501b20dab38e6c67251cd039fe52812fb3d527a89ec0b58a831fc4b4d507c1fd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exe
Size

583KB
MD5

6d0479623dc50a91b45362b64f5f5360
SHA1

e15a5f05a52460882260c1655001f6213634e838
SHA256

501b20dab38e6c67251cd039fe52812fb3d527a89ec0b58a831fc4b4d507c1fd
SHA512

a5667fba7291fb4d8a85920f2daf86770464b73e2a894cd939261ba423fc5dc54244bb6ae1e966967bf928f0e037372a5571baf45e30e4aa9937bfb8bb92695b
SSDEEP

12288:RrcaZTWuKTY0eBgob0gEE64ZKAQmaZ/W3Ig8CidwRisW:2UTWuKk0fob0gEEVFQmic8WU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
992	alg.exe
856	elevation_service.exe
4200	elevation_service.exe
1688	maintenanceservice.exe
3628	OSE.EXE
3264	DiagnosticsHub.StandardCollector.Service.exe
2824	fxssvc.exe
1308	msdtc.exe
4420	PerceptionSimulationService.exe
1512	perfhost.exe
4060	locator.exe
4864	SensorDataService.exe
1988	snmptrap.exe
2124	spectrum.exe
116	ssh-agent.exe
4948	TieringEngineService.exe
3968	AgentService.exe
2100	vds.exe
4028	vssvc.exe
1724	wbengine.exe
4236	WmiApSrv.exe
2228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exeelevation_service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8478d66fb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a99fb661e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a22c6361e8acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000838ca361e8acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080562c61e8acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5930861e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000edd7361e8acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
856	elevation_service.exe
856	elevation_service.exe
856	elevation_service.exe
856	elevation_service.exe
856	elevation_service.exe
856	elevation_service.exe
856	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4524	6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exe
Token: SeDebugPrivilege	992	alg.exe
Token: SeDebugPrivilege	992	alg.exe
Token: SeDebugPrivilege	992	alg.exe
Token: SeTakeOwnershipPrivilege	856	elevation_service.exe
Token: SeAuditPrivilege	2824	fxssvc.exe
Token: SeRestorePrivilege	4948	TieringEngineService.exe
Token: SeManageVolumePrivilege	4948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3968	AgentService.exe
Token: SeBackupPrivilege	4028	vssvc.exe
Token: SeRestorePrivilege	4028	vssvc.exe
Token: SeAuditPrivilege	4028	vssvc.exe
Token: SeBackupPrivilege	1724	wbengine.exe
Token: SeRestorePrivilege	1724	wbengine.exe
Token: SeSecurityPrivilege	1724	wbengine.exe
Token: 33	2228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2228	SearchIndexer.exe
Token: SeDebugPrivilege	856	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2228 wrote to memory of 2804	2228	SearchIndexer.exe	SearchProtocolHost.exe
PID 2228 wrote to memory of 2804	2228	SearchIndexer.exe	SearchProtocolHost.exe
PID 2228 wrote to memory of 4424	2228	SearchIndexer.exe	SearchFilterHost.exe
PID 2228 wrote to memory of 4424	2228	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d0479623dc50a91b45362b64f5f5360_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2804

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c16a85e32bced1d0f8954c56b3842823

SHA1
c323f32a74ba56e5915065ce2cb386ccc22dc418

SHA256
fe75e6f455cb602c98dcee1a29eefbd2b3c04bdd370dd4882e9d7ce46f88c97e

SHA512
a345c72849d3c417ea757e0eb1276a97060303fda5548073387d0bf0f8fc9e73df71b0829653ce0e6d5f04d25ce59cba9c810df09f26a20b4da772ef5430bec0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
e43b0a38ac8623549abd1ea1790fe8b1

SHA1
b252297e36c85689d21ad96af7c6655ef6323d0b

SHA256
3ebb010fb7aa8880b0ae314568b89f55cb8214831e1d8dcc832e1157cdbe624a

SHA512
6dabb29a5bab73459e2ce55435bea576d865e3948d5a2ad27667e07924addbf3d10e5ae4f1f9f24324fb1015e1aa7c509bb1ddbf83498984ff7a51afc534d92f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
84942e30cac08c7bb63c55b5fc5313cf

SHA1
c197124a4e737b50006ac76e4b64b56d6b99807d

SHA256
afdae1a9767d0a05c17b5221a93f48ed83b223a6032d55bfa217783dc96a3402

SHA512
9cdad1e846a8e787fe95e0b2fcd3972f401b0048f8bf320b4b6bbd4f98046e04cca3fefe2f51e00b2393bd9509ad49faa5256d0e5ac793031b21dcb2ec7f7a31

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
558bba9bd366fc6aa16f3ff2453dcaca

SHA1
12f0061fe41d3bb58d34a628c57e7380154eff89

SHA256
0cf4c06be1035373f3ee514d6900b27bcae2e7aae92f3a401396025275d1fd24

SHA512
c3588ff6f5af08e95181fa5cd4213b39eadec63ae68e846d95637370a5a7b86928842412033c7edabc057ca6868a3e9e4e3745e3f66284cddd375beeb69948c1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3a2f4d21e0a25dee474aea3007cad1cc

SHA1
b5ba76ee14cafcf00200ee6d9466bc00beac8946

SHA256
4ec2dfbc561b7180423910e1ec32b84960c3b70fb346bb26f2320c1448bd1e35

SHA512
157f4ddc31292964f1a40019d8d959ee85b787692074695f3a9364b79b420d2ca5820910f842abfae6d04c277b320a7be506cb17106cbef2bba0715beab76c07

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
ecea494ca261f32f6ed6eb43455aa394

SHA1
84ba62c98a6589c5c6a8269846fa170e8e57bfc5

SHA256
3448e13199eec147088f3adeb3359fecfb97be04cea6fcb2a9ba7b80cfa15bf8

SHA512
75ef90db2efc6a22f712701492dc389b34ef1b9699152f182ef6bc64ae870c0ff45a026acc81f4b3bbd3f7bd56365361a21c9ad8b8e8663bf37cf345c46ff3a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
ac52ac41eceb05c3f2c6a43800f2fa04

SHA1
79baec87e34e090e6be63136499bc656158cac0b

SHA256
3805bc12dfaf82b5f6d40cd84e4ad89ac03f6d984e265a385aa61f0280e6757e

SHA512
4c6b31b03d1bb63641c4856a24bed0a8cb73faa6289c13f15613346ae6785c7c17d022ce941ac378010f3d7bf49010a4828b8ca3a8bd10cbd4cc5cd59c5a4231

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
3fcb5cc4ecf570a68dcbc5634118fef2

SHA1
e689d4fa755f2e859ff5ec66382bf34538f3106a

SHA256
654d98c18b7c84494c1f3a8a880a1f06b7a0cd8df1c50c499398a5431f84cc4f

SHA512
3512455042ccd9acd2877e55ed799970bd2b84dc86c025da37c7189b223705618d988de466e8568675806a474ad4a9078923bdf299162b4f788f45010caada77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
78afc0e469f186d9760b36414a36bfb0

SHA1
ce615aba67b3e494b3b9790e30ad819ac870fb25

SHA256
f01810b72e3158f21b14b3b1f298c9c1db810b95ff68248bc2cfe23843126c6b

SHA512
2424c142034f27ced39b5878d51f5306badf7bcbc8c565e4de002b805ca26face8d67007c47a88e152f99d5db91a0867008200290c74562528ba0d28a93f7abb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
cfadcaa0412caf9e9f02b4f33aa6c6ec

SHA1
8b6d79c64b2a9ff693a0baed2cc0949b64a4c89c

SHA256
0ec9eb856c3e8fb991290d6d03fc3994459beba87186f22ed0a69297ecb54680

SHA512
12677cf453a881a99822aa4e6df9b08cfae4720f95e93c1af5a6997b4ef7f050097a1255db96bc5f070bc23aa0c6d7d1e0a1610b40fe8620d8f6bc2c68bfc6c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ced41cb0afdc13b53ade099dc76ba249

SHA1
9ea0c89c32a95e4b77682781fac4a2e4c66882e3

SHA256
5eff881fa23bded7ceb05832e04695d6cfd00afe2559dca4edf2fc7861f18956

SHA512
f330aca48ad6b0038c045e499010260127ba39b5197c59d2d3c4b09bd531ab32a321453b2a50852b0125494bca3b996a4d881cce808bb3b642ead888c7ac7a80

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
76ccba46690c3487c86c450f8f8c501d

SHA1
77afce6ddedc82e187e407ab4c76a7dbded12e0a

SHA256
bc136f12da951330df95ba22863ae46e2743ce82959779cc92604a8d0c3b739b

SHA512
cdef4d3d3ab67d907639b5727c24abaf82ceafbac356f27ba026fde2325de086e8215d5caac2abf7a46dc80beda73cb1e0f7efd85e46c496b74132c11aedf994

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
7805e13b66e29bb384cad2678c16aea3

SHA1
5a4b7c2de67d3b3759d3b4197501ab0a8fa58019

SHA256
e0a05b6bea3dc1b9a788855e96f5221dd561dcc43ec9bbd9f678ce0fa55ea9a5

SHA512
9dd49bddfe090f5bab5747595ca88e2e7494bb3818f78f179e9e2af7495313ea6ae5ca8ee9a205747afeb73217c63c7563430c50555db4ae7c7690a0ccc90718

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d0c19583b2b963a0e6a8fecea922e956

SHA1
6a975a28d0b299254d889979c1b03438d75b8a58

SHA256
d1b4950775a72624d8ec660f48b9d41c37d29dbe918da58bf03599f9e853c153

SHA512
864eb383cafcc27e28f5ad2e977fd5423914dfb20056a7444b22d13d493ad64579dcbe0d210428c626662c21d9d43ffd9e4e1262a7cad5a1065c2af2809ea354

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
de0a62c14e41fd89a64df41a3c0083d2

SHA1
d16c1fc9baa57038e593257a0fab7781f5514b6a

SHA256
88fd1eb1af54021d1e282dac1e4e31049ac4ad5b1b8432710292aa48cf8acceb

SHA512
29cdbd0cb14a71fe8df795e8a74e291b91d42a7628ddc398ad1bf2df6903fc8afdf1569675a1445cfb0b113919a61428eac86ab3ef0abaf6cc2310b14140ad51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
17a19ef72e62206f0c0abd40e249a3a0

SHA1
136f74346c4f6d7ed2745a3697d6cbdf0ad1e1e9

SHA256
95596155594086bdc8f73cfcd338a6a95f6f38ab424f468af38b68e751c553aa

SHA512
21be4a4fa508c823f4054012d6fd633f86d796176dc5acaff09c51df8a150e0759d72d61ae1327df649813516543dc55da77a5ea75815848723156cb51b937cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ad3ca7335fb1c13720cc4b958bb3ad53

SHA1
e71196978bb497100f6b618f860806a3638acd83

SHA256
2e8506d80e34fa6633598330a0e92598b8aab025dfe18722425e7978dfb428a2

SHA512
6aea104f88fbac35d00d06ba8bf7925733c7328eb300c0b90ec557d7a6e70063cdbdbf312c3c66df9c5ce995aae40fd5d9dc46b6c9b6af94b319acc430949283

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
760798ad806e82a61ac9dd0e94cc2679

SHA1
c710a6ef4e5d08f2d0f8561c9fa66342ce1b4f19

SHA256
fbb7cbcaadb2127ac3e6d1c356b09e2f004bc0ca9f98a4f9328dbf89318bbd33

SHA512
7c2d09c396d648e977d62e4a0b1207da14e73f495b44ec642a6c2d85f5e6eb012e7c2455d912932bfad4ea45351d20a39bb983281dcfccb131190adfdf298d5f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4e1e458d8cb1d67f5b250729bf0fb3a7

SHA1
1cc37a95e9845c375878b70cd0b1793d83d5b77b

SHA256
e6afa6aa917bb32a19ba1b19669dc743d7f2b172a98f12bcf52e91b5a79e41a9

SHA512
b66abed5ed7472005bb23af6fe0161cfbadec369e42cb2bbfe9c3d78e73536585b8cf2dea66a138af14e3ca130ab2437bd22b664d72d9929b8bc3bcf8ad0a22e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
061d2e63efc6ab9277a6635bb066570c

SHA1
8252ad79a067f3c1f544df2cd63707c7ab3f51ee

SHA256
8dd5729fe245843c092e8bfe4334ad579df2ff8badef29c49a79bc1e3137cfbe

SHA512
835c156351182c4e4f4073eea43122cb6871c0f0a88f315256f5acdb77b5c2989a4b2afd840edf74988ce944e2857a04a9681cbf1ca70987e54b11815d216fc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
a8acf435e31ca7f31c1daa8b5790f64e

SHA1
55c40f4bc4a1cc08239e99d51c900610770dde6b

SHA256
bbc79e7cf5107d5223b340e52701969aff25b3b6a1be72efad1f6190a92c64f1

SHA512
badc9716b47ad758e6ad7541cf6e72b44ce7b9dee51c762d58fbb4ade0acc9e40f8f8ba9b9027caf277a12f7f598fbc6e45a896eb3f3867f57ecd03ec52a0799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
af2e5bafd28cfc0da1a49b052bbaca66

SHA1
66e32dd54331fc2b723ae09ba59ebe6b6f8b3491

SHA256
2da6a116ea46bb2e247dbe318e6b04c11d23843ca3e1e41288aee51359215b71

SHA512
bd7c5c76d2a8be3cd9ce65ea81445bf88e9412cb0777dd8dc2a0ef097fdf16f8ff09ba5891d8b16a4f7814a863d7d31e35f0f9710029ba9513355dce6b0774f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
f494517b836ffa6018a61d993cefe31f

SHA1
b494b463db80950455ac889f8a5dd3d1c4636f7e

SHA256
575efbf69b4cfc9eaf697c5d3250b00bee11d24abb8985689765258761335449

SHA512
8f4e49633b80bed2b19708547e8de844c09ef9c46cf35c1ede6e04809673fe53eeea24c98a68bfc0f5b1ff33bf98a0a847e1d4c261893d8aed0225590b033bb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
56df3b32b9e8f1124f4619d991601f92

SHA1
56ae11cc25a819f1cbba17a02c6a68a4e65c61a9

SHA256
8fbd17f78439e25cbdf3f2bdb8459e1da1196a1e78e4ecc3b6b657b846ec8693

SHA512
af7827137775a5176c04eaed8e3544e30cb76b4019bd545f389a3aef0e166ddf0bddce681fa012c3d025bfcd148c170b54803d37ce3222d0e7aa7a1405bc7ad8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
e74028a22a4cdf88370fe7b2d5254f94

SHA1
661486577fe2ebece6b570ec3c6c9541d34f9497

SHA256
b313f8cb45a3ac3bd74595f6510d3daa86232d628b66046321120eac312d67df

SHA512
056133d21c25413145c066d8ecd26def8923b6cf96cebc6b98add8a4d0d6e261214d250813b81d7fd301648fe6a297d4249cd0905366e5c8446c04a661f1ea34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
ae49fd5c2a240b614262310aeecaf362

SHA1
5612a1010e1d47a7f91424826870545db41b2d87

SHA256
558f6a85d8857cd63bdf79c28cdf391d43dd2bbd720c53f448fcaec3c6f24ec6

SHA512
3ccc2022a02f9cc4fbc339a8d5369fb90f7b964e32c48a97f57b9fea9f4408db52fac5683224d5fd2aff7a1e3a3c4408c6782fc94e68ed07e2b34632f9e96822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
2649f08efd0302ce0189c9353c97360f

SHA1
36429789404a61a5ccbab6d068fadbb12d934ee9

SHA256
20093861b7f29d334a9f3820012f1a91f8e615870ed8b9a98ae279aeac53b037

SHA512
bfa9bf50b493cb1f05e5377fce0a3adde3b36b52b6862be678fb0ed12f81dd30cf7396db20126994a4e6012295f4910f42febdd7e6091f125d95fcd47c684c6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
5a65fa1a61b6060cb08ae32d57c5e352

SHA1
b17e4e54933cfe414a816b3b3a78016dccffc787

SHA256
ca6a5091a55ac272ab1d4e9acf3d405bfa4015b025189994427a8860f2564f17

SHA512
20d6878d7770a7bdcc3fcc26c00ab211a649b0d255c6c6cc124a3b27be7303ab2a40ead47da32d224424033ed54f0cd69cb6da72f73cead4ce9deb5a0ae42f86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
9612285827a111fd4641ce49a694de9e

SHA1
3e8eda447ebd91e6a3056236d08e02009388ae74

SHA256
7ef7bd1889db73cc10bebf9cd20b1a052f646734500f3db981441a90fe12a488

SHA512
2e9bb592140856316c7c02b9fce7fc51733bcbe34c2e7b8b5d1a3943bc1fcbbe8bf3de4cdf15324866f22bae1fa7c2b423c59f84f71f0bfb14584e76ba5d8a22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
cf46d38b17d0d34e1a8e1b89480bcdfd

SHA1
fade5b904a0ff3e76d7bc7c86d9aacb4a2248aff

SHA256
1890639e5d3cdb4cf523ecc458bd8d12fa3018ec99a4ee245ac3a633c7e1afe2

SHA512
01fde1afa77471de33afc0c6cd46e037fd78d985183a6f62413222d1faf740de8eb660684755110ca6f894aafabb0994f47abdc0d0977dec5dc6637f62800023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
9c26551a36b1286077f03f0631c65f8e

SHA1
0a6efcd3eea05b23e157cfd5ad8c1a178a3bc334

SHA256
fe2ef26e3cf61d5dd726bc48e4e34288ba34fa36473df4451945002d3d80e778

SHA512
9dd737506071dc1851be0884a1c297ffc546eb6824e7cb5bc368c222c7109b2ac195a63adc5e3e3f2d5cb482e7b409c8950b51ae7bb841a0da81f79c27bd5d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
e3d12dc3f953043203117d2ed4fe7825

SHA1
27b986307ad3e9b74b36c7f59bf7bbc32a3b330e

SHA256
4651fe3fc7ead0a93c69e50bd8dbd55af50589cd3348e9173e312d39a4dbef68

SHA512
8cc5f0a16ca06b577b71ae143861a6aa6b094c338868f7439b110a187b1e1183dbecfe34b3ba55c939b8586a1887d267d032da20edced5a20b668dafc73ee53e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
f717b7b50f8b295a59ac0d7250ad5bb6

SHA1
fd426b0a4934ecc1fda1bdcfb8b7a4417a8300bd

SHA256
44faa270c6ccc02d1c10a44cdefd96a3b70e0fe5dac20ef5febcd33490560306

SHA512
67a3a164e43da10089d16be1ff478fc6740ca36859b38aa3929b4ed605ccc0b58cdc69c1763bc2d39ecec530733d039e12d566dbabf1ea631910e82e976c7122

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a0a05c28a88b29cd719b2d194c3f6097

SHA1
3376f7e601a302750572b4a8e63490561f540c62

SHA256
3fe1e148b7b5703e08bf93f7dd8d6afdbf8ace92d7c9139a0b1a9866e093eb0e

SHA512
2355eb9ff80c68b6e275a646f9077158d823cbac49182555068da85daeadf66a5e24c5f2c8f3577183cc9a75c232f74186ab98b5ce064c452a2a2ed953a59b39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
7c78ba0d58d0678e484db4c9b69ba467

SHA1
7fe3a020b286598237efbd8872190f5a04260aa9

SHA256
2eeb0a781de035e8d1dd7a03d352a6c75269abf9467495226f8523c6a2210ef7

SHA512
a526031331660be5556d00867e4258fee3db9c3719d24867bd0b0b03722148a174b1902edbda41143ff4930366871d38473b39c2610f225f24d9a000d73617f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
c9f5e4bcef19e2d958fcfc840d3ebb82

SHA1
c1411fa8e9a30ba0931a0e468d43d749b5d0e4bd

SHA256
8f24b09d958f23e61f99dc073fee8b0e03e36a6b99a25c3e46aa2033c75631fc

SHA512
967b8d61307c1ee5553cb32d4aabac38069c13319c169c8346daf1c1f1de9b16814e4f9c828a7cfdea833f2c5bed2b00432ac52c00f0142bae50eb34e1df72bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
70fc873351a02bced1e603ebdd19c7a2

SHA1
cf2d6f1bd1e293841feebf6d47a42d670f344746

SHA256
4e1b0f7b4af11f58eecfe2f61697591de870fb577cb7f61d53aa646761507f72

SHA512
357778379bbe8e1517cee157e97bc92709a7c7ed7bb73848e6a2729e80a577241530cd48d7d6bb25d261e8e5ea3186277dc0d51bbc72891d1b694277fcbb2b41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
c88c1551f811aa25268352cdeaa9d84a

SHA1
c06d383c8e99f69211c4b3cf208ba31167da867a

SHA256
3337920a062cee3b5026a4a03d030c3c524b4bb2c9db7554a8837dc8858c2181

SHA512
8f7730ead2190331cc3f2d14a38176c6c11db780fc811c42c0e25a5bd2d803d8fa0b77ba009f4261fe9cd503af25f307d5b18c79d831a518581c73d480eced31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
7a0f7eec4aaf8844e0fd1504c30e1385

SHA1
20db1dffe1f4c03f2e16a311a16d9290978a6520

SHA256
78572654e3564ab775e9cbc72657a52dfa428bf20a9bf9e8f0797144aaff57ba

SHA512
5e4b4438a877d56e166753df6205764c4879685ab26748da347c2592a4458be2639b9505effd41065c932272f7192ba71b140b7d4b2b77768c1c42884bce9e23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
06e5eb928514c3cf1a9899dc68e19c6c

SHA1
cc7adc69d9b03593c66d0903b3b920a44896d504

SHA256
1a9a2fa8866cf84d18d55a56a5795ef6cc392d3cf640392adfa457ba2f77be2a

SHA512
6adac185fa67a6e8aaedc05cd3504494d0643e5211101b010d39de9908cd5b239976b77ed77414775293a6c375400ea2c4e0b7a725c19134f9a7aa73b695110e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
aee2b3360e29640e602b825d107e2a11

SHA1
46583b638431fdbbc5c3bc141f833974e4d4532b

SHA256
d9c675b8d8cc4fd49f321c900ea6eb521264f1b312193f09624f70ea1dfc4cd9

SHA512
9bbda984b79981b7a7f3f5a84983cc52c90ba49c828e0722bb10995928a2644d4c38fdf6e2f3885202fb59b4f9391bf0da1d2f3fac41ef360d46b9b5f6e52ee6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
3eb6033161d52390d147e9d84ddc7926

SHA1
f7b8f084f319f23d938791b75da06a0bfd88d61c

SHA256
77d81cd954964365a46461c581a135771be2aa71871e544ce17a1e9547a9b6e6

SHA512
b77d3db74e171eaa38189e8c79a558aecb13d9d4b08c930c48e87403600b2ff195374d9da0840ca3d605f26e69691279daf9b48236f85c7545855ed0ae29e662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
44676d0c8de3b0bd8274e09aa37f764d

SHA1
47c6b3348cff5a70c6912f6764955ba55d48dd66

SHA256
75043ff541bcc5d203d976f9681c6b2262872890339344135ecfd82e2767b5cd

SHA512
acacdf21ff513a96d20b442c40c065884b58a88bf38947b4e6338bde402644c047cf0a3aa295310983e8594d25f3d3697e95ac5411213fdc3405cba61453aa1e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
4d09f0fc3395cd61c93111453b3ed8c8

SHA1
14953ff57b6a29831ee6138619975030edf1abcb

SHA256
a2c466317436af10af2876e8082ed135534787b0ba014c0b7453ba86bd49c9c2

SHA512
c7a9043d49d7a977d1dc38afc21589b481cba180d38a773e202c5e53fe0d36b06470c73e4e26c04dc0867bca1eec6204654b8dbffde67bbfe5e50f1b93322c69

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
117f8d0bc8f933e9fb3be1257bed2fd0

SHA1
b9841ac5900015d3d1963909b288d96793770e52

SHA256
89a85034235ed5d36fd59da3f4ccc9f16e1a8bdea244702a856d62628964ed6c

SHA512
09a2eef9b9fb8b5901604d11426ae1577d6cd9d4652ffa4c7deeb012468ef1eadb68b93427d23fabdd1e6d635b2a15a0f0136b08af56fdd46d8419bade3c78b4

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9f7cc4a2454cc910a7aaecb999f94f85

SHA1
db21179b794ac9a32e4bf9a823fd16e5cde2442b

SHA256
2b2797ce3dc6e85a3f26bc8089a628be798426557a321b01405452bfed4c1cfd

SHA512
bbc11fc00cdd51345320da56a16bac41f2441ac0d8744740cda9d13d3c417f25ad573386bd8b2faa6e80318dbc8ad3439b9c162f3501153952ca3eb7e33bfdc5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
fb2544ddd64806aa3cdf6ac22cb70457

SHA1
b849c1d626c9902f8c15ff78d7690688e4b9fc82

SHA256
e94e8490744ac03904eaad3c731c98abc9a2a84aa47bbff4e1485e8e7f067c21

SHA512
c883c13878f34ba300639ee5648458edb387a58f2f9122b7e623ab00f7d5a63315eb3d250e44a92385c877ce0b99c30a398fcd54d1897b7d38673df4c0c3f5d3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fb3bef2a4a356a63cd30b8a2add64694

SHA1
9fdc6b29d4e5e54cfd6b08f3f3dd8df5fc1b9805

SHA256
131455292266e32769bbdf87410e11919d4e0a88dbb75a5d54e4a1ed61198eca

SHA512
96c2d55e945829807ca8dd39aed5481f44fc8e99edc75ba3f1b14538c9bb5eefc5a651d7c738cf079e658177d47243b9f34b1ecfb6edcb487eab6ad222439049

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
37fe12e0d87b4fdcd377d705e81dcb43

SHA1
2cfb7f2c7c0799dae34838fdff14513bd2a52e6a

SHA256
24b42e467b80cfd00219c0aa4cba602c1909cb1e234fc44a6b285652a44fba8f

SHA512
b1c2fc433abd6afbd2540a899e13446eea3b066986caffa63eb3089cd741b6d31fbefe268cdea78366d30f9d1c176fab83b142516da8913b278283332469c4b5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
d37642be6983bb90d896c54362dde340

SHA1
be48269abc266c5422d9b7fc5f6138201e1d78b1

SHA256
b50535baa4b4e1ed084cde1c5a47124b3bf1d07a6c25208ef805f845ce107811

SHA512
525b586d6485177f5ce4ca0166f56caa263f2c676387866a2181e74f92daa5b2239fb1d393ee986f466518e545b57dbebf5e78e0ef2c43fd918a22f38b83c0d4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7261718dbc7f1be2b73d5adff4e2074c

SHA1
9e5e726de5d8e12c21d3e67d0a5a3528b408fa31

SHA256
449458db41a4bf9d4b6a1b9de9c1ae192a94a4d0156cbc153f25f9c334d4dcfb

SHA512
d686595cb7eee2ef677d939c8a481c72d772a174ba5e42ccff08e4d71e03e89b1fbebf86b4cbd4ac7ee6fb65f283a19cf8179620ef2c57bcde34b2a3c17bde1a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
5b36ab7941ec8fe4dce6fb01a52b1b36

SHA1
009617cfe51db63733b645f75c0cfe3cc13f9d84

SHA256
d73f85858fbb677effd75182cb1c53854464119f31166c059dea114de00fdca4

SHA512
b30317d4cc4359a608002e90b6e890923ca793c5e97514cdece4cdc338daf975018b1a113fba2fb1a747447b1fc69987b3a83cf5133baab63d9625e1e12d9b7a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
27e6e03f1e8e27c0fc5c8da7341263e9

SHA1
6a17964a995c1420dc68fd1c9d8773b50cc1d4f7

SHA256
36f3893ec96c58933b8756e5c1add61cbb429d180be41f9510160350a9918468

SHA512
704978b4a05fe97ebb3199f3d6699ce6c89359127c00cf371af87daa13f9ae47de82a681da34882b24fbf141adf25686f919ccbefd62eb26defbf5663d29a264

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d6bcd85f9ce0c41f68a14b4ab10d87a2

SHA1
dd466a94fb2327f8f99d6d3278ad06e965059612

SHA256
a7bf4deecc83ed65b0ba8132f1296eb843c9ec13f8aa688cc33508f4f750e4e5

SHA512
3d35193b67df03a4df4e193b9f1675ec7e33e2288e83f516d478e8eb9b3513b4fb28aeec2b2618bf6d9e4d58f47bae55817b1c1d179fff0d20e9df3e29dada0f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
1e7d14b7716e5dd55bceaed09fda9006

SHA1
ca6e889f793a6d1413a1f8624cf064720341952a

SHA256
dfea0791b2cb1855e3f78044c82c592aed9d2054d47e29f078c7dcce035998c4

SHA512
902846cd3021036a26d0caa34a9e4ca0e9cca01786d45c5bcad2ba4971d6325261e03c4ac7dc81ce217f41ccfda4b846c5ac0725225f448bb7445faa16318a6d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a7d8c510714e60384a4a3b28a9b39547

SHA1
dd58c092805c40de93b9ca29ddcbdf4c20f978a8

SHA256
bc631d28393456e5e4e08a7e76241d527fc07223ba900feff437458a810e974d

SHA512
2bdf3d449eaba858272aa5e37acf9b22013198eaf714859064388ed316a99cf31916b53f3a15b094cfbfcad95cee4702fb0635add4c9c9cfcb5749f9ecb01bd7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
baad364ad109438c7292188312642bb5

SHA1
29e6b7b401a0932fe62c3d4307d87b68fc0516d9

SHA256
29e32ec9cc92c352a157865a65a5509c4052fd5f44b6cbb1695e3d0beb08a733

SHA512
b6cc6c5f8ce32a012a28cc524cad144e1eb5eafd39c5dd8e131c17f0fc4f5d0b0c9493e74afd453becdb51659c0c5c1badca163e8db15d8047b8039ce1e56e04

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
fc964d890f5cb458bf00327afde19438

SHA1
e14f6021f869abfcc4363400e3926553196e31b3

SHA256
53b95afe3397d41bf5542bdf7fb9af434ff66a9fb5346566b91730d24e5197ce

SHA512
77c119633a52d718680a79a9acb03d78f61a48be48942c5142177bb22b3275697f626fb1e09dd0fcbf1764dbbb6c95b64dc8598b3c7999cb20b3c7d8b5416255

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
79c750c5c064dffed714d296379721ba

SHA1
66a7d9e56cff8f526b7c7aa68d039f52e82ccba1

SHA256
9f2e709fd94607748118f0ee1d132c6efb1800789f9e803ae56f55e0d0747894

SHA512
9f2fb9908c2f3e282b825e47458e9c7a135fbfe3bd7c94d4482f622fee8fca3d6a2cbd57c85abe58ad0016528d6ce849cfa249f2cff76f681691c76b4e7e394d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
951938af66bcfb02e7604ad1d2c5e9b1

SHA1
2e5fd5575ebd705ed8cea796ae7839edd1f83f72

SHA256
6d37bf36f53fee2130d05a6c1d90b36ccd9e02303a39eb503ee43edf9101c100

SHA512
c6c4594f02f6a709562fdaaab09ab3e3df70c8eadab757e510f71842747e9107a1dcde894c5ddbf4a8feed2314ce82cd31f741ca68e40d8c62027dcf6c832015

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
791a9f52de99bc3b98d27dc0a8f501d9

SHA1
02af465bd8856e1eb1f2b594c9dda16d7fa0ceaa

SHA256
2d11a42bad2cffe04dff108dc6acab9776829001b0c14cac001f9d8f68aa9a6a

SHA512
2533cd8c1328e33953c6c51bc8aa86f320755fe7811be1e65725153a84f159fced12af54bcd8a562a2e2804a68f26b6fb4a6a2bb1c1519dff650b22fd715f650

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
fb3c813b5e5e314cff9f151fe2860d05

SHA1
b81a111706dd4e8cc43d49a9db921f4383e038fc

SHA256
e8f5247080528bdeae91c45a3419d0559946dd9e80c2efbd17976905d5897865

SHA512
5022741b3dda55eebdbbcb5e4c5e8ececbba09ffe78fc4a79dcd2f4ef3110be927c35e4b571ebb906ba4a470fbe45ba34abd65049897c79d1b4db581d53c76fa

Download Submit
memory/116-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/116-609-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/856-28-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/856-35-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/856-36-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/856-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/856-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/992-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/992-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/992-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1308-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1308-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1512-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1512-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1688-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1688-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1688-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1688-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1688-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1724-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1724-617-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1988-524-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1988-331-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2100-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2100-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2124-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2124-348-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2228-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2228-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2824-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2824-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2824-256-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3264-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3264-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3264-250-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3264-251-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3628-68-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3628-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3628-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3628-74-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3968-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4028-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4028-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4060-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4060-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4200-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4200-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4200-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4200-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4236-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4236-618-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4420-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4420-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4524-14-0x0000000140000000-0x0000000140097000-memory.dmp

Filesize
604KB

Download
memory/4524-0-0x0000000140000000-0x0000000140097000-memory.dmp

Filesize
604KB

Download
memory/4524-1-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4524-9-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4524-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4864-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4864-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4864-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-612-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4948-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download