b3977580ee961677688e75febb713c5eefba4f57d82ae60015aae88b2f0d5e22

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exe
Size

601KB
MD5

57117751e9a40abd5fbd8991e4887c10
SHA1

97a761c268c8d5439a122da2a9a1cb2117468134
SHA256

b3977580ee961677688e75febb713c5eefba4f57d82ae60015aae88b2f0d5e22
SHA512

aa987142fce743d2afeea83b3e6e54093b565126e402dfa8d700df60e9c6f75a6c2225862ce5ffbaa3f4277ec9db72b90b2713a226c4b3d4696ef80972506c81
SSDEEP

12288:HvVpFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+yQRi:USRQ5UOOU62FBnO+E222YJbNEUQKGOb

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3116	alg.exe
1020	elevation_service.exe
1964	elevation_service.exe
3028	maintenanceservice.exe
2808	OSE.EXE
3028	DiagnosticsHub.StandardCollector.Service.exe
2852	fxssvc.exe
2340	msdtc.exe
2628	PerceptionSimulationService.exe
852	perfhost.exe
2464	locator.exe
2420	SensorDataService.exe
916	snmptrap.exe
1968	spectrum.exe
2368	ssh-agent.exe
3140	TieringEngineService.exe
4352	AgentService.exe
3208	vds.exe
1732	vssvc.exe
2332	wbengine.exe
5096	WmiApSrv.exe
4512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exemsdtc.exe57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0c7aae492be0f3e.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044ae6273e8acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098996e73e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee865b73e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097314272e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c8bfe72e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f2a372e8acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb3df072e8acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8445572e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000120c1c72e8acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe
1020	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2432	57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exe
Token: SeDebugPrivilege	3116	alg.exe
Token: SeDebugPrivilege	3116	alg.exe
Token: SeDebugPrivilege	3116	alg.exe
Token: SeTakeOwnershipPrivilege	1020	elevation_service.exe
Token: SeAuditPrivilege	2852	fxssvc.exe
Token: SeRestorePrivilege	3140	TieringEngineService.exe
Token: SeManageVolumePrivilege	3140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4352	AgentService.exe
Token: SeBackupPrivilege	1732	vssvc.exe
Token: SeRestorePrivilege	1732	vssvc.exe
Token: SeAuditPrivilege	1732	vssvc.exe
Token: SeBackupPrivilege	2332	wbengine.exe
Token: SeRestorePrivilege	2332	wbengine.exe
Token: SeSecurityPrivilege	2332	wbengine.exe
Token: 33	4512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeDebugPrivilege	1020	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4512 wrote to memory of 3196	4512	SearchIndexer.exe	SearchProtocolHost.exe
PID 4512 wrote to memory of 3196	4512	SearchIndexer.exe	SearchProtocolHost.exe
PID 4512 wrote to memory of 1788	4512	SearchIndexer.exe	SearchFilterHost.exe
PID 4512 wrote to memory of 1788	4512	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57117751e9a40abd5fbd8991e4887c10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2340

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3196

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
86e36cb46e0e435bd990dfd460510114

SHA1
4f084be9f453fe2a5bc006845debae1a27dfbc8e

SHA256
6cb6efd6eb9af451a3d4b317ee9159eea870821820267fb4fbb741eea3e8cbbf

SHA512
b745355f5a7dfc1e91f2ab04ae83c232279350d76ac53a5f08280e48e1a2a98246f43a4a7761413178bef8c530754a21505a38bc6245c73a05fff3333cae3151

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
6d638e253d264cc88d787c02812d35b3

SHA1
7a170246f37b3dc4ec505b2fb215c1d8e0059808

SHA256
f00103cc859119020d8e7a7e76f03219716d29f31bd01697a799008492d0cd42

SHA512
9927deb5de35540c591012a719f5a6ae4a53f7e6051dc645bb0e40860b40c71a0432aff3ebdc7be29f1fdd8081e2da79694f96f2e3c5a00560400879a1cfeb2b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d6a145afe29fae446d354783a8c7241e

SHA1
974d8e7ef6f5fec410c318936e1c92ee40a8d7fa

SHA256
037ceb72c2e3c33614c5be5f1a002780a4829bffd70caac4c058e99f7852fae6

SHA512
58d67a53d02d946766aebc193986addfec9391a6acd55877619bf7f27a8c7541048a633c077625a9c272e5291e3dcf4941f0d348ecb9b4a74551defdffe35e85

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
26fcaba3752341492282e91a3c564be2

SHA1
865d8fb9ce28e615d0d8061dd3c0a6fe3f804582

SHA256
cad39b6f73b6a4b05d9f5096a189031d241c44a3c41f494f4178a8a609c59410

SHA512
0c45fbc731e4d5a0b59f566032746e3eecb997577b7e265e45de2135290ec89b0cb7aee3a34f3a473c5f34ae1f41caa0a92105767ef2ef9437b7d532ab950d27

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
417ba241979dc43602b1b2b3098b325f

SHA1
8b8a30f66a91fae0b97276097037a0608052e745

SHA256
876b6e4abd4af436ec8dc201d2fb80eb2aeb989807dcff3f9807c1c5f3b1b833

SHA512
a08c3c6aa23855ace7f4d2eef9b9f5f52fecfab93638a2bd412aa0d5d342902206076cc4d42fef0abdbeada7ce8d802e0d24f37a82289ad0592001835fa56630

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
703b2b2a7f00418e69770bb410f51db3

SHA1
e0d4bc41fae98bdb7f3728d7d7f2cf41a803357b

SHA256
cd5df1331d9e3f50801d45d322bf2a26f8567484cf09a2f8d0f5575f6c4ce0dd

SHA512
79d1a88d8fd3f91687aef6e29a0b9f7af819c5c103bf789a80734ea059e7e27948d9089b303867e251fd7f7d85ace1ce84efae30ffeaa0cb9b05c6fe01ad4a81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8f909fd104e07f000aa78bb1703f5778

SHA1
01471b9154ae1d95f06d628cd10d455880f39833

SHA256
e007b9af3dd6f3d71be30db6e147251184f01cea94df21f92e262d097d579c7f

SHA512
8612df1f195ef8311ac737ef42b17494f9da957db8bec183c85d324b50a83ab2436c58969c2fb82dc91f4feaa65249aa2c83e66ceb27baf743c1c3f5ecf58cbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1a2549b6cd167cb8a589a217ff4c9b73

SHA1
fe0c40bacc5ade90e3e9be31e36b5a1365c3037a

SHA256
80da6c3e8c384578928e930b019618ee2da6b591e069b19257ca67bb04f7cb93

SHA512
051ffbeff08daf455c43354e01dd43cbc4c3a1e4a0353f6e6ec97a556b5091843a0f87f246b2813c8064d751e4382e3626b1e491cfdd68b625e339e4b640dbf9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6a867c4cf7202d747c07f22e13f11270

SHA1
18574dd63c914992e7eb739e8efb78b82fdb5d32

SHA256
04099922f6074fb473ce565e99bfe90fa711f315aa401c44cecfac75bc267b07

SHA512
a8f2c0c56fe23a11831ec2027a5a90838ba1a293d36ffec3c3f5d6d6716a27b76ab1cda96e0ca0893944f70a8cb18d418aa2f0e45e65fb1ed3ed8c43f6c581df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f340c52054a49a76d8983766620ddb9d

SHA1
e10a5191a36ed3c32669c3b32030236554e0c850

SHA256
eef06548756a21f93b57e74bce29a7d46cb53bf6b6f0ff77e40c7b97990baa28

SHA512
6caa8b60ec312dddc9f8d1f0bb3c71ca00bae22fb2d2ed0dec6000962146a3705aae9f1f0d53828e93616fca8e562fc2cd69090fc9d7375291701d4755851c99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3303bd337f9803dd91366e366195df4e

SHA1
3682959e5e64cadb8120516f8c57ac6970d5a67c

SHA256
a2e7f2f9ee6b31d89aaaf49ce43929d4eb5c54f48c8507bfd49caa629464d9e3

SHA512
5c39017aa68dfb20cdba15fd800ed51256eab44afb652a171f6d74d17332508b7c3d69262e6aa395e7aa841e02ca3151a71cf652d67423cd03701c2e6a3bdc7c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4c25f0446379f72ec7c2379da31f711b

SHA1
18e44b71d76bfd8866b17fc8d45b365c7b150397

SHA256
a808fd883d54105615359ce6c8dd8303c9354faed2f4611ac259b0b494a97ba0

SHA512
787de3860f4f8aad15b3c9cbdf0d84135c877c9b808adb5590466ea2f57122284b1fb98aa0bee198359e0a43ebf23da84174f559dbd9891064e6012e86d8b7f2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
95c0c1142191508e0a27a4a57adb4909

SHA1
f49b9ccc8493865997e565453af409113ad8a5be

SHA256
7a0aec6ad43ba3d93abd5c982f6d71e2f8c7b646ea03365b46d701853ede0bd6

SHA512
bc9258fe9b729401698afce018a8ca52da7b1d8c8f6d0656727afec926d61bd487b358d0de45fc005c440c7bd90d47cececf6077b82eb9e79015b7634e5e2cea

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
2fc4768b51ae1d61f133e4e6715af9e5

SHA1
913e3b969fb9f0cc7b14426c42e82d66b28469eb

SHA256
1d5da1bba7fa5f84559d8bfa5cf1b2184015880ecb6e144108dae2b530fe4adf

SHA512
ae547af5bb1421303b24ca3b38ea7503852b03b9cd1c35ffe085876c47744dd0c2da6f6a39cdd7b7877835878c08e07dacec596d3096077b8add1cb16f9db2a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
74c0f7d1722bb330507ec295770b3d80

SHA1
6c635d05363c1bd3d4e817c74ea0a87ed2260c29

SHA256
7209249e7e524c7b17f0b18ef992c99cfd9123f81ec0fda1ad72966b4603d959

SHA512
485595407c7cb783ec034eb9f853fcb7e3426f4648c6c5c0ebcb0abae43af2eacc24d8c2d8d3b88dfd91b92f4eb4bbe76b984febe0bdcc92d1670a4472030ad6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
2a862037858c3e27c979855ddb7bc47b

SHA1
73c745e0f2308aa44be0fc1c232acfddde4e486f

SHA256
7f44ead526780e57b4e926679740a3f0d5076de81e053888dc9bc6451c893e42

SHA512
a1a59daa805313452a5475b35aaed70f282cdb5d44e6f4a53f0025b90a7ab24e0a40a7268609f969a07839ae0604452187d7e719d3d13e658fbcbf37c6b8c25c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
5b32cb8b3bdd5558ec9722b05695c746

SHA1
debc44137e4a68d93ea3dc6799b3ad03a60bf0d7

SHA256
69e987cf58085075415fc3f813700d1d2a71198decd4c924b92624599f1085f4

SHA512
0eae2efe72ab297af3308de790f02db903f74233fdabe84b2d61409ce65a13a92813aaf4e3ce5cab5e230ea08f12f76b5095ec2e1892d6dc06634c2604f877ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
af21039b673c1119f7ca2e83ac06bb13

SHA1
b3abf3f0584a848c1b167ce3caee8961ed345cbb

SHA256
8426d062e6cd8c394fda07c019b6443d1cea1ebfb6c1e7ff5fb2472e5d44f484

SHA512
aac9d2d497f8f562a5f82aa77583c333a3eb44b7e036a8a359d820de5bf90fc5e1c0d64510a1ae55afd1a9612f4fd3e705d137d7df5c771ba0dd2c4785180021

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
83c08ac85987d3c1445493d5e3494be8

SHA1
ff0496d24f36084329e33fc5857f4bad822315fc

SHA256
408062ff50be5fa40d2352cb908d146e486fccc6a7e5cf6a8f3466918eeab550

SHA512
f62ec5448caac6ee560db3b8985aa92e08e528c61fab08363baa7b4468126520d1d14b00d3492020cca0da5daf6f04d6161b25cdca5cef6c293d387a235a925a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
2f8e3ce6705cfa4bfa10c57e61380015

SHA1
25c510017de4c55c287f5b7e706b9c683b6721ad

SHA256
ea6ff16ca11a53e3aa76696670139a645581ba99beda98d9d8d5b24ef2aa62e6

SHA512
75155e9925c97a0f83d8b780af3cfb2a84e3af22583875b9bede41e5e8f418b7b9438742e748d9560c95e3ab3e48985e576c6b234963ae25dcc57bd5bf2e0011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
9a8a02869d50b7dd122b6bd1ba135eb1

SHA1
7183e1f012a2ef14611a813b75d4dea63bec7734

SHA256
08f862b270ffef897f412d16055f533361a0e5691ab227389370c6cd73b93039

SHA512
696867ed4c96005fbdb8bdc5c1feb7fd5ea5476cc2f47a77423484f3fcc5b91e43c09bd14fe781f40fc00fb5798327b3d1c73cfb5ba02853889d9a6944f2e8c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
083294f339c154289420113ca9726628

SHA1
747639b25883711e6e9bc5651efefc5ad483b963

SHA256
f63d3a14f4ee2c553de3a25dc9b8e95fb3792261473a25690d690cfb41062ad4

SHA512
a8f606a20c5f9743afeb9c8753f0a45ac9619deac68daaca37d9b17ebbb13a7c579351da2dc26121d421f2724d8f409dad3c27b58ab652357df3bc9e33c7a4f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
06c65c3d79b073d5cf0fc40089fddbdd

SHA1
8122dd9cfef7ab0e401c468445ffedd65868b4c5

SHA256
9ca403ba341546ae39450a5f3cff0d1d571163b12980907870ca7aa5ebb76858

SHA512
74c073eeb41f13650f569371edf3dd056c01398835d98fb439253aef571b4d350080e3146dde8694e244c8f23aeca618f5c63ec2e75e93b6325626eb26e5ca9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c6c21991768a8fda674a9a315c3a0af3

SHA1
0394eb1436e1fbbbfe762362bfcb9c5111e4b8c1

SHA256
f93c5f8d2ad85af537cc03df4305f7d0904aa5c7f06232aa176215f14016bce3

SHA512
73879a7f0b2c15e2db79fc99410200ab8621d97e7af5f642f95a8f28bf9ef52517f5a66277324659caaf087e9544e07d50ca6ae216ac1dee62efd1dc38896a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
de530c60032b68d4e952c68244f6610b

SHA1
1ba250c79c58c299ab50ed47178378929d3eb25a

SHA256
e811a0db775f3521a394b3f001057a2cb76cd7b2040e0a59f387df59d1114daa

SHA512
6685038efc54a2011a935034e8983de7252a3e259c21bd48cbda293764d08a5d317a89a33593cc4c27c8f0f53af7939162fc082b369262b33a708d012c33bc9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
d26d82c764ab93b986e5b68ba0663d15

SHA1
aef3e67d1b505847afeceac1aa70d18e60858c5a

SHA256
50a1c285a8ed0edbb4fd9c15b3762dc37c4a7391702b5f4599c06c788176e106

SHA512
4698e99f75853cd1b459191f82598463e2b8c8477852b439f673ee733ef0ee88d01cc6d4a1485282460597985127c1da3ae9fbe33a9b995dbe4b67ca9d89c57c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
7981e5b3ee71cb10fa4e639365ede8f7

SHA1
4ef882b5543d7d2937c1e88ddb41bdf5c1ac10d8

SHA256
e1bc884842aee0f67ef91e07f4f0c79b92d6cf1ebb041b6e6d4658c71efecd1b

SHA512
630c8622066301426a732a1e159f69635662a92d17c4543000368f4c14d856d93e676273afea75e1e5bff178cb1c8423023f9d6e8d23c665d8d58e4c626ff08d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9244ca7d998e39d1d5fb91e2bede376e

SHA1
5af4a779a0c8586982eeafc44ef3782e856d428f

SHA256
44d3617fa1fc20b39232d12a189f5a242caa7079dc1f048d55df799a03e45ade

SHA512
63797db14da8abbbadf15d884353c585a4ef8a015c77bd0ed418303be0a9a145da0a52584efc8022b6f9670dd5994d0ae66ee07997c62c728cb24243ddb1c409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
8e5a747c8f3c0a80c69a0f53bad96be4

SHA1
4c39e39ed69b470427c1d91ac42e3f63fb06f5cc

SHA256
b9f7b1e69904be4883fc8ea055a0f0c123b1d07706f4319d64a240daea46c669

SHA512
0d63e742d7638da0e4590138870e3978168734a225c2782c086104014e093f78a590251262d1e094271a1cebeae5c969af75c416f1c6dbffb008c5ee0e10dba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
1e9f0121075b87f5c42a843606ccbf46

SHA1
3176326cdd75bba3e5e64a25dd2a4781582999e5

SHA256
3783b7d1b613d9ac89e772e925a156a978d8146ee06c04b6eb3edc99efc2b412

SHA512
4d1952c334661c0c4b112b47d843b8927fb0ddcd5fb74b8c2b696dc0ecd4f144798b41db7eab84e2d93f2dce9a8e7451102e21fd54f697c90cdff8ea26df3e90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5551e69d9be252b187ca81df56feda4c

SHA1
97afbf318fb2dd2b92d3ca8bf1a9461a268f83f4

SHA256
388334ca97247c646dba51090677c0f7c00a056271b3556227c1b0816f36b10b

SHA512
5470ebde11e49908026a578e94dae939858231ffbd10d4e418c221dc4760ab8ccf3f9289b063da3706b14de337ef501afe7544b6e372a7c20f15e9708779c232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
68f72925aa3536407fe2d4be89e5d9b5

SHA1
80bf35512d1ce80656ffb7c6d5b93403018be476

SHA256
a5a5a5d7367bc26a9814551103006e9ca8c0ea360c4e2b4283b14e0cd73a7200

SHA512
af3381e3c4e57679a9523dd01c8ea5b3c565508ef8718ec3d7b9b931632d3bf6c493f4dd8795d63f15e4b814fe0798a9e7d7c13a4b89fe4236e8ec848dd14726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
48b74772e2725891f938b335fee04c61

SHA1
9acd23b3df08a1c162d99e7f11a7c89c0c82c75c

SHA256
98d2df37e3eda81fed7e28f09fed700ec8cb3f6f38dbed5316f26e7d9f876cfb

SHA512
1ec9298e025c667fadcd3a7e8404fb46b42b4e810a9f4c1b197a4625154ab48fcae455abbd010327deb8960ce5b84c4660474195f9f04b552f34a3da974620ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
6677488a01f4856a4c533031c6f5386a

SHA1
a53e2516edcafa5a1659b7035c93d8fd68973ae5

SHA256
bbfb5fc9b3231a96932151a119dd9e63573b01940e132ecdee552f38b00d3c69

SHA512
121e90db7adf626748e6ba3acee62045cb9d7d7e80937fd9d337b8c48036efc6a3a1c53d93158dce2edb67ec9c64dfeb7e6b9b50b3f9038e83fbac7cb6742614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
8b7cff508ac50d431d31196c77e287eb

SHA1
2240cfdc71938d4b07cf516efcb592bd2f266e75

SHA256
3dcce4f7db7d654ae6cbb61f13f61204f47f93b6e0410cceed41e70827bb335b

SHA512
3ca82208a7d1792da55b003f42cc78d98aa5f64fdf6aa9a755fa180ab1e82c5127513eafe1a80968eadecac459649d4b0a048e8b21bf71681657d5371b7531e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
8fc3cedd7c90578d22789ab81290c01d

SHA1
37aadbb808c20e3388604ca05e8f1b4cc2627eda

SHA256
0a153f3157f0380cb44eeae1ec5bf9aa06f07dacdf622b915a1331b5ee930c41

SHA512
14791ac88573f4499af34acfb5779d69b190e27883b9c2f7e3353ef021574641d774a77679ac6547d611442e1c3f301f68a25a3fd50adcb6de5637157372a052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
fdc70d2a3e934bdfb47370c51d6c8145

SHA1
9407707e62c156b95a5036b4fdae0ca2c0586c5b

SHA256
cb2d581a4c2afbac6008ae4e9a3e017f56cfa0c212f1333c621f437c7519806c

SHA512
d6548ebe419d3c011949b5262c974b5b690cf84ccac3233ee1a88afede47357c6c0616a75041b89d64d60c6149dc37f479f6ecc57e0256d824f4261b51f3d8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
88ea3a5a686e02a5cb97ad58a0786f8c

SHA1
e946488e95aea4cefb2daee70605a63f35fb8530

SHA256
e171a387d319d44e5c267be62e838e2c18f2100aad186f9d5e8cc3c5ca52f094

SHA512
0065ec935d2257f97802a25a0c4b2f872ca4560d0dac811b5906a04c95c1e4d86a05fe010f5ba535c6b89ffbefd9d0789c60e40ab4b2be199c4f3b84d63a6a94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
249306fea922010fc01dba0e826d34cc

SHA1
1430d8ed4a48c9a33db5d2dddb2bd5d515e980a1

SHA256
79c6acee707e6ac0cba3a03babe64b2e86586dc22e5e09fe3ec1c64c42b33f58

SHA512
b0974c92ef0dd3832518debe2b5f145bfb4432fbf55837572e005c554663205d327df0a763f198ef49b717bb0904161f653aac29e22dac4f6a2c41919d9b8eed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
ffb4a6edd506fba933176e01ceb31594

SHA1
5f7c08c6d739222f34d3c64d6f0cc9644a098f05

SHA256
12780dd3a818a95c00273a3e503b8bbd7b9df6c8139254146707b4172400bedf

SHA512
48e2120dbb9f93ac975aebfd19d73b5b9dccc9b7c23ffa5f2893fc3e32c626c806c35ddceff8c9cd37cc2e1a59e1dba15fb46da4cda43f8903d6f2c4f1d2e8dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
30b53deb50b6af90b9a29b1196304fd3

SHA1
46890ccdc7b01b2b38b684d5e9a4ae3aaf363be0

SHA256
59a75972a56f5c5e7590a3698c7d23152e38c2604aa5b6f365af97eb50998b48

SHA512
370205f829f2cd803eba3b3ef5b08c322b2341f49ff15c98761a5bd522f5129a33dd13f5d62d7b5499acf0ec6d52ecc8d8e341874019545681c1af07040cb109

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
34e41e93815459fed38fefbffbd1d769

SHA1
529f8e3b519533b84c6f1da6a4d2dd675c8f7c6c

SHA256
bc2e4af3acfc402db098a94d2b14e6d9cf050c3b66a0aa8015d1a9d2577d5749

SHA512
a78044c705efc7f90e2589fd29915f9102903eb3e5aaa119a660326204b8e3aed6d1900d7d5ec3f89d7040bfd573711e26b81b13a1a5272059302f7bcb743eb9

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
ac2f9711fda27c0466966295822f47b6

SHA1
e8ad06b633b6af447722f1849baf5a47e3957470

SHA256
da513c71458e6ce8e6ec5fd81051818aa0d649ec312114242fba8a9c4efe2875

SHA512
fcad0ea9dad7c3c04236e18bcf86b543fa3b38c39047ba2e557fc632a98ce27494e0d8df5308c970c022ba964cc65f50c9e84a845c9a066c9e96088fc2314a5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
88001fc25ad11c8592e9e5fec12e2b2e

SHA1
b65b0871e27ac61098451b78c205478adf4c6075

SHA256
7ec03cc5fc1c24b9886d1b8a1b11a902db322d0012c12217e92a83e5b96bbf39

SHA512
a588a5280f55f9ddd14462aa043874fde9fc80307ce6e670b1c40cc65aaf771dfe62f1ce8f7d739c758bc27295856bac8401e39a3fb5a968ad50aa6ed22d0b05

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6d0bc67f0e49e41a74a227bdc8b04609

SHA1
320e13826e0abdc091ec1f2086d014f9bb3a21e7

SHA256
adef30b9fe61b422da4eeef9aed53e035d0b657a9e49af54851b363715fd4b9e

SHA512
d25dd575180702bba1d238d1664cb4c4e6a12b704cfb0ffe5dff6a7ef1ed989cc6dd038b43a2300146792c18c9c93cae8da040f8bde5ad23580b13375c7c4b12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
9cc76cc4d1884914b9b897c8ad07f24c

SHA1
b1dfc6b33a8293c569ff689abe7c6fad05c6dd89

SHA256
ed555071d98e284bf7777f25a1aa9cade235d3957dd7650e71c578e61050668d

SHA512
ca1722303ba6dced36d5940a707420306ee98571b0a044d4e0411e496915466361c990ddf3c4c276cec228bfe5e57ca279a3866fd55eb0e0900b99c14f8eab62

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
04db03ea89d035763b484bf9c63102f0

SHA1
350cd5a897dd9d6a34b37cb43f57ded5115d710a

SHA256
9d7424307b2c799f1d3dc325d33b0fafe57872c6aa0d2882aaa46e35d6ae4061

SHA512
7a0e026be83265522627b2e89bf6334d71b1889240800e94ea2563d79b779c8b3be45be773cd0acb27c0de018f11eea1b68593c36c042212ff38482bbfe8490b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
46931b48cd9c0357f180151e79931ac2

SHA1
22e7c0f78295723d61566c1daa00e0c6adec1f28

SHA256
cf81d04250e81086074755fe49ae79e021148a32a7625833122d97b487909f07

SHA512
07c7f9f473345bb0df00c6e0ecc9ec93422c6c87208d81695ce659a7f0b2bc3f7b5b465d0a52c1447a746038817eb623bac6c0a1253d1fc253a538c74e718472

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
add3c078dcda598f5a9fc0f9697af013

SHA1
28c4dfc4ebfb5eda80559425b1f3a7c1005e6edc

SHA256
251e3084883546bb76d84d117f4f2cc6158a29277d46317c32ed23603cef5c06

SHA512
0e756320c05f3b2dcf2eef34a5b52a19c7bbe335c80ce40d7526a2ea76b3edc58346c6e03e3ebf00f1325e1cfca329570e73efce5bab614de67178d040c91c49

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
0e65b6b493c57b9c14a6ddf1820abb67

SHA1
64d579cc05492c1f389a2ea7b7fc1191c5e348e3

SHA256
ac028349b99c970dd6d84090da0519fdd5776a2f1daaeb47cf64badb111020d9

SHA512
471d1e6407c1a75f3c7bae696c392986bc775aaf7284f94a9a04e6f14f07165f32a74338df735ee48155d49e4ef1425a3eea22578800f06bcd29b9a07a577ae3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
53ef88728778abd723cbf899645c039d

SHA1
d7ef31763b8246c9e499c0db55f44f2d3c0b707f

SHA256
13d780898cc088c9957f699b3ddf6b6240bcb1b442481da4251e2a1388cfd45a

SHA512
371cd47deabb23b3011f8032d1ebf32e1a76a6494fda7ac9845bb87e5efb788f0e64d8e6d29f2cee3e94b616a2b64a20b331f2fe26e06e429718479133685eb2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
daa7927710c92537174b0b60ffd1b433

SHA1
fc1046c23a5dc9102b1929828274509c3e2d3855

SHA256
9e37c57f7b69238cdbecb60d9157de4c12a055c412cd4ccf72a13f99bd99a7e2

SHA512
95905d0ae20d95d4bbb3fa97759561b247eb03788dd66474dbff4dbf659385734d29e224f473f92fe84d8bb9e73b2ccb01142704d27a2d54da6d97bd400ccb9a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bd93a105323dfee831e6a76438665921

SHA1
3f286935a40f716546ceec68e61bff1d294cda28

SHA256
826a9b586171f7e4f060951b196308e0dd99d6e2508905a64e79b75ae0a07475

SHA512
8f9b7c59b2e5201fe0ee1a2d68878d36618ba19ac27b0259ce0b2efd895ec5382a0376c683636204058e3cfe2dd87f16bb894de831f47656c60cb82b17c35981

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
3d1b1371d8c22256ace4f571aae5c40c

SHA1
b1baf22fdfa77903fef01b3049aada9df38263c2

SHA256
0932f2c138115468bfe1ebb5d6dba0c0d760a3428f808936301ad4844710ba03

SHA512
3f3bcd4775ff3624048bf1df784b5496c3517ae79a58fd93adaa2bed759581b136da8532b4cc29066eacfab17aee0a39ffc62afe152e8b10ff04f3a953a5c6cf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
25d650c37c6784e09fda376735e2ecfe

SHA1
eece25222f6bef8dc6c0ab6c3471196f361c7490

SHA256
167c9fcba8729895f7127dab0f031af98b7e4ec810e475001e49770cd7aa18b0

SHA512
74a9ff754c963477ba1e4e0c2a1a3b6ccb841c5efa31f5b62320814ad81caab583537c641adb5e6932b2fa1cc2fc941713dbb63c0c5d1645abab7494775538e7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
10e2f721b4937f48598d5c75a3f073e1

SHA1
c81f7dd26d3132b1fc552df0bac2478c5225914c

SHA256
80c03184ca87137f3391dd2e7fda8a705cc07bcb88501d19531437c20eb60011

SHA512
b791bc16481bcb413535b45c710d15ccea8294b61a686e64e6d2b84890d949a411a57e3e42bd691739dd024dbc1bab8ab7822b36bae3896067ef8adb93f82f20

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
42ba07475edbc79525fe721b9fa8d532

SHA1
8d4d606fee0787486f89f919085a802fb73ddbf8

SHA256
9d1528406d5a07c023948da472d93d29801d6a01cc8fbcbd49f623e3a2c53920

SHA512
db28cdf5bab73664c98a05be1ce0784243939c8e149a72cd15bb645174e5367655f0f046c45fa13c0ba9401d89b41f39a65e4e951524d22715bb3414ac3205d3

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
b4a34915b8b6bdd04393b10b9a44099a

SHA1
e8c27dfda241733f9e3136d88d5a2830f126dedf

SHA256
71f174c67d11ec5f8573f954bc9e6b115474511b39e71e3ab91a7d209bc431ed

SHA512
5fe2f1baacdcbd3c911c9a0ff647205149b5a382b4a939b9bc4a735e3fb01ac23469aacb0af4e92362ec18b55a79fd5d3c1754dcf7be1f03a45d88b46eb0bf84

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b6ce3b08f5b6f5c9f0d239b37604d58b

SHA1
a3be35a02e9ce1ee220111bbbd9f9ec77a20cac9

SHA256
6f77928a1c6b979e254219a413902f79756c4f0e105d573c4caf92c3cb051e0c

SHA512
d55bc460477ad40526bb765ba9ea6cd23c17239d673fa3a15975834f6ed81674ecad8333c41a30b4c174d7108c5bd185cc3bde38a231adf0e25f0c543b6468a9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
09513f555c1ada19c96266ce27015a72

SHA1
60931dc83ca4e23498f3c85f0510f965309fe8bc

SHA256
d31fe77e085b45ab347da01c77fe656aa58bfc6328ad4a0e82013bd88d0c3b21

SHA512
b9743707e1f79b307899fca5c98f5fe8eab502a7010453e02e24115cb2e7f307483d73b0d6debf85149feeb45bc167820655e6e8268e159e2bbd86a9bf7ebbb2

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3ca770a12e39a3bf0906ac6a5b75a72d

SHA1
ca16f48b9410f31547fef6149cb8c8febae8346b

SHA256
f51d5f0083803af5a1540474fb3312549d25e124fe759d4d261cef14aaed359b

SHA512
f1d021dd8d3d71d6bce7b4e251decbcf9d0f51e2e08b1b4e48a6fb1a34f3b57221bd87830cb0539246a10d4c63cf972a34503af20203bb1a72fc379fe3e174d7

Download Submit
memory/852-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/852-407-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/916-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/916-323-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1020-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1020-28-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1020-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1020-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1732-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1732-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1964-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1964-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1964-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1964-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1968-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1968-617-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2332-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2332-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2340-383-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2340-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2368-621-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2368-346-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2420-432-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2420-620-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2420-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2432-9-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2432-14-0x0000000140000000-0x000000014009B000-memory.dmp

Filesize
620KB

Download
memory/2432-2-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2432-12-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2432-0-0x0000000140000000-0x000000014009B000-memory.dmp

Filesize
620KB

Download
memory/2464-419-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2464-300-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2628-395-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2628-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2808-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2808-63-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2808-69-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2808-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2852-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2852-257-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2852-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3028-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-357-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3028-252-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3028-246-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3028-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3028-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3028-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3116-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3116-16-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3116-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3116-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3140-358-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3140-624-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3208-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3208-627-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4352-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4512-433-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5096-420-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5096-630-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download