c0a599064f2b144c7c21163f966a4ffc012e30c10a3dbf8ecc8833cf20f186bb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe
Size

1.3MB
MD5

802f2f28956a4ffcbd162868b6f180f0
SHA1

601e2cba3c0f55fd1c92352db8c931a6f28a2b32
SHA256

c0a599064f2b144c7c21163f966a4ffc012e30c10a3dbf8ecc8833cf20f186bb
SHA512

feb7bf491560823e670644ab2ac645442bd2ed276143441a77e4cde9f8256a0d1feca7b562a199fe1b70744fba510f96baefdd8463d81dd8c7a868d8109793af
SSDEEP

12288:BTLJiQhJWGasF4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:BLpWGH4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
5088	alg.exe
704	elevation_service.exe
1680	elevation_service.exe
3332	maintenanceservice.exe
3344	OSE.EXE
4580	DiagnosticsHub.StandardCollector.Service.exe
3684	fxssvc.exe
4360	msdtc.exe
2212	PerceptionSimulationService.exe
1500	perfhost.exe
4800	locator.exe
2344	SensorDataService.exe
896	snmptrap.exe
2272	spectrum.exe
544	ssh-agent.exe
2148	TieringEngineService.exe
5004	AgentService.exe
1944	vds.exe
2580	vssvc.exe
2340	wbengine.exe
2324	WmiApSrv.exe
3416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exealg.exe802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f58484d11ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd2b17fbfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6072980bfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ce3e37fbfacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007436957fbfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006537767fbfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084cc2d80bfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f23827fbfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018cb4c80bfacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
704	elevation_service.exe
704	elevation_service.exe
704	elevation_service.exe
704	elevation_service.exe
704	elevation_service.exe
704	elevation_service.exe
704	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4732	802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5088	alg.exe
Token: SeDebugPrivilege	5088	alg.exe
Token: SeDebugPrivilege	5088	alg.exe
Token: SeTakeOwnershipPrivilege	704	elevation_service.exe
Token: SeAuditPrivilege	3684	fxssvc.exe
Token: SeRestorePrivilege	2148	TieringEngineService.exe
Token: SeManageVolumePrivilege	2148	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5004	AgentService.exe
Token: SeBackupPrivilege	2580	vssvc.exe
Token: SeRestorePrivilege	2580	vssvc.exe
Token: SeAuditPrivilege	2580	vssvc.exe
Token: SeBackupPrivilege	2340	wbengine.exe
Token: SeRestorePrivilege	2340	wbengine.exe
Token: SeSecurityPrivilege	2340	wbengine.exe
Token: 33	3416	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeDebugPrivilege	704	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3416 wrote to memory of 3836	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 3836	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 1760	3416	SearchIndexer.exe	SearchFilterHost.exe
PID 3416 wrote to memory of 1760	3416	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\802f2f28956a4ffcbd162868b6f180f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:880

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3836

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2591bf4460b9c4bca1cd8f625d04b633

SHA1
9d88401625e6840312a6eba66c8af8b360d2a8f6

SHA256
b8d69d7d6d5bda1116a75ca158517289df8e2c6e775baccb73cd850e92841a9c

SHA512
e47f6dbad927c8bcd3647fdd4becfbd8a01ce8e037230676487b83fd2f91db06f998c27c2c4823db2e379ff53bbd27c0e27ae4d84db6ff6bce1a6cff0c9f04f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
11761e8cbea2d8a632a260636eaba946

SHA1
6509b8fb7a16ee0ba1fd9299bb60a206e35c25b8

SHA256
f9d4195afbb84fa410736dcd8f91d5f62f64da6b5a61be41c1a8b71400055273

SHA512
e8d8993ca09318656c9b58c675eeefe986c7322a23dceadab98bdeb56110b42ca4c2eaa52167948518b9df2915c64e6b56513fe893c9153ef04146f8a821ef42

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
5e862f542412db37e7fa963af4d65dc3

SHA1
d0869aa281f0ed5327da56fcc4d65930bbca74ae

SHA256
130ae51f524cba48e765cbaca2a57b63903884a443f8d84743c9c34f2f31d896

SHA512
6224ca2e4b643462f0538ab8bf843dfeeac263b0542cf2db053a8b9f875d45c8731b023bbc53e2872b9db199c57e30695673ad79987c62f8f974bdaeab9d84e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ad34d8e4c8b24705487cd99cc49b6221

SHA1
03c812e04d9e5d185c69e09e9d4d384a93033cfb

SHA256
89eb096a6485464d59a442569c857f73411b22259ee50c9fb369e4c697bd7218

SHA512
5137a3d465abf31d135440268b34f2f70690cfbf0373ac6205ea7e694e08eadd3d8cec8c9fc76d0c9721a21ccfb20cd0c686e0778167db7bc01140e9139f88f9

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e4c47976314acd5b82ad5484a725a1a5

SHA1
a4a11859a265726f27f513afb37a3597ebd276b0

SHA256
1d613ec2c2833cf8627c77ca522041a0ce7e58db510d141f35a7fc5083215275

SHA512
37eedf19d12d9a4380ad20a34db97ded20cc56f5e6e9cf610c37e642a34014405b4e4bb614889b3d4116769e87fd625589e799ee5bbc6d72a665b993212b429c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
2982d522d3c6ed9c88fbeed3197635e3

SHA1
030a79639dfb151cf3606446e6e1b20d959f5f92

SHA256
318d29046a17d7b48d4d901a6083c30b8a0c4b9536d68932ded99011faf4a1fe

SHA512
eb052692bfd4c7448dbb37f9af5ed44aa4becd3c80721a18e94d8a00135b32d1c9a313b2cff1d3762821ca5100fbbef6de855a40f93bdc9bec74ca737cab4265

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
e1613c38a1ac82ce5b26f786c47a2ff0

SHA1
01c89d67d98eef48505c5a990b033063b141e800

SHA256
17a42ac70012cf789eaed72cf82ac56051f8a26b000bbee40cf6544b6b1e7c59

SHA512
2a3dc232f56b80381b78d8b3c5c95f4430ad8d15213a1d790a53ba6a69b8ba4fd9086454b3c2bc87661a1a45f2848369b133c4988cc55b64f0ded487f6786377

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
09e5ab4c062f2d576778c46fc5218df9

SHA1
f4a1c14ede6eeba235eb72a7705377b2c215372d

SHA256
3296eb04a51af1626e7ffba7d44025fabed32f204796a15076d49cc79c959958

SHA512
5214fd93fb3044ff4460328aca3f634da2f559021d8caff2afb0e110645d166c102ed527535f1f6a2c36573d7ee5675a5832514d8fd76a03ed07d48266c07231

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
e650a0dc892c2903650891ac5c59b459

SHA1
63a806bd361b073b5abd76691be4648ad45d8c48

SHA256
9da869b35228f69ee4be2428381884a5bcc84be7f724721811644a56ebc05ae7

SHA512
b19a3ceeb3f8a226192f711251079bd9b3f6f2963c66aae40f5e35f20c79308924368ca13389f7405bdea816dabc296341b47a62a3613c6eea85a10e5bdfdb9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2ce9584a9e66c613adb7f37c49bc834d

SHA1
54e7eb9f2c105f51eecc4a2c89ef26f06da1cbf8

SHA256
069969904ec6234df2e95f90789efc8cbf8fbed47abad2bb356c21d1c5ed6a32

SHA512
37c53a7469f28b658a1b71ca2ba32d249181e537bb312a9dcf5b7eb45b5e6527d52f72b6a52b663b8dc065260959b234206a9b01db2a32d8ac161d8d9fd3ff0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2127a51124e7704f6b0e5114033523a9

SHA1
a8f0565abd13a15c98305a3c7a10093dfbe51537

SHA256
962eada731f826b1ac9f0a70e00e30190dfb337e4164967ec89dd0a5294157a6

SHA512
a9282fe0bcc5c33b98a9683eefb7dce5e7495bd39c3602a8d4766c979c55ddfd217e727199cbda6da31b696c984921b6c9b3942d72e30d36ff63e2db401c431e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
d71906d1ac95769e1ec0c67a121c10d0

SHA1
febdd46595678d64a9f013333b70259f2eb5aa20

SHA256
5bf8e8059d1d9c6de5b325d2f882a0b52c25248362b1d38641295fe2e9a5e2e1

SHA512
4d92a446ed15639e642d3918d434d9e6ce4a7ccfc5131323be963e493bacf19194bb43c458ac6cd04c7a661d526c6fa7a54a0fd30346ea64a347053561eba891

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
dba551d4585778cd7a6dbd398b3e47d8

SHA1
0d72106efd761b85973d1d2a9ce87b7dde8a00cb

SHA256
a2d1177958c8efcd3fbfb06d6011eaa10fce2b8835a840e69e76a13ba6b8cf2c

SHA512
2a63f97aa5fbf00fc3b5ef5415d818f1966edfbb447e36f56da8cb6b417cd1c8ba511e224d29d5151c3576b5b3ed9cf0bcf370a7a8ddc4aa47c8815cb91b1000

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
56b715ad4927599dd9e8e216198a7067

SHA1
4e58ccbaa0e071e43f7e9ec671eedb09bc21bbe8

SHA256
7579860f545aec2e8680c495a503d1955a169b1876e91f81fa257d97b42f2880

SHA512
8c88ab55601209e4a0dd0966f67ad28a23cafb8f62a06999135eb0bbdcb616c99e1cc738f540cc245325a121e31c9a92434071e101f4043f33d609c6906ab6a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
aa0292484082d559ccc98c2133e75a1f

SHA1
f37edf30ec7f264180dd6d6f47fea90ebcc56898

SHA256
ba428d0f9f7d921d1eff06e7007209c93cde00fd8875921c843526a3dd678e6a

SHA512
c54e68ad86dba21d92de1c6bca2ad15c0119a63317542054df896a36234953d86c10f01a1e8df880e0ddf687d0a65e2a9e3e1d332f927f71cb65828121efe3fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
49a50871e509a2507f2609e95bf54b5a

SHA1
e1f85c3e5da4bbc7305ba7ad0befc11584ba9395

SHA256
df8efc4489c879a0a822e25855db99f72e9031ceea2f2d7e2958f1cbe48aa90f

SHA512
891aae660e865ed04c23d1895f0c0d645001bf042160964ea6cae53459f3e0de1604b08353bc26a44849e1d72496d1bfd2ac64c4688e8a59f62bd2c6d07fb09a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
206d06144bdf9a54ed021732150b18d0

SHA1
fe4e903db00e280f6e5d7f56720ef315e3df2c7b

SHA256
53d4e8aaf09b0688758225ff74192d3aab1ec3d1008bda28c762695ed07fa621

SHA512
f14df0a7983331e05b389c15f28b719285ecbdcf23c5c112e352f70cf431565b465b5849af453cdda75b02c10a50752f075240f2a8a70e635882cdae546f8d66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
294bf4188da9b7e8bf23a330ce2d9bfa

SHA1
1b49eec635951a1fcd24071888a4dc54a11007a5

SHA256
eaf935edd8d8e1b98be7ecbf10a1faf38a223db496f23d48c35d0fe762c00f3d

SHA512
eda6a5c596b900751745ff732530101f36d4d05a063ef86b30a763c0b58e7ac116f4958ab853e37fa2b50baa9fcf9d79a2e511e4a4ee5075dddc2074f37bbf05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
86120a41ff3a898549240605e33db87d

SHA1
f6d5c4a29c77ab6a267b5021865bfc839cbb0488

SHA256
102786451114c249f357c53af3b65bfaf71a21439741af58b17f48ae1d587085

SHA512
c8627b8cb88f063b9a0e8f5f8c295969e11456f5632192bc9202bd80fd1e1c411052a54dcfa20bbe7103789840782f387be70a260185631a8d8c632139815e98

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
9d65760a17977d0f45d3dd47beecf516

SHA1
42843eeca51120eeb441f4947881ad9fe8c51d1b

SHA256
e959b8b18e879b5d62477bfb0fdbf2f72522282b1a103cd593c4d76e9886a098

SHA512
9887e32a28f514bb8d7ed54c04adb111ceedb482fb75b9b47c0d136c25a83fb2cae63b13b1919b8e0655a3a1d344e117b32f2d5c2cc93f7c319ef96d51c8c34a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
6f2f58f73fffe9b3eff53acd8f62ffe9

SHA1
44c07f3e273e64ca3472bc25310d9ad3e225e86f

SHA256
9810f143c16d130806b6d48c9aa2c0a3aadc7657f0c7805eaadc95a4543a54df

SHA512
0bb7d110f4ac8426764b388b78174fb6196f5617a71d4971afbf206a88d26beff625187bd78ec8b2c668fec087e3698379a323de0a0eb9c022073b572005ad5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
16ac9ccffb24dbc015f39314a3582aab

SHA1
85a256d2009af1e122fd5e9e033c0a7e07281f66

SHA256
8aaf75e4c56ea367afc356beae6e6d6a46457189ff72290421db887416bb577f

SHA512
15512a5d87ec509dc321494ebb655a1031544ce4b0ad039f30599a2b0ad1f4514ce17232345a987c8c619af0593f1aa1abc852331c7fef410d49dafd9d5f1288

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
174fad099cf53c6d6830e7b8ea51bed3

SHA1
31a9c7b4fb1b1d40ac3bc9696cf43ca439610e5e

SHA256
5624d23eb4bbb68f77d13c6a3b165265d278b016e9a292f9e9a82fd3cade4f53

SHA512
6317e548bd30aac164b7378ab6125a4a3da54b16c82cf280ba8abf9e2306386d691b11d33653bbd4eb27d7cdb65e16643109318ddfb927f2791ce95d58f08000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
0f3e5484874188b374a4ceae1c48d04a

SHA1
43f1d43db999904afa945b2a6df1e112b70fe98b

SHA256
ee7a0de781724e266b222236d944a437ecff7c0466d8317c1a836b96a2a6db29

SHA512
e404ec623831ad1fe6228e7558de192943fda95b52ac9e5a7513efb47c09bc22e7d9969e1a1a3315bcd3b6fe386066fcfb5eb35cb4d947e29b487663f244e140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
25d40ab7131d8c6da76d844d082bcb5c

SHA1
9aaef5ec79e409db26999d8b31115ab65dd366bc

SHA256
3f68749793a223d48279bf609bbad35c9b2638aa4fdd06666cf92662114b7597

SHA512
4fd3f5531e71a62801e9138ef30a4ae64fd1cbff32f271e49f8cb5ba74c7517a41025c568c64685def9d8057589243cba5f419257a59eec53417881989d61814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
8916229b82946023157a1e8b79322258

SHA1
cd2af5964d4026767b00032ec03b4011561cca11

SHA256
2871cc17e8271c089a8f79b927c41b29c3341842df7b03aa0790e362f8ab31ac

SHA512
86f85b02307a126ee30c29f01081d789a0ab20f074225c03d521ee01157bc389c54adc437182ae184d9b2f360774cb9e2268962dd5d3f3e07aef231cb6857b93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
15dd992aae5017b2e5652fb282ad2333

SHA1
37b303bad02286b385f107dcf51e43131e3703f6

SHA256
c057bd193078949d46da5184b518be380e969ec07fb045d404954c4f33f99fea

SHA512
489441eba8cf63739ae336d9883f8eeec0308c96078b178925d3d5d37c27f4a0e5705f2cede87a2b2258f9fdaa7317bcebc155d379491f51d8bde4817f6259fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
bdf64574801ee66d055dfbb1433b8c28

SHA1
76785da7ff5a91db7ef88586991ae3641f7b2c4f

SHA256
50a19b9dea3f1bec926a5f220e17e36f71d3b9f51d994138c573af10d0b2a08e

SHA512
b81b979406c35fc6fe879cc496aa5a33656f395b85e3423241d82c83e00bed212a41a57c46add2f545b50e4c947ec2a66a99155045e6a5e724fac707a75f1fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
1e13e0a9f3accbffa93af139baa0400e

SHA1
d7595a0ef22fb7134fa99a8ff8d6ca2e1bd3883a

SHA256
a8845b735207e54d5e64b5e84b53304c3adf901e2b789631e0d9ef03625cd7a2

SHA512
59b4eb93009e6aa8b65a9a006a4cb74e82854a3fdf7e6f0a9ba064ea9a78838fce7ef3681682d126cbace7c4da04859419848bcc104065aa7ff0645d4789b445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
806fc0c16164e1fccab2f58b99451973

SHA1
916cd5f17a8ede5d5389106ac0089b457607ed48

SHA256
05f2bf43d9c489671e7ae1e900fd4759eb560b027cb69a9ae257dbf5ec7cdbd3

SHA512
67f869c61dfbc969246dc182b08366673cffea09cdb75d363aac2a6618e85b01f93826011ea213856481d40fb9ade5739eac443ffb8942496c105203a7c8ea63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
82dad1067876efc94b69f3904ebc1733

SHA1
fcd366359d07a406b06003141a23f6317dbb0a15

SHA256
d3ffa4ddf9f5484ebaa6c4eaa2135f117e8fac3865f55623d2ccb40d7509c98c

SHA512
301cc34d656b60dbe586a6d714dd24e250db05b7ded7c617b7d07855c14d5f420d417e0ce77a429d5e726303f273b1810b07b3568b5c7fab5c0188500994c042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
3c08b86b09877df5dcd140ba4c0fd581

SHA1
087b8fbad1a48597f53a3bfe6ef1dafada6b5dd4

SHA256
ae146c660f522ad4b15b85c28e49f09ccf5cf25dd08260d281c259e9cf496f9a

SHA512
5469d911d94a83ba3309c730e6b8bd1b8c3eaba442fb38f7a6a9b901f30771334e498da414be368c861cfedd9dc3732e47f22bd4663638e3635aeee6551b202b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
fbdf923f49d86924e039c8c415b26731

SHA1
c37c435b0035f15c7be54d750b7145197e8e5b1c

SHA256
99ce9b977013737cb5f648b67bee76f54398c40ea9fde012f2c2957d4080e6ea

SHA512
1c4630b6b0984fae0e62a02b2449980a059f19edc143d0310a517a50c5532c34e8b282cafdc8b6a8df825c2944c299a11bdb245a167ba2b115397a8eb68be484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
396b27b53288feea81bc1eb5cc1a72c0

SHA1
49399f2188e9e55759ce634ffcd002523f319aa3

SHA256
791aa200f103bc26474e1f5744e2f03ee737d84d69700176eae1d6de1f3f2c43

SHA512
7aacb283fab872950c3d5a53e84d4989c7667e20cb86564c5d8d618c53bc0e76016acc4159c4f981791f8ea7abd9d0fc4a253d898da61850bc38fce4c0b63301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
607756761b021e6527ec573fbe8acc1b

SHA1
5ae17bd73d1bab1bd310afb6a802de2e47aa4eed

SHA256
7e587af2e478a0cb9aa42dffb6fa3e8a16a525d87ef2b3d211b7a5f2792d800c

SHA512
a54a135144b7ac85a08a6f35ac09dfdeaaee9383bc7a3b5cd554acb0bf52dc23cd8edf2d2ea4bde97ef747d0279768011e680976c02facd2d30ba889bb901a56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
59da49879f7dbb8cabce4bab70a7b63a

SHA1
ac129b2305ead82605c6784f409b001c9f83bfcf

SHA256
747e37867b75578f5fcac916304a2d8dc7ca169e2156cdac642f1503d64301e0

SHA512
75cfb8685a38a8624cdd45346a7b5444a27acf4f5e248aad8668f6824407e6f77b5a1ce0337a55c6db4838b191690f05fa28c08fb93d57b483bb6f8c1161adda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
a1b2bdcb91fa52f015007f8443ab0b42

SHA1
2e7db0a1219935a90b8147007e37be6b275acace

SHA256
51134f2008895dc41d51ff06ce25ec76a35fce01fdda79b2652caaca690b289f

SHA512
53567c05169d09fb8f9dee2756bc636380b90906888339323460d36a0ec77cc816db569aaad31f19e24ea433eae010d17a323d646ec60cab3c4c4bf45a4cc15c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
ac6826cc1b636bdab097efc562d4db34

SHA1
d10d33ef75717a2b3118b7123f4bd5d566483063

SHA256
dcfa08008fd7df4904940d4bae1d58aa1f0ce114378809391c1bfb2c4fbfdfc0

SHA512
0e8dcc495a17e6f1bc2fc1c98bed695d0637e9e020a43af0fed2049ac6fc022c586a45955b868b4d09b3d3791fc1fed3c0c0d2c125d833430c1252cfd9d50502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
d19f94bffaba2b7a44f0e3d99268fa6d

SHA1
b57ed624dd4c3ffaa91ab9803f841a5b2fc9868a

SHA256
cc0377b42e25168575147fac9f3144f9ac1ef6942405e3ee302fde364916ad26

SHA512
38a112a6a11659409ebdb0a257026bad7acb52172f8be2e467bb57ea311d0958da89ae5731f2f58ba1c80000be8dfd0d5a88a58ad7e44dd10637f712db0d9982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
4c54b68b0cd39d7b5c17dd0b476bdf72

SHA1
54726984078e637442275e1c633fe669153dda99

SHA256
5206add0284e43ce1bd8e3b4bed64c400ebc01e520c77a1817cfb02af43ccc08

SHA512
62da6ea8a603eff7d081d2f267885a2a1ba4ee762f30ff9511cb76e48c8bd84ff7c8ddd7aa33daf00c4843ee7966348b3004397cbc4a8e1da63699cf8af10c02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
38ff97df14431efb7f978da7dae152be

SHA1
4f4055914d605521d661b1729dd6326a69de23ba

SHA256
71083b2e0feb4963a441bba3186527a319a3686de45f963358cf3e6be3c20e24

SHA512
4937e5cd04afd995245cc7826df981f3474ea65945aa12cfc1aa080d2e2be4ad203307712f850155f1b4e85f1c4db82a78147884694a424ed407bdf39c89b873

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
d28ccd152543c6c987af79c2b33315c5

SHA1
9b2b793f77377ef8edc1a3a96f896437a9d1dba5

SHA256
830256a5062e8c5a6e3fdfbbf7396b2fb3a8af2314fec25d7b8b620bac183a8e

SHA512
23e04cb11c36af4fa65c3b366b4c82f7995b03998a7de456cbfafa8b900a5b68a725eb037314dc956da3443265a6c4f63bbe6a1e3edac285f810d61642ccca70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.2MB

MD5
f663d542ac6cd8974d769452ef7e89b7

SHA1
ba8d3d85b2806c9a13882d82a6aba311240fbb66

SHA256
879304637edb1e91d29cdb085a2761936aff89bcafdc68b02b61e031c2eb749a

SHA512
51fcd7ec4e39dfc441b35b6dafc3447b94bf4370537047d5f953c1086964e2e2ef98f87655c927353e639677e427dafe22ffa6dbe4d0bcb7f38052611961de1a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
cd2e6faad4d4bf8cc8349722a0d9aa79

SHA1
4fbad287b87c6c90699fcc1dfe504a4f49f2964a

SHA256
7937e96dee3084f596f5e9e96b2341564c581304bc11d0594d1eedbdcbc5d5b5

SHA512
ff9b02672ea4399358691118e728cc7516024e66ef3aad3bbbf1166b02d86fb02390a53563f8bf9afb174d9d0b83da93cc8d4990b83e9364863e028be68ef1b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
7d02c111d6f3b7cd2f09cfda2e86b772

SHA1
da354f8bccff9fa8559ce184dd276b9014b31bd6

SHA256
89458e5ce012c89d0a230d1b37f1e021fa5c502d2b9f11fb7bb758499ff77791

SHA512
410942ff97b94e3b3b7c30a03adf6e5871ddb6f9d91c6a498329ce230fd9e93190634a5ccaf82476b9ec50bcea8746e9ef339699e4f2daf2aed523d5ee600315

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2b8357d59b601489e4539320d50d1f99

SHA1
49d80748f6be9e0587ad6fd2e8d2f09b554d0519

SHA256
870f757ba8486617ae37eddeb7b2e346b92efd40cfc06fcf3956d193eb7b1a97

SHA512
78a4f99c212aedcddf9a2b21c3837ebf5526cf23a403b799bdae4d429c5668df2c99bbcfad82dbe1942cc9c3e8fc66959e3649a9b71a804f332b00864dc9dd11

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
f65613898d8b867b8ee550023a6a8bf2

SHA1
bf9492e2484ee2997cd9094808530e079997d3dd

SHA256
55de505ba893ac4b9f9e8e2ceae395749f495d4a1d4616fbf5bee992a1c2296e

SHA512
eecd3d5a0c67422614f0d60cd042a8e6132188f6093ec9d11aeb25269c51e8a572a7478714b6b23b8f1033769774db4921d87e3780f9d4e04c72cd4a49d16ebf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
936b3199711c1e79f09c9b9064ed7218

SHA1
235d443064ad74563ca29146b2027623daa4f969

SHA256
ec697c0a02024aed600e348dcf82bc21623afca617b7fbdfc3668fbca7994e15

SHA512
1e5d535106593dfec59b6eb948708f5b52601e860e2cbead3fed0fdf80dbe8b6117fdee56cea5f8cf44083aea0cb462eb22f83611dc6edc68bb4cf302a7443bd

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
6bf67e3aa9d4027d4478dce4de58e440

SHA1
7b9104eb90d5e591f7df47312b87641231099290

SHA256
cbf67a7f51958fd0cd0a2b48e334f614b38d0bafea08d078927e5a462b7d1820

SHA512
ce1ca85eae4fca6fb49ade0d647d5dd06aa41d4ed8fdc04ca78f989e6c6c9bdbd704bcd193537c4008951b4387623f0089e704a710323044083897591472d3ed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
21eece3870bcf2f7e2b890bb54db7da5

SHA1
5a3964a8627134eb646c2f90a9e1bf457ee790a4

SHA256
7295fb7e4aa735be3c5b2c90cfdf97376eae06807c248dc8dab8b9f139e723cb

SHA512
94c0c36d9c492341aca064ccda4a0188b91b044cd79b3c1f68b8ee87b94e1cbce9dd55f94cb2c74f921fecc03064ae4a406ee8bfee8dfef3306f367f72b58829

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
3a590d49e02dd14c9e731ebfdff7e082

SHA1
594e883024eb684b7f1ad21ec128ae5d06ac992d

SHA256
20fa145b0d6098c480cbfed8bf3f2636f28474f67056cde05d74db3e854cb94f

SHA512
3dca5da2933150a8da8b03d1d2ddfe12af21b87f9b29b29d1f0bebeda01a69bb796f5501b8de1da2cdfd46dd7c698995b80af3d6524be376845be637a3f91709

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
dace3ed80257c72f161e8b1ffe768f87

SHA1
692dad84564f27e9953f5c7b41e7a68ab3624567

SHA256
119bb451274ce5b30d3ee188510fcc8cf88c44837e0c2df967f18191ef96fa72

SHA512
77beb95438306f22cb08a6552528bbfe165aa9c4ea000b38bd1e729b0ef73ae2b68dad1e341c57ab8408e192ed440c49645216f57a77aaa8868c8359f50b8df9

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cb0a7b4c78b41163c07e5c93a2392f5d

SHA1
9fde2edeb01306ade91d58f27bc84df6e7c5ff21

SHA256
ad0a3b4246a417c3eebb0cb9e1560f39e9885b8b50dc1540221929aaf7bdb0bb

SHA512
8e7057ed4c289a98dc662cac887428576193d7604e224c57dbfeab90c91f0656791ef18229e0d95a775c897ec20ef552004fb0fa43820defe62b16fd50e16d42

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
b23c565e38b2bf7d2c6e8b39378d98f6

SHA1
a77544106f9436719ae922d630ec47cf1791d9bc

SHA256
a6796b95c9bc4fa99bbe5260d39d23f04a664dcb0b7f78d428f3976054a6fc0d

SHA512
22f1cc4ae104643a695b25070ad6eb3bdbdb1f3b60e795167d1f901672ad26c25d2908bbe2b86d10d21581f8f47bba8050aa9019987280787b022b482850ea8d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
0fa1f1af8041b54292dc40483935e47d

SHA1
0665d2b0bc239ea63bd1d15af8146eca3a638392

SHA256
f9c9f4f60cd9c8124f2025aa3770108b72dde59ad508f90ab7e46e1558babf33

SHA512
ed714e9ff44d2a57756ba3371b8a797726cf3604bf1c9577dd95d1ddf2c61abcb6f879eed6af01669ac827d55dcd407102e58a670dc4713180416cfb56b0b158

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
eda319d594c58120be4a52a3d6a51ba7

SHA1
1eef2ecf622d09f4198851f82336f423990d780b

SHA256
e854c944d8898f1cfd9e1b2be50154e49973b7828eb9f732fe362058d91cb243

SHA512
b66cc349d1b2e92115f89e5a271af6f44c8151bf498e18a8fae5518d6a87b9ddb68f562aa1724dcd73544a898067c230633739c5870814d45d938f0c29797170

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
ec13c86d7c1192d07b710470e196c2cf

SHA1
7022b48da8efe8fc7332c4ecc5bbf86cc82ad095

SHA256
6984e53373ca5d8b68ded663a95e4ddd21de467830ff5b912b1a363e241a4914

SHA512
6fee4e1f17d3e3ca41e1084f21c6cfa428863713a7afe6ce88fbb0e133cc2a1ab62d58293cd836667eb3d80381110a23005d7a6efb8968f78ca48113eead7563

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
a44efade3f6312849c4c31e12f29e09c

SHA1
4717b8928a1e4cc9d9beb0edbdce398637503271

SHA256
7b98a58adf90c836e08afa3393fded350e4bf86da0d80799a593ffaddcc0abf9

SHA512
54e5aab29ee1189eb770457c2b21b805b1de097e7229e7fc614a337a865a635b4e3d66811c24ca0eaf762efbcb1ab632b7a91bc01bdd96438b577a9c0a5dec0d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
5b6366b80d8c210b1b2427e66c93d52a

SHA1
b52f00b84f89261490ae3bae3db45875531f53a2

SHA256
947740b0cb2559dc7ea055293526363a70be64f1199b3208d49866d0093cc56e

SHA512
d5e4cf30b7bd78c575c7d278804c59480064d1ad2b50f718420ef0b30c4d2680b41fb207ea21023708ac3ae384b20bee094cdc99b096e12c07a0a51fe01e5562

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5c8f45234a56ff56b7437ec07dd02cb4

SHA1
d0b050452e3fd87e7db26238e2650b648af6d8ed

SHA256
3164317d33b3984b344315c3d01f979b9426f157125c1bf91bed70024123cb26

SHA512
13d539d51cd88141f5ac51c620a595b19fb35d0f818ba8a0d02858649ca0bb828c39805840e1afd80cda2ad092ea81bd09c9a31aa6a23e4de8ab5cea11566fbc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
f417d0a0d2ed0451a8cbd154fad68430

SHA1
fedb75ada07bf56e73f3e9d6291436d9773f6b42

SHA256
4fc10f280bd9161342ad8adab2fce1170a6756095ee3eb2ada25f584298e370f

SHA512
0d52f52a0084d980efce64460099d5d21e4f861637396fb3de14863369c0ab3e0a40c73b4acd7be8892b15691adbde01cb7d8afafc113c670d816d5d41d9181c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
73d09ddbfcaf11482fa6353538bf90f5

SHA1
0033619d278963d23b045aea5e4b890d1776758c

SHA256
6747cff9b4ba350d0a440641a1d5148e771b71c3ea98292dea32c91fa599d83a

SHA512
20cc0e7200cc76157c62e42fffee0fc3874dd801174e9586bc10db54c8276219cc847a00e918844fdffcb930a0e0019eceb8005b9716a3ecacfa549f5c77232a

Download Submit
memory/544-352-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/544-618-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/704-28-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/704-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/704-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/704-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/896-329-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/896-557-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1500-296-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1500-413-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1680-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1680-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1680-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1944-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1944-622-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2148-372-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2148-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2212-401-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2212-282-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2272-609-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2272-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2324-625-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2324-426-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2340-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2340-624-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2344-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2580-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2580-623-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3332-52-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3332-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3332-65-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3332-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3332-62-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3344-239-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3344-75-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3344-73-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3344-67-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3416-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3416-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4360-389-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4360-270-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4580-363-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4580-244-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4580-245-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4580-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4732-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4732-13-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4732-8-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/4732-2-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/4800-425-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4800-306-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5004-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5004-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5088-234-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5088-24-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5088-23-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5088-15-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download