d11c1a2e401ed6ea845aea41e8eabca953379c105f6fae4318811823c4c4918

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
834db62727f7d3c63659a1ccb120817b

SHA1
2e989907de51b5f4086fbd01fca3089260645b57

SHA256
dfa008cfaca68b1e36a00e28f017060feef6be4168f0e9402d88030ae609f57b

SHA512
cfd08c5bc98b5c405423db50757b758c619e753ae1743a912718afe83ef35d9f7a3a3008fb3f8cfb41f434125f1d644d120cabab26f98b02b2f8b5f36faa98d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
372a9dfb37c73036424154464e87d74e

SHA1
bc5f3009aeea86988ff02bff46458adb35462f90

SHA256
06b85456315fb7b48c4d64b1f604d52d4f4ed5343cfc35361c13adb409f3b531

SHA512
3a96bc43498654f787e13484029b4530b695992fd6ff73cecc15d149882abdeb7b81066323ce1c390794af91dead35d7c32607aee91d9c3b284cd820845cf8c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f318413fb9979d04953a57509d11524c

SHA1
accca5e2d1dd5f2441d2c068da7ba24c6726c740

SHA256
3f034ecf3056a4ecaad746ea56adff1b60154024b4cad77a075e6fdff01e77d6

SHA512
bb1912e8886240f3918b449517f69facc1557184376e075ee8da8be6c7fefe8628e930f059ace697efb04b897ac229c6c9136ae46dc7f709a98f06fc93d92988

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
013b680f711fd028666df413a1b4b128

SHA1
16e3015bf0dcc9b9768affa066199a12a89c7144

SHA256
32cec0a0c14917029bfb6d0538c8d2b42ad7b097544e8cf4252a396186f2c53c

SHA512
a7a3bf21643b2d499e3ecd98a48f101768e4c36efb0f9f1f1d48bdd129d8b144170250c9b7f893c6e6e68bd865978993e016f9c9fed230abc21cfd175889047a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
95a38f7ac850e209226e37694a570fda

SHA1
b157f9a8744cab33825bd5f09f349e4decbf0b4b

SHA256
3791e63cfdf993d372cc952515a869e97e31fb25576d34b33b5f56e887e01afc

SHA512
9a289162477d01925d45bac180f42baea429824e336eb94a95b1320d09698ede1ef447aeff9b898d4b363546034addcb81d595e36e1dc72ef64d7bff725ac646

Download Submit
memory/116-296-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/116-415-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/404-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/404-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/404-67-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/404-61-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/412-649-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/412-342-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/448-379-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/448-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/464-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/464-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/464-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1332-279-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1332-391-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1484-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1484-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2100-645-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2160-58-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2160-48-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2160-54-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2160-70-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2160-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2280-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2280-655-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2460-654-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2460-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2660-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2660-648-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2660-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2700-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2700-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2700-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2700-16-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2896-403-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2896-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3668-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3668-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3736-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3736-653-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-319-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3904-532-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4120-360-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4120-650-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4420-416-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4420-656-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4464-1-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4464-0-0x0000000140000000-0x000000014009C000-memory.dmp

Filesize
624KB

Download
memory/4464-14-0x0000000140000000-0x000000014009C000-memory.dmp

Filesize
624KB

Download
memory/4464-11-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4464-9-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4496-33-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4496-27-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4496-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4496-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4696-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4696-254-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4696-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5000-353-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5000-242-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5000-248-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5000-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download