9110b0e06c4fa90ef8b8693f9aeb55909d33412d604426cc0d645cd598ab3d91

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exe
Size

2.0MB
MD5

a2c5347dba59c64a789f95b897403380
SHA1

c62a5c3f9c056c076e5d97508d974b39fc104c8b
SHA256

9110b0e06c4fa90ef8b8693f9aeb55909d33412d604426cc0d645cd598ab3d91
SHA512

e49bab707673f3b2958285730609eb92039ffab93763c4e2a0215c927544c8acd2f892c1ccb08c2d1132c41da309b68d6e579dd7ab2392380dd7980416105f19
SSDEEP

49152:KHoz31weaIOyyKTAwRhOQC+ye30jaNf1TWbdz:/bKe6U023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4216	alg.exe
3736	elevation_service.exe
2512	elevation_service.exe
4940	maintenanceservice.exe
1800	OSE.EXE
1120	DiagnosticsHub.StandardCollector.Service.exe
5008	fxssvc.exe
1140	msdtc.exe
5000	PerceptionSimulationService.exe
4576	perfhost.exe
1544	locator.exe
4796	SensorDataService.exe
4784	snmptrap.exe
4352	spectrum.exe
2428	ssh-agent.exe
1956	TieringEngineService.exe
4492	AgentService.exe
1856	vds.exe
3108	vssvc.exe
4460	wbengine.exe
4128	WmiApSrv.exe
620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exea2c5347dba59c64a789f95b897403380_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\22f73086b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebca6a85d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a3e9f85d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9581785d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000385cd984d0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa923185d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000920de84d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe
3736	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2476	a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exe
Token: SeDebugPrivilege	4216	alg.exe
Token: SeDebugPrivilege	4216	alg.exe
Token: SeDebugPrivilege	4216	alg.exe
Token: SeTakeOwnershipPrivilege	3736	elevation_service.exe
Token: SeAuditPrivilege	5008	fxssvc.exe
Token: SeRestorePrivilege	1956	TieringEngineService.exe
Token: SeManageVolumePrivilege	1956	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4492	AgentService.exe
Token: SeBackupPrivilege	3108	vssvc.exe
Token: SeRestorePrivilege	3108	vssvc.exe
Token: SeAuditPrivilege	3108	vssvc.exe
Token: SeBackupPrivilege	4460	wbengine.exe
Token: SeRestorePrivilege	4460	wbengine.exe
Token: SeSecurityPrivilege	4460	wbengine.exe
Token: 33	620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeDebugPrivilege	3736	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 620 wrote to memory of 4556	620	SearchIndexer.exe	SearchProtocolHost.exe
PID 620 wrote to memory of 4556	620	SearchIndexer.exe	SearchProtocolHost.exe
PID 620 wrote to memory of 4520	620	SearchIndexer.exe	SearchFilterHost.exe
PID 620 wrote to memory of 4520	620	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2c5347dba59c64a789f95b897403380_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4940

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1140

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4796

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4352

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2308

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4556

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5ee6d26f6d0d1dfcfb213f035afe6158

SHA1
eea6d288747e965d74dd080ca4d5fbd43e32ed25

SHA256
9ac2145224088a15f8d3efffacd5ecfd65333e1065dbd093b809cd35710f07cb

SHA512
fc73e060799a8e961905185bd05d78433c5c9e774faa07234232dcda38b031ece0df003472fe373bb61846b2b2517f932cb1cb1e3b62abcd86b07a1b2b7aba70

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0aef99bb256d160cc83d2318da7a0780

SHA1
d13d6d0ee83443d63dfbd4c1fa9c41f5a3687e82

SHA256
9f553de8a81ec94cd6dddc6e8b142ca1a1639b6a9bf33f4a168d25b0248442fc

SHA512
84b06546b2602217f5104ca19ddf5a8d077c945490679ff42d3d7679a0622911ff891e076470decac0c594cf0b83cf07822584ae3c660b8a39b1af6f9a741347

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
2d18cb0acb5a8f54aba6f241e85489a4

SHA1
2c1231b6fe712f4579bf89a218b64f9a20c98349

SHA256
73d8bfb5da65dc3c04b2ef3dc683da07b5d4e6b4252ba8615603106887a9276a

SHA512
0bc14f7ed4065b4e944e7ac267986fda0e08dce300c14c42a7c298ecc3cadb52892b2469951b380f8820b60987ad028c47de1638b910111365093369ac76fb56

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7b25aa1092417a073dd714fab88451e4

SHA1
a638d629b59166bb92f8dad3a0130a00543dcacf

SHA256
54a9cbdcca4b28463220ab789c1e0361bdbd16b243031679aef7b081409474f7

SHA512
b0bd9f3580d6efec4406fcc47eabb41c0de605f39196360c703fa25ff5e8749dae23a72ee55ce32f22bd7a6feb32d602c269d245468282ad1f49c366285bd429

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f110c4f887ebb3a279aecd84f59a5478

SHA1
99e9e8ccef8264602aa942215d37353f3d24b3fe

SHA256
c1322b09b954b277ebfc5b4558bdbba828e82d755f58a148da6d5fbe112c1005

SHA512
90bc53c8416fd0fd445c7896e63b5023b9a9339937425d48153e74505d264933deb542204858a0b8c6f2c51faf5eecb3732698be23d684835af29724391962c7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
3ecda26345d75230709dd2efb914a707

SHA1
1abdcbfcfcd71955437168355811b7785b17b6fd

SHA256
e0bcb0a4a2b505207caba99706727967c159876485d58375f901e7464f623cc6

SHA512
dcea5efdd7ed636c4ae203d38c6dfa9ef60f179baeed722c83f9ac154de74f38f81823ad666ffbb0d9925a5df9b58b28b523c1ab20dbfae0c28605e5d5e380bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
3053f4f6528d6cb7fd0f13659775b5e1

SHA1
4441fde90aeeace22b432ff29e0a3bb16e15eee2

SHA256
9db5ce036d7f29b2bd5a8e6f4bf95f37699c3724bb88f35f806fec6efdbf052b

SHA512
f2610effd5c70d6c73b312ad8b6a402b81b5776a29b641204d60bc46993fcf104a5ae49ccfe2eb29a69306851ac2cd3b82e01c3015127a73b3ee0cf94c53ce41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c1c3cc91cbb54974e58109feb91d9524

SHA1
1f5d3de78e650a860304548e8fe25af095de380c

SHA256
be49a5e09f7eeb4f180df8fd527d4a2e6736791555e7e287840367574106fb02

SHA512
4e9fd67f79c7aabf426726c021c1e1ee715473370fffae6b4fec77efdfdcfba67f5c23cbbb9c97f5724eaf77733fa2d1c869f2a9d5877f2c33727f959ad95294

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
b04d6a4f74a9eaf5c8202269ae197cc0

SHA1
1fe67014a9b8a7e9ef8d328af903a89f5e896ef9

SHA256
b2153b6655a507c741a521067c0241b98d61506ec4cab5a588fa545a80ce449d

SHA512
c7e8d68c64daf0d0e808b756acdbb1d87fd2998d25e9f2963ecd7b839c169c698de4952b30157a5a77f45e552cc49fa0ebac6dadde01946bd95478e82e8d5ad8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9c9f86379d7dcfe97653ede14abf9f31

SHA1
e85ae627d0e3c4b47277bc9aa05c8999301ecc8c

SHA256
9b78a7f08f36b436b52bf51cfa297ef55ce75114d95da4468895c1698ae4c98b

SHA512
a035bcc12b8cad66aad40edb1adc77ac8178606cf7a26de90a0abf25cde39a6f3626b37cf8be9476a03daac3024444cb1e76d6145c34eaeeeced188170ea2788

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ce8b5ff3f3138c9516779ab0a0d0a761

SHA1
9a50ac2f6f19e5a67904bc20f4da08f19aff0d1c

SHA256
542d33edc04adfdd159f312041004ad23d72852cb15847362a9c0da44b45df95

SHA512
3b0b610ca153ffea200ae7343380535032cc89f7ae74e526ecbef26830413ef1d6291f9d2f5e1690b21778be2f460040d619405c74c4ca180733891d959adee7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
78fc90afbfd87005ae21210401d6c2ea

SHA1
e5f8f0c1ded96a99342c40a83a1635241cee6875

SHA256
34e503417a4f3f97c9dfb390cfe5fe52a90a7e81101e3d79a88b97ddb958ab14

SHA512
09b6e86b7ab72a15ac5b92e47d4cc378445e10ed936a1c2bfe7314223e2383bc4ac64ca28bd656f1e8a686c9b3ed53c12885d84e77f89a63fc4c4485dcfbf137

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
416749616658a1c3dd973ae8ea65a523

SHA1
c660c7602d96760089896c8798f8c4064c8b51f1

SHA256
48926c5456cf85d724f811a3bc387fc389d7a7e9a778f2fd8743ba0ebaf3caac

SHA512
9c3dcf333f6cfc36dd02f6342c149850d05624fb4677e12431a7c41a94e64e4431d4f3831a6cfce5ca34f8bbf722c0654108e6f72c239cc5b41ac3f32c57ca02

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d6348e0da8812cbc950ed8bdb2965c61

SHA1
7e57f21952407a5b6f4caed2392300359060e3b5

SHA256
9c29ba234b81e985ba8621ee316287ce695bce58df1ffbf94d1f04440837dfc3

SHA512
abe9c7e6130fa8bcc43e0a2e448c6e1f171ef8338813d9a1a2f808135d2a6d9a998212ada75a5ab210fe020c23098ceb0645c62c67c024612e3b26ce2d7007d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
02e890d3d2098ac025728f7b8164871a

SHA1
7082eed7c9ef4f887057c59b7c54b1639c638b2d

SHA256
86ce7aa5769a05125e6f23147018d3289e7ff3a716988e10777abba4496aef43

SHA512
9da51945c1be1acb08f7ead78a4ad3e2550a212ef93ec2c7483b12c487adcfc08c93b7036ab0e2c8d998ab7b44cf6b80dc570546c4ba1d7c7bd135907836712b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
43b0b87467c28d5ffb883e77de4df94f

SHA1
6d4059607c9c522863dca9ba333fc267f9793502

SHA256
ac182e8777a359969de42c02fde381779d0170a8d8a9429ab3980685f9958d15

SHA512
8e822f61ceae91216414050ef368f431127ec4aa226157ff625800b498fa9304fd725a2673f25e686c8a3486706ccd7af61a08c2f1037ebbb235f78670995b95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ea802862e5996c67ef1f2a48286768c5

SHA1
50e4c4aded5bd7c3ed7b953a4539a492da9821a1

SHA256
2160e56223fbb82607dc07b7711cab6c9e627b8c4ff3ce74604aefcf56657ed6

SHA512
74bdf6e12ff1556eb636c27cc56898ce1e1a2e4b50db9e16211fd385ebe82f06b39bc7c92c2ad12b8d1ba9becfa8045613cd60569e45f433a25d2b6e8e2d292e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ae0f52fde13cf7b1a531281c95a130c5

SHA1
66d641d3117a2ee62c2a299407e98d46add43b9d

SHA256
7ea091ca43de49fc82fb0d064e81741c1861572c237cfa3d3e686006e7622f3b

SHA512
c4a49a54515fba2b1cbe44fa147ffe101e196dbc3f986ded3aa0313e0382ab0c58d8976384ee54b2a80704dde44d143a841624ad2b89bbc90d2860cdd3cb5862

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a4ef2cb84c66c2dc0d58e6d6ca34ac7b

SHA1
2d3a0ab944be13ba50261e2522ad30bcf3684199

SHA256
bc47a0ec2e2bc1a6ff312532b1553aa6690703458214f5bcfe7eeb5d6918439e

SHA512
ad7c03b79a4fb1134e53f128775b667b219f820db7f8fe57fc53ad851d07fcaa2d12fc07edb3505ae4616fa921d34be38e268cb0cdd923d8ae31783d3b835232

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
254a874345ff57346e089d3c018bb7f3

SHA1
1aa3e2d3596f3f4efdd72c0068b35c2c5a1b8004

SHA256
54f5f09fa3221d2adfb0d40471c5a29a27396d09e9089fe8853c0336cf215684

SHA512
a362b7556accefbff0c279fb71a8f1e4f8e343037df7669191df551847fa63f392768002559856c559e1d05989ddb55ee8011e66192bc4abca86041459f2fe55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
1397ded49b40a27dbd6baf2547dcf37a

SHA1
47fabe97d1e0992c95a383a8ef132c593454ee75

SHA256
97301285197f5cb56f649610fe583e4672d07e9e9abf05b1de2f036c8738eb5a

SHA512
89b6031a727b2f3e9135390564647f9d67ce39b128e053958c4576940421bd5df1a3fe914b7c19bb8c49b980af7eeb1e8ea4e2e701b9d0a7d34003dc46070ce9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
98a491eb4c88422aaa5a7ad53b049cbe

SHA1
1ca5a05180317dbdbccd4729b96faa4ef535bfa2

SHA256
6df87bab5e26ba6427159e334c3fc1daebbef487bf0bb83464b164c27155f6f1

SHA512
70cc25275d9a5c52db12d00ecb81136a455eb3de5f0f5ba7b651479d67aa8a3f465b5ed85442348ff0fb25afe4af3b4810713aa8c4a5fdd48b3d8520939d9009

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e34d61fdd5717152bc6dece98a97acb6

SHA1
346a4e6b08a6dd316a4e7138761ad78bc9fa986f

SHA256
b272be4180054815133c8620e785cf4e9eb3f259121cd0c39a4f19ba92787688

SHA512
68fa7829acc3dee86a003d50e1a59620212d48a1108cabe01d7ac6ed73b8bc31e1051518efc0c9278ecde1d51f0c7a6ee63898e0748ff8655b13fabb9ba87b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
08161d22dcbdf708a51848e844cb19ad

SHA1
b09107a4d54f6565c730f1f771ef0b322cfa5e72

SHA256
9d4b44e34ed6f2e5f05e215c6f6c4389f861a02e98b1a8af5e63080ae088de37

SHA512
8e07beccbf05ee5d4b6bedf57753ef321d75056975e958e6fbbba880a6742f14aa320517df1fc7bacba8b9ed391acc86b81beb4880736d487d2ada558317b7a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
6dc6d4e4a0c8e908a1c47f8c7dc9ff17

SHA1
abcc18da8bf00e0b2fad5ee971a7c447b8346211

SHA256
9d64530cea2e3c8f22f91f7c7ddb5ca09ae2ec44efaa633b1df978bf34f23738

SHA512
27cbb811073aa6d4cbd991179840468fa859efcc1bd5ec1ff8a6debfb8c30c5322caa424b1d9fad23bb2ad1dfe79b05b387034f08a22387fcee5606b52313b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
a20fae4f45aa4396142795f898f2ec22

SHA1
c6ff1b0834becb65c4c05d7ccf2318aa5ae5bc2b

SHA256
695e18586cb419fdf5558031c104aa64b8c4698cc9635dc30e320204377019bb

SHA512
d6a5f454f00d65299d162b36c9c486b45fbd6e93409f01d2a6a89e157963d97fc465b70b59ac71fb5eadadc06bbefad89711e3791a6ed46c2aa33e79009ba648

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
0bde90de964c744256f5821b9ba58a89

SHA1
c07df17b76fbbb0c8c344742b7191b44558e172e

SHA256
42fcb3fd9e1d86db01ae162967e5a57022df451f8fc4c9c1366cc86fee75bd0d

SHA512
4a335e60fa6abf854be884590f191623703a3fa519d82671a0eddc4fee8761eeabc75c4bb47c5db6f368125413ca34513e51cc6c2a8e139bcefdae6f440ba7bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
2109e7a122eb307e7b837960e2b01537

SHA1
916e7fa1f5f454f17037b03658db4ebefbe1d324

SHA256
fd77da6588794fd091499667e22b724dbaa7e291120182a70500125dc73e4f94

SHA512
6170a330c04b5ceda7db451d62d192fae112a878fe2b8376daec72ff06e097d06f96d3a5a264783a73cebc627fe5c27ac7ee8aa4cafcf93fbfa88b2de6cca05e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
1cc9e2023e033debc2afe0f055c7b8f5

SHA1
d5516dd92d60dd653ddb7a2c03e195cb0b532719

SHA256
782b958358c7b2c19fb4dd30e6d22df5a47b77ddc990d4651b4af75e1f6a8622

SHA512
f4708f97aa4bda736cf4a1bd91319a8e3a091fa57f7b9cbd9db73ae9cb2b10b3af69b69b52315a8382ea64600a316a7aa1c3f27c3ac3560ad3151af40a957191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
21ae6ea0140e5a783c30e9fcc5a206f8

SHA1
14d7c291ec16d880fac848ac53d44a69cb5738e0

SHA256
3bf7fe3c5c266251691fa38cfe6249c93c6ebc09d7072a8cc6b5167fe8b63df5

SHA512
e28647e93c0e713d490f9b429fbc19b8879172954c22670ac6a8b9538609e9b5c2bb663eda2a8cc8bfd23f17ef73f83318d68cb0d7410e926acc483ac9ac8c61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
9b00cb1aa707c3d2c7bb74d386423abd

SHA1
6ac47e62683c6789266117a6ad756002971757a5

SHA256
455feb7e26f45ec4b7537af26a3a4b43c0d363b0473249b7b5ccd61c4caca06b

SHA512
f08ebcae82bfea469412e652722bdee45af03958b01b01863f30f41f4f94622aaedce981f6738341aa2da73940449caae710d962b3ff59376181a02cd2c79a87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
24e3e235166b464283f15266bf81ce56

SHA1
d18c65d35a313c2bb8cbf08abcd02d07068faed5

SHA256
33b3e8be8035222e1ba4f7acb0ab2d8adf6d677e7a5786da4b3d71ff7f30b138

SHA512
83dab2957099b75ff4b7f9c3030351f676a664950c9f5f509467f02c0e2e1b5ce345378fb2c0a4fe223566660fff1cbf6b85e6e5c5b47a03f1ef751f5855d827

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
25f432bd9bfb96fa1530a07a55ed8646

SHA1
a95b8d483b6e6d4b3eb0debca3ea8e0678c6ef26

SHA256
88c099f2daaa1592e6455c9e73e4598a63de8e27e11dbfe4240d61a48b585309

SHA512
e5cd05200333b4f58c8218eebb4b9cfc2a8d3278b034c589d7cbcdb3f2a53c3773db5d45ef12cc5a303d82b858a99a79fce6262fc877f2b53682c033aff28dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
bc2960ef88e0e5365c63b234d5d23391

SHA1
071990e669697c4ef0ef83e9e319922d56f89c14

SHA256
a7cbd178bbf6e2bc4bd8ababde9ff9d20994d3cdc74868f72acaa65553c62bef

SHA512
0a623a9e1ec82d4533a6a64173158b4750deca73c6dedbceb05ae10dfb6f9e3d4b53886d387f01d9913e29074e74dc194818ac3bd282401c25c2a4b211e5d677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c71d6d4cbc8405242fbab37994892ddc

SHA1
644a2d2ff32e5c928e3c01b275b4f8590e9487f1

SHA256
44b4abd412c7e534ae81c68e7b0d4cb36f626630797a3d9e1eaa12a34319f59c

SHA512
e10b689024ef0d74b93a666539e1f8f9e937abce083471cdda1ce25f2943004431dc037ecd5b7b83db450e4d16d34ff3f10b14da7c7d2c96682732989c4216f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
08306c926e3979be34a684eb340b6886

SHA1
1493c7bd8cb4870b344053656afcd701133950e3

SHA256
61b875e1ed0021e38153f17978d4fec95679096d5b09642f23d7ae1af8f3386c

SHA512
9e6225c3a118dffe5b221eff4cc61c013b51f947e189c21eb6032f871355ea728e5fa1bbb7c65f26f2d8be107f017ef7e0e3213095aad6c026d17484eaac4c0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
9aaa2ef7dd77356cf03098b55b49913b

SHA1
1cfc41648428ea576f845cbbe1ac5da65694a728

SHA256
978814b6465f9204d2eef4afa6ea2c2461de3467e3f59e8fb0d93f463d8daa9c

SHA512
dccc629c2058087305fdd93eed2c5ef23d7104b66a7a38444dc86d7e61ad9039e7770491f91cc0be4edb929f62517f608788c153522d8289ce751189bd180baa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
0578f38014aad99396592f89c173b856

SHA1
155e65601692403739f6dbde2a9c70d6b2ab8e90

SHA256
b0184255c5ec934ce21696d0c9ff528c63030807f7d8defdeecb3334f06ecf7d

SHA512
763163ac9c8fbe284bbd35a8aeaca86bd58c3ac4fae291a3f5fc2b17a8790c4168d43373675690be9b8c548066bed00c541824898bfffc4efae69a8161f2cfd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
df79caa8b364324d594402ffe8e75a32

SHA1
f0b976be3b8cc70c9c305ea40da25f0ac3a06397

SHA256
16739f88d2c87a98fdd95e30184f2b2970e57bf8fb560d4104354fe018eb05e7

SHA512
49d68882e2e76829e4b835f39f165de82105f2d07ddc76d41d09f03e913b37d4dd28d84d70f7a581721e2c49e330054989e9f61126055d1fdac1f315e3967124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
67611c0c1377792b4bb54d8114ee847d

SHA1
add8137a65123fe9be57e8acb88a173c055c6520

SHA256
3100c329989c84c0308c8d1683cdaf978bd8dcfaad6ac8f4347f3364c2c6b66a

SHA512
de3f99217db5dad66eea7bb65b90e1b83e95c24fedb628b48c26369264967331c2648c37f00e817294b70450c0ddf7b485a433761cef434d28b0550b9da77968

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
052664356cd9631d5fb13f4d446f7e6a

SHA1
c94e0300337c33ce3eaf13acf8262326053ac898

SHA256
9d03345b38a4b9feadb7b3a4d931d9c515d54b63e1c13ebc0ab88f20de88b05e

SHA512
2eaedf899113da2544f0743335d7ee2d30a6f3a21381ae72f8357a4916cd08336f6ee52b465e78cd8b7a31493732855138b3108bf2b2da9fd79bc0bbe3ff825e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
b3f4afb510fb0929f803c7a7cee495e1

SHA1
10e8d9b0564459c768d197a39528f201586033b3

SHA256
62e10479cb2ebfd09dee97707e179bfac38e60f391e3242028798181041c58a4

SHA512
3c359aa5d2adbb4621af0a9fcbdc4f559a41f1df7b22986389cee29c3c8afe2abbc155430e32cccc67ca8866bde755f569ad2cd5c18b58b478e1a07bf73400e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
ccfa634bd2bec51975442f840fd146de

SHA1
5d7d1c06c822cb73f0842a3748c0a7827ee01d4a

SHA256
a25f5ffbb695903e4d80578897c91833a925e48951423163e8c2e837a828c834

SHA512
4fa14e128dc2b0c5a046c5f8b739d28a935da2d9a4c945dbe872d8b075391c784e64ce95937b7c4fec326d662a4bbf9288a83c8a1309937109475f1bacfe78f6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
5017d08076c6bee979746d69f24a1457

SHA1
61cc441b9a62bcfb710e14c47901bb7246d72bac

SHA256
078c7cab9a747b21a87af2dcfed8ae686b6f07e9281f2c075a3431ba99afe2b1

SHA512
cd827d02a6ad2653ca983d8b1d7db9644a3013b43ea723baec6f54ae38c5c918aac4ff3b9fb4c0b4346d83d92c5e696a7f442e7a905d144c063f605d0766f096

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d194aba39ee5df233d13cba62641b7e7

SHA1
ba0962e4ab928a516e370886ef289fcb715a985e

SHA256
d42dc485d656d5a67d8e0d3cad0751c442dab9ef6276f49ff2b321ebd0a0752a

SHA512
367d8add1ea66fba3bce7053c8dd9d1697fda84a0999e46d04fedb37f09151ceb9edf195c9bd3e5d3b9a653264e71292b6c91eaff8e7c2404d5016de1786cefb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4478b9cb235192e1d5754ef312396cef

SHA1
b3bcc54e862d4b9e305cce1a5c3f8408d4c5882a

SHA256
76df314948c6b2aa4f55f1ab05059bb2a427b2fe6c491b15e5078f21721e3846

SHA512
f8f73de8b12d9e9292af974a0319e833a80b4970a8b2dd52149ee61059a39a92d4dfa5963ad2b5dc1ac8ea6594c1cbd96dcf8ab96b668e799888a081c180a2cb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c2fbcd5c3482b33fa809c02a50a07e64

SHA1
f45e6a33a839f82acebab8eba3160bb76df79c85

SHA256
b4871559ea49b3f3ac3ebac0cfe97e5432f09877d865796c10cba6ea79fb8d3b

SHA512
a18cc36298facca5305426ecda8c464e30e23c92d4fcb62770b98cda6d4f2cf0d413459964a8822cf413dc52a9d3e66ee71bb7f148f60e8f7557ab4c5ffb12ac

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
bcc995ea576c509c5376d2e455e8041d

SHA1
61446cbb7b71d6e977a3506907e55709d37071d7

SHA256
f4769e7b204d74e55ca46341290aa8e648208e6ec9184bdeb0b91b64c8901966

SHA512
ce6f32c30a930370afddb2fbc7b5ba386aa216b65253a1661f72f4a3be8b5d5d578c70c7308a47e3fedee499846f1ba8b2f209a57ffb0d50fe0f6a77b915f69e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
62055cd1bceb2a94396b488c9520c1ff

SHA1
970b2e607cb829d516299a37d9c511b616b4af08

SHA256
ee747514b60952798890fd729102010a26f659fcbd91ac6d400c3bf9c36f2306

SHA512
1c457fa49da47cd6e9b0bf2dba9700e266a2793f4050f96bc98abe612ffbe7e5c68b6f6e9c215daa3c037870641c5e2f1209718be6bb13dee5a9d9848e26ba6a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f1f560ff9fc95abca1e8e0930b3dad66

SHA1
4a80dc3972db64b5b5fcf5aa25cede40c28a972a

SHA256
b8465fcd8dfb5e4d547b48d790fcbf7a16a4fd9d6ff5a8dbc5981e4969b5783d

SHA512
2ab8c0130c26998a63441b196cdeba6e7128151c271b3d5456a6a9835ef4f3d18ee69f49cc9f5cc844baeaf766e7d55458f210e0864c719893db79977afea092

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
33d219d977a205037ab7608248a8496f

SHA1
61c580a5a1edadf362551646b1dde502a6d300b9

SHA256
df1f4b296118c33104445970a3e983277d409e0e5f54b3283db485b0244019e7

SHA512
f0bc715ed05eb378251c67f8d9ad327803c6b42e554e1c9e581bbf09f5dfcf051e0478b429063b95b9682ec7c6f1141295c2fd197c75e34656989c3b0f5cc549

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ef52c75285e3fc26313eb4e1122647c5

SHA1
56b37b3d153e53309d89dd0e6ddde611fab182ea

SHA256
8cd10f65f34f016c1f9a3b72444e35232b587eecb2d74a32a43117e949708103

SHA512
618a8a1a83abceb2648d0d000d689c73f167c31c2e4235aca170a3a31d18c0c1f7acde5f245d8ceac6735beb0ea59d24a688b3b6a23d93ab6630b0594845ba1e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0b55594a3c47d9aadfe3931c7b19a3b8

SHA1
ac84d6fda67592b36b05650e0a45e080c72799dc

SHA256
824ef21ca4053e3bf21ee1ab6d961d0abf043035a650ea897c33b6cab1f3ff28

SHA512
2c27d5bb5a0143136250de5181f8fd2649bc1eee61d184333f36b94d07d10a0976033dfda63116f824a8e7fa65fe3e685e77718d8cf6b400427b3be364b0c7fd

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
49b2ead75fdbd9453ba512fc78f2a070

SHA1
3628409e4747629d18d788825f10f5e92de18996

SHA256
015892f4918f36fa02f0a74604347abe46dbe81225767ff3cef5fc6e60f94c91

SHA512
5b7b8ff6941adab78852baa1f57f038ccb9030275e431d6bf3556eae8b2292e62d16e83295c8ec2d76954c32ff2002c0e71c43b31dd1182fff7306cd3203a094

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3e9ab2de66e9506951aafaabf3bae05b

SHA1
265895ba07d27a6b616376d56a581e9052f08d45

SHA256
e5b915076055514f39cd6f8a587d2b8c8ae486069bc9e310b0cd80e5ab881bad

SHA512
e01d005bc54b6c1a2778837f4f810dda070ae234c724632d485745bd5e7f6f64a1c5a3fe3f943e368acd24b5000a9f0dc50e30ce60d1a8824027f44b90095653

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
1649d4abb4df8d85b8971812b2ea8a51

SHA1
33729d374f3039459072a04a5dd3d2e81968b67e

SHA256
e1950578e2fa34a1563deddc0b3521618ae79353a73d4a0ffa52e7968c80919f

SHA512
97680247bc179082c7e0f2149e0af569d6427448148edd50468c812402bc4d46bdcbe3a8435e5870892e90b41742f7b7923c28b4516cce03a7bbf3c888804ed1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2816551930da7da4f20a5c9b3b4895a7

SHA1
4f0965bff2a1eca9db4251a4705eabb7e7f92bfb

SHA256
9b4a3a3f252e799390111d2eef2d994ce7ea9809b059a1df59d0256129bbc06b

SHA512
f4517fa7a1b72261e9fe74c0d5773ee0c4489315ae9cef1b1281a62cdc4c119f4b1a217aa2855d422a72e9cdd5b8dcc167fb7c2624c0115d2a2c9777c238851a

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
8ebc53098aa694a9c066ae36104f427b

SHA1
ca845817c206f180c55dbe5951985ad1771aa978

SHA256
85e039ed12c9dbc24597340fe59d1ad5355eb250a4ef2c6da70bda447b35b8c3

SHA512
531443a0efe7ae3010462c6d4213c6cf3104c11831320ed713d489bc218b66d5126dfa597dfa3b7852175bd05c45490dd9d3d86733e644c93456031e37520ce7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
9d13d48b7f45f526402f86d27f5f5ffc

SHA1
7ed0861a1d4fea681e3613d7d36fa2161febe259

SHA256
02fdb40bae9b2c4757c635b5255d72e1951539453b2fa3d4a313b528a89804f8

SHA512
3bb91970cbd50f470006daeb62d4559ba5cb6c2b13810a45bab9c8be355df055013693323b57f98a3c56fadcb78415a8e442009f099a3f033939812b87e140da

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
20fc72a5f20e4e751aef9f79108337de

SHA1
678177da2ed3fae19c4b6c03b912427b749d7422

SHA256
263e18445ad49d70065e1cca8deb6b5e440ad3bdb08228e07f482431c5b57065

SHA512
a57beec85a65fb2f308a465b9c7ec4df458059da0e160f36589d09a4c11181eedbd8807054acffa8f31422057901cdebd513450f5beff0b62eda2fc7a7ac725f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
41ff8159989ff282e9af78fbe517a392

SHA1
111dd4ebc7806de96ef6591a83b316fb42639b33

SHA256
dfe51c00e0ad49eb2095b49de199da462165ddf80810bdf354e52c6008740679

SHA512
25ea022d69182c3ac76d6367503e5475efed7372cf1a7eb52c8383fb6a93a78975d106b5b97c3aa6aa81cc2651f3a797fbef28283338f21cb45e2aa7f40d9b49

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d9cff72a34e61cfccb256aab005f4778

SHA1
71033b1ca2b17ee5890f02cb0d147cfbbf837a80

SHA256
1b04d70580a2160b830a3a5f8bff25cf49333f03a7993cbf2b3528fc0d3a61e9

SHA512
fa5c8b79e5fa96e957a6f007786f10305dae6becbaf562fcc2968fc78e387942899dbb940bd8987a4f359826f4cb365e37f026afcd975050ecbc9c2c3283545c

Download Submit
memory/620-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/620-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1120-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1120-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1120-245-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1120-252-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1140-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1140-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1544-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1544-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1800-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1800-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1800-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1800-68-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1856-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1856-647-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1956-644-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1956-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2428-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2428-643-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2476-0-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2476-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2476-9-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2476-15-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/2476-6-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/2512-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2512-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2512-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2512-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3108-648-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3108-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3736-35-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3736-29-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3736-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3736-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4128-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4128-650-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4216-17-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4216-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4216-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4216-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4352-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4352-639-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4460-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4460-649-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4492-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4576-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4576-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4784-588-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4784-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4796-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4940-52-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4940-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4940-58-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4940-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4940-61-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5000-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5000-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5008-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5008-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5008-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download