cbaadf61ff9b972d68fb36e6b846806afa472c253c131705f1ec6bf8bd3dd676

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe
Size

1.4MB
MD5

f1c0698d1ea3ea6d1040fc7dccadc7c0
SHA1

8af23d98ad94120bbfe43cef52f3f21d716bb97f
SHA256

cbaadf61ff9b972d68fb36e6b846806afa472c253c131705f1ec6bf8bd3dd676
SHA512

12ba88f371d1c9790b6a6a1b3e7b1261648f4bdcdbd8a55965dc8f9802d027e227051556ded76e31f11e5e9c89c75ae54a3dd8bf974d2471b601b015910c2f5a
SSDEEP

24576:O+LGQb0/HELyxjb/BKSkQ/7Gb8NLEbeZ:O+iQUELyxjVDkQ/qoLEw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2108	alg.exe
1880	elevation_service.exe
1808	elevation_service.exe
5100	maintenanceservice.exe
3756	OSE.EXE
1196	DiagnosticsHub.StandardCollector.Service.exe
1464	fxssvc.exe
5000	msdtc.exe
4568	PerceptionSimulationService.exe
4896	perfhost.exe
4040	locator.exe
948	SensorDataService.exe
1316	snmptrap.exe
5096	spectrum.exe
1544	ssh-agent.exe
4572	TieringEngineService.exe
3316	AgentService.exe
4252	vds.exe
1208	vssvc.exe
1892	wbengine.exe
1256	WmiApSrv.exe
3660	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exealg.exemsdtc.exef1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\57f7d7b7e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\ReadRemove.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3cf920be2adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059781f0ce2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f05cc0be2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000086baf0be2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b48d20ce2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4a78b0be2adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c190b60be2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d90a500be2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe
1880	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	980	f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2108	alg.exe
Token: SeDebugPrivilege	2108	alg.exe
Token: SeDebugPrivilege	2108	alg.exe
Token: SeTakeOwnershipPrivilege	1880	elevation_service.exe
Token: SeAuditPrivilege	1464	fxssvc.exe
Token: SeRestorePrivilege	4572	TieringEngineService.exe
Token: SeManageVolumePrivilege	4572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3316	AgentService.exe
Token: SeBackupPrivilege	1208	vssvc.exe
Token: SeRestorePrivilege	1208	vssvc.exe
Token: SeAuditPrivilege	1208	vssvc.exe
Token: SeBackupPrivilege	1892	wbengine.exe
Token: SeRestorePrivilege	1892	wbengine.exe
Token: SeSecurityPrivilege	1892	wbengine.exe
Token: 33	3660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3660	SearchIndexer.exe
Token: SeDebugPrivilege	1880	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3660 wrote to memory of 1988	3660	SearchIndexer.exe	SearchProtocolHost.exe
PID 3660 wrote to memory of 1988	3660	SearchIndexer.exe	SearchProtocolHost.exe
PID 3660 wrote to memory of 3304	3660	SearchIndexer.exe	SearchFilterHost.exe
PID 3660 wrote to memory of 3304	3660	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f1c0698d1ea3ea6d1040fc7dccadc7c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5100

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1988

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0166f529cf9e166a7efe8ef6edaf7292

SHA1
8b95bb22e360c27d1ea30112b161285a26ea99df

SHA256
347a5306aa70dd78f7adc5918e591314bc2a68ccacb705244b34ae3f08a600e2

SHA512
89485e23e8a634c6ab7f7f34a0800ad4dc818828eb3426157889a806be41617a3dd5b12d4fec473abebccf8f27b03638f5badfab9f0eb06dcbd65e8a1d4893e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
7d23f82e3034df0e934f9d36d40a85ac

SHA1
640a36a275eddacb096c61a349470d8db8335683

SHA256
1e00832dbfbdfc11cd9c51cdcae722b44dec48b63c62e16b955e0a165227037e

SHA512
a08796390099af16bb1fa0137e4ed63e33c3b676e6bdbdd8db48d28ce864bab47313eaee4a9a59246469efed8bcc6084559a3e7b63c943bbbf4952956b055781

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
b5e5a12a9ddecb5c467b2fa2d3bf58b8

SHA1
ac6f9d52abef1a3d591f676cce32672b57c36d45

SHA256
e2184c60514489c659a760069ea2e0f42399a36f098f26e550376ac21a8432c6

SHA512
bf5163ec0627821b17f4f598daf0b35b255b69a3a1d37577f1f0ffa140fd3a93a5a7c2ffb4e276051adeb2b86f11fade094c442513ee1eb63d28a4400a2ea0ed

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ae1dc2c7f8e3b8977ecce466316efaf2

SHA1
4cf3b4c0bd3622fb7f965ddecccb3df3fc7a0f92

SHA256
264d9c5795df3581d42c3e49aa60587207b3e848a25c9f341ab8c3fadb86cb05

SHA512
896c7134b3b7f6af12415d6a3762ab97fe016bb60d116c51f2e18a78746f7305b14b4a846aedee8bad921d589028f2cf982220e3edd7ab4484d78b3f14394c48

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
0915c4be05c0bb9d1be3196bdb67ce27

SHA1
98c6d74c44dc8a43a4f983cc6ce4cb016b061ea6

SHA256
870fb06e5339e2bb5c3abd700c9c8467c23a14d7aec161e2cbbd938b115523a8

SHA512
9f7a916e12ea4f0cdc5d4912ac8e39c8efff77272a3bb79d0662cb6a2d5d75173b79c8dd7151602bc63685d74581f3f17c6c24192adc203e9e4f65a90e26ab3d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b2a4f44f91c02d0942a03f2189e2343a

SHA1
2bcb43e684193db8183355c12ce4fe4f9e226cd9

SHA256
8a80d409b01a190cc39011166152850a60509b960395069145cbffb35ebbd24b

SHA512
f1eb1605e4dde3b4b821ab1e61f4285e54899c916806d1c214ab3c5845ff798340b1ea8b180b84e2babd9cc81bde6b1910f77da2204b65c78a816ed0b68f3c2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
65f1286ff598832b0696dd44a5807fc8

SHA1
f3f5c3072d050431ed574be5f934a327d5d990dd

SHA256
7e09b54a1e4327824023b01066cc394487f87929f28c6529c9bbbd9810a7b41d

SHA512
03ad3ec3e7af34dcb1adb5958546d19b0bf1a45840049868e5f4ec64d8749ccaabfb97e16bccfa96a2531690c84852c78edc6fbb4984c02c6246dd66cbe444d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d4dee81c36d1c43fe81d56a0b8bf0b6f

SHA1
871fee732e460167fa0a456d1c7b909bf896350b

SHA256
1c97e23d580c18a70286fddfef8f0cc9f33abcc89a27f074f7fa3fddcd3e4fb8

SHA512
0175f0bde673d6fcd4c630216f4fcc53a8aad80345b5966fe221efea311deccfa8e15a4b86c1742f50b6eb868daeae76c9bf8c3fa9d542310bfa00eb38db3d8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
6c595fa03dd2ebf8335131c8f86a069c

SHA1
0007376e9f7573c24656a26c3b873388ca8366b6

SHA256
e638efc7ee1d36663e094c36af4503d014f1d6bb61d3c57c0c22a5609c678fa9

SHA512
910f22426fbcf9261cdd4744e59ddd13ade8ede68a8c77304492177b94edc23898ad159abc2382cc06512f9a45c56dea75aa04c30c2080fcfacb2d7aa3dfc7fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8c9a1fbf9515e221a960ea186e30646a

SHA1
90b4ef2a64346b4f77125092621684ac6e03060c

SHA256
84f9e752991f107f6292cb8b7a537408ab26e48bab413998857b5b9f3d2cc7e7

SHA512
4d75ffba60987a670c1576addd539eb7368ea77d781294502651e121b1f98948154af23d3859d9f0015df961a2d2777a42e9a03b858d945dfe1cfcfade39fccb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
66dc65d19dbb0c3c55404f9c7764d3e4

SHA1
a8d7c4a891a2407c4b97d919f12c40e9a318bcc8

SHA256
c20228a338f8964b89389f4f13dfaba96e6426af0674b24c5a95a172163b8af9

SHA512
4a916278972eaa15148d1f1813aa96b3bfcb6faa734d0e396698c90a0bc24fa73b711cc08f911a8129c71758d0f925e6cc2aec9af58587d252e43b5d32d1811f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
020153aabf69599b6e1410e9642d1e0b

SHA1
dc68b03c04072f46b5ef3b41c3b2fd42d4550055

SHA256
a8225fff8bb8574bad3d96fc33dff723a57ee0115506ac5a76c1ac6d8719cfd8

SHA512
b9ac53cffb44bb5a5979b0cf3280a17d2083afb0c161204ccd33a64a61994cead8d9b8d5e7f73086119ade310e97625a87d9d3730b77bb73889571efffd8bf68

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
aa8a4b56a8ed39771aff096381f33b30

SHA1
6ab9f1b9c94e3703537f55e5aeeaf755ad41e3ae

SHA256
e2176d7061333610ab8fe93ba6200a2414b1612c33626d4a87fc584ca4ce56b0

SHA512
1863c18767756187b2bbcd9635d6b2df76a3cd0b3e9a7ca6c2844ba21116722822f834da3ceab2c7c2ce5cab386c2a1dc333f99f1431637588e287eff23922dc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
54f52ce61d70027085698adb6225b44f

SHA1
c1ea41223729021dd6af55a8e4f5109a8681eadc

SHA256
555883dd4cdc0b504f4106923652fbb7b2979c06cea65c4933fcec92359d89a5

SHA512
f81c8d29443a5bebcf7ac9d2255bddd4952f26b293194b6b2d4f35efb2802a528a2915eac7d75c9fd7ba81d534e07b7a77166ba28c1f507c3041f01baa6c0ca8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
3525cb479ae09ab5ecb4836df234a285

SHA1
11698378afca6e3b795d287b2c27201bb6afcefd

SHA256
64e41e630c37c43ed0c14175f0662fe1b222d7e7238e3c90f9ea646fff28601e

SHA512
cb499462428801e8dede694a15012af480e4a41f820053a9c45282c2e1e267b388f0f51d42b022491bd0210ca3e6b3fe9cbf319c5635e94a9a42c1214d42d0d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
4121e1478ed0859b4792dd20f084fd4f

SHA1
8968b6aba8c14bac112abee31d273f4490e506eb

SHA256
9967f16bb2914a7af2503d0e33972199927e715ff30a7e9bbd629cf62a10e9cd

SHA512
6a9453cc99c9747e72f7128e08298a3d8b08a1fe3b2d506e34e598848071db78be4bfbb395526b115549eb1a17ae19509cdb18746b024cbd0f897b0034e14503

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
63f1e216abe06adb19abf2cb1fcbc25a

SHA1
7b45add0ba90ad3b90e4b5df47dd1b9a6fc167f4

SHA256
1284416ee76b844b13ce4208c6072f2c2bfd613801ae74a8a8f574e2da1bc5b8

SHA512
51f28570558146fb82809ff4d0899ee189a2e728b86c030bc19f7d82aa12149ee01ec29ef536f6228ff9de89c1fecf97c05869d2ed831d82ade750bb8ba0e8b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7a8a1b42ece58c4a8ba03169a1bb4043

SHA1
ed35d2541bdf79a20ca9dc6f238f9de8ab4bdcc7

SHA256
8b64b6b8753b2372b38bcdbc06f420b6bd0eedd4b10b7461a578b28067410b4d

SHA512
c8a6993e642a3ee29ff221f89fb273197a5197881d72bfdf437fae025920da0f435de01cf09c2e4181a8cf0104bcd00cda06f29fe2871c20db75c7afb8c0cce8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
18ecd66f7bfb513f6ae4ba460eb02add

SHA1
0dea839525a90e4051bba44fd860e19230e752a6

SHA256
507aa83e4492546fa2f05d6e7d5ed67c8e6f21c3bd8d63bc6d1f81b7f41619ea

SHA512
095157554b4a559c0e060cfc15662afcbf62adb4c5e6fc4f89a10fd14b529362a695fde66b35a38d88b93261fda2dc8061dfac549587f06050ecf267c36738c5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
dd65d327f450dd154498fa856b2b669b

SHA1
ea38b8a58f498b158d3de8ebebfc81c1124395bc

SHA256
274bde3c9d0081e88bdb1ab6c45bf919c3599303a0fad0c320e8bb45f6c2b9a2

SHA512
3010a301f19e2c492fe83cfc7d6f8dff21e77b9b5d6f7144489514ec5566b21bc86a5a1b3a4aba6f17f6389256427d93e1e2516c0ddca8f2f0366ff9a548dda2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8d9f14398f788f7b02cc1da06309eac3

SHA1
e90bc92312ac9cef1e9cb632e2eefea749ad33df

SHA256
d354a0d8ebcb60e2d854b3edd6f6bd1f89e152d461c076d03f2651471f64d76b

SHA512
4f36eca0daa3d659625105cbca61bff06b7252dcd2e8527351b948f872a89d348a95aa9d1e234c6d58ea9df98618c49a4ef0e294dfcf8f29533784e0189eb25a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
2d6c47994fda7114596a7c7270971c9c

SHA1
cb20e4a4c4dae759136dc933f9ccc884ccb2d734

SHA256
35400f015573dbc2a2b99ae5c089562ca84d80f72397c557bfda333697386f41

SHA512
421563e589901ef43bb162f29bc0391f3f50cd8a53d46d8c2f367e808aff25e19020c8ce23b0e8c0ed229ac35d7b0c15697548190427f4c91f9492a8a7dc3ac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
afa5ecf7ad9fb099ebb1a28fd8032110

SHA1
b93476281f98fff12a7a2c72a2382ee17d72dfb5

SHA256
1f5ae650e294b0e90c969bc8671cb684abb6de34616735444d0d135ee6426205

SHA512
2b7c4f9a1029dacbe9035a4fe0fce00831c188189e2d8be3f6d013b04c2de32dfd4f60fc04cc4267774f45b17ff2d6625d4133586fc8c0371ea1abdab7b57682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
94bbdb977421856c281f955515280400

SHA1
ebb576e36bc8f084c182b411f55f42ed347b2fcf

SHA256
0726122afb3bf3a313fdbc4f6a6226f96d789f62f7989d5c340f915161048743

SHA512
44ecb585a1ac71ad3cbe35dbd6301ab3360ad19360e8df540fbc3788d55ce6d7d65bfd83fef81ad8640b6caa1e3cfa1a95df6d1d232112bb7095bb3899e05014

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
6cc0c5b5e2180eaad95b3186e53e1c8f

SHA1
b85358a4a1cb3713b583d7d77621583a1028d6af

SHA256
cbfe44549f1bcee1e9dccba67839d02abfb56466306e4557814c5a77890fcba0

SHA512
f65f2704f2c583ce5b8bc630363cfcfad37c2f1282e6f55fcc75eaaba7cd614d00bd91a045b65b154c6d21dcc45c51a22d832c22a52723f3a071a48c0e3f676e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
d252a11a8a92c1ae0656019c13cff7e4

SHA1
d14c9e05060cac79198b72dba139b99143f004f8

SHA256
eca252cb00ac7ecda3f03c9320c9d059317af88089c8b4ae360c06cb35990998

SHA512
7acb9501262d8658f3d41d885fa42961eb2b369725ef130d59d3d966d1f8dc6be413f5ff6eafa23297e5e9eb06f1b853a53cda04cdf8fd5201211974b9a32eef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
5f8cc429a1795fb4e500b21defdb0bec

SHA1
4a999086afd6eeccae254fe11ee55a9d319de881

SHA256
79c292f5a2f1b8d17392c868698e78ec05849aed0b3d55912ee4159d8078588b

SHA512
9ad54841d95a2393194c5c7ad3d49d28fe0aa1a0f69d5ab5cfee999b0ac7bd9bdf2d10d0839b87f548971f332d8a8a02adb27423c5f9c438a73a5948c1b731ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
b90da8a0474e7f501e3a29057a98b5f5

SHA1
31adf140061902b8b77622d07bc2a9d7e5847a2e

SHA256
2f500fa424933d6ecc0d6ebf7b5de82ac4e1cab1524ae05fbc45d2491113377f

SHA512
8b8d207cc83e180aa74eee492f601a841946371a9476fa359b46560383304a627083435961efec2f2f420d0f75b1daf59a14f4bde74f551903fe928d9e58d5cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
dea6812623ca867ca6d31d1359ac18e8

SHA1
71d061dd18f9453bc1c9d9f941e9f950008ed5e9

SHA256
d57da0a65473639a382711a2a125bff240a27a713522c2262583935cb9b3a99b

SHA512
31c4bc2191b984a876a97a6da4df88b2140956ddbcf27a2923393ecd2edc96d037c1bf9bf9cf4a27315dd73e2af58fa2b4f7350660ff7980099c7881870354bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
a00dd07e8f3dfc6597479f420a4a04c0

SHA1
2c4432ba40436787498703896d1be5e52c533e7b

SHA256
bbd2222c4ef2c923135a0b3dfc459c913afa665a65b5984c3b6449573a418ce9

SHA512
b180c0d8706288363bd364d5c71cb3556864a4fa5dcc5d04eaf1a9841112c637a59701d2c63ecad456a97c11b56be1c6ab603a69600675b19c17e137722e3b51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
49fd9e627d5a38ee8844a25418c5ed08

SHA1
57903103f63a935951bf89da6de124b1b8a1a52f

SHA256
6487a76c3f52f672fcc3ccb9b74cea1d06e8acec33a57d29b988db7ff3f8227e

SHA512
e8fbe6edd4caa859dbbc08ad1e0d08117cfb87a1ec55f831ae61b2cd468b0d770fa49adcdc10742b2d0a7c3572a45f7967139f4a2f2f4889b94140245c21755e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
80412cb8eac9ff195e7c954799bcf990

SHA1
d501cbf9934756578b328424d07b4d4628354e17

SHA256
9038324c3836e66be887eef1680041c852d9a40845a968d9f8f32250997439a0

SHA512
71266a53e21ab7c3b5b711b53e0211b13b26330608fbe0dd621a9f21cb174ff6b318d115eabb369c030e1ae2652391dd264449c7dfd0162112cae3be038eac79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
c6ff8a7c3ec1effbde0e5ab03fada227

SHA1
3a43ba99b97e970389d028ea7f1511a762a636d4

SHA256
52d3f2e5a753d55167c4ebc072e2f7ed96737d29b589d13cceaf54156487fb23

SHA512
959538837f04ef0c55e418e4b7fbc75c52711311a8e5768da8ce72994d7aff4d8cc2336a658147e52f92b07a7d5ee73243f1e0f624233b3c6b615f09b2854509

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
1f2f19cd711ad8d1e6e96c851a2eafa7

SHA1
979bc3c3bc857ca6e2c893630acb08e61f13b025

SHA256
86ccc859a87497be51fb753c581eba02bec182f2cf305bcf731426ef3c5d5abb

SHA512
59dd8b9d2da1ec199c4fa564ad0c8057222c6cc9c2349e03eddc5ba178f487cf47d615f976c0326b71865d2057b6245e950fc12a80c2d350b0c5f1f700e4afa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
58b13c37278431e97e25818f52305fed

SHA1
4f097e0cdbeb1ebf9e98cfad277a52ceed2b236a

SHA256
6799fc5421c7f4323a54a2a0d403557bf827eef8cecd70d73cd2a26356cb3302

SHA512
db2278d99b6e5ac141bebccad14041a43b763eb85654ce73468c421a19460da49ee0fe50b3a409d984340be40820925a29a3aa93559bf4493129c9e6b9c144f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
4ea54df8d199b8ee760dde42b841ab68

SHA1
a873f43a95d80d2da2c0cac5e1594691e5b0927f

SHA256
e1de8ca81d4a4bea015839f5f491a56798a7c9d678324da43966c6360dc8d5ce

SHA512
73972c3dd5b333370fc4595fa5e3570fb9311ea638aebd1ed04b2f44b8b84b96e20ede927e25c35d04c353ceb629d2087d80603a044d9c1fc4304b018377c2f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
0673a3576750fab529ebfb74276032d1

SHA1
63c71e81236bada52edc0f2732236ea1fdbc1fa9

SHA256
481c8a5b38c1191e18bbd5b5606c003026a901125458db4a4e06e4b68531e90f

SHA512
1f2be039f810612d62178ff1bd127150867f78948ab8be1a1665a1bcd022a52067bdb2f72f7f157db195c8254b9c445348791da33812ab51d7575e4ae82d1f0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
9829dd39df895178de2e9b72da12b6d7

SHA1
43a9d29f1c198ae4943dbe2aab4bddf01ed2f901

SHA256
5a10d3fc8e93cf6239dc6763d43590ac19951b5beef7e0024150664878db96a1

SHA512
95da9a96df82d116c36effc291f2bcb545df108d300173440c2508fdf62b9a8bc9605d81f38d4f967597f14e247a24e5d526b8a265ba9c06da45f21edf8f66ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
d767abdc1737801ff24f6e5da6f5e4c1

SHA1
c3d5599df8a95a2f8dbb1c4062ca6bf9c5e3b753

SHA256
d6d4fb5436b3e5d7210fe4268c7c2a7b1fc23fc86d40ffcfd7d976c85852c8a4

SHA512
3b9e20f5298a823b961bce9afd60d8981a6d888a1f4dacb3111d301bf6ed6b7ddbeb9ba3c9181458602217df346a839330b5982ebd7d28f276651d9b26040aa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
8b7fdbb8218326214bfeaa9fc6a2f0a7

SHA1
acd9dd6a2a43388568d40743d91994bc8752061b

SHA256
96420a9d7ed2d0e6ef20214fd238ebd8bbe380b05342724415dd7b54289cb51a

SHA512
3db352d0584a57d9b666becc1f0adc80c1ab513f09c40ab7de4e1fca2fb0908e852846931115988bce380eb9310c87b6e3a853574ea2603c19d4be14c67553f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
09f8d89ac7ad6cde628a38ff119aec1e

SHA1
2b31465e0e241f2cf15e6e7d378b5599a0337bd6

SHA256
802fcf84c07813806cfc91a36cf2d6c7b6c3a55f99113fa56808b179c57521a3

SHA512
79ee655148a2d843a19acbda0cf50630da5776b8e6f7b1963e44d14bfa2cbfdaa272cb393463f20048ba8b44eaebbe26e240fbc6df8a515b441e9ed65df5ae74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
c46a14b99230ce7aa617dcfbd14f7ac7

SHA1
30780098d00d98e561b17e7c4600ee446864c381

SHA256
a907a1a53d18c5c4a7191b3eb20cb078ee95c108640bcee878d604ac6c7fb032

SHA512
5ee41ac59e8b894341a861e92808889a0749e8ea471a67d99bf85198f09a800b09ec83c5213945782993c0f5503329522ca1d26016473fb128e704bc70831174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
4461de7bbad3767a5d6d6d1188d401df

SHA1
be99920f57cc6c8566ca011770625aed28f1700c

SHA256
d09618a3c1bd91ed963c064c649bd1ee172f61a7a746e19897fbb1b74d4819b8

SHA512
d767100e8ca869dba73898e65e732719e47cc437c4ff3375d8f368f7f53900a02686a4ae9d50af4385d068720ae5fe79bfe4035feac0d36dbb0e8db9d27ae50b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
3da597ed57f685067669ba51b9a310a4

SHA1
450c4c237379dba7a62ea7c10f924c3cdf84b4e9

SHA256
0b5917a01b67d6192732adc1340dd3410ea138e5263383228117e1998d3e3b64

SHA512
27dd92626051db3ecaae0fd0a6e08e17a58a677f44d077f0ba922b9a4d6e9ebb6322eadcb1b43f0ea67375659b1da20d1e9e1340cda2900ff84eab06f521626e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
51b1fe0ee1be6f1d66a3488c5ffa9b9b

SHA1
a3466a1e0945bc62a33adea2e4e9c7833c18be2d

SHA256
3dbc67cd1fec09699d7534e4ced2fec3d1d124ab4140a2e52d67b44653d31bd4

SHA512
1640479a3fac2c3b9d6acf57d0df60eef21471067915f7b94d05bbde02751938f9c72a506f575e73ac80f9eee973c83adf0bc130c60a1d10c16a6ac946c97b77

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
18faf66e4d9e8bb6650826cd2bc3e3bd

SHA1
ba76dd8929e82d2eca06e838930227e7940d3f01

SHA256
d1d2baeb9666d62a7c6d1fd14ee6dcbc138d9eb3d5975067f1bf96d99dafdf5d

SHA512
798c8c178a33c83572364fb70e6ad775d9b0fc1ed42f96da8a3af8994b889b900469293d0bd00af11aabfa05fc3bfa5f5efc2d38b81ebaee3e7574e77371e41a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
69ee6f8241f8b1301821ac7c8ae94f76

SHA1
3413c61e83ff0e1eb311233a340993151ed51ab3

SHA256
84d7b24e14fd0b44db335423e450b3ec38d84f047353e29a5770b57cbd13a613

SHA512
8b4d0fc168b9ad2157e27d607e09e40107f9878d9f0fd998776b9e7adb28b7eef8bbee08fb35cfee217c488c61be5b898da8e395d26d9b770e896ae3c54b27a1

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1c342a6e9506a4f7de76b696c219fa26

SHA1
b2162184d6df2c16e3b12228387c75e387f591ef

SHA256
bf38de7b21591b6c96f0730abcee1a26f59f8e43ca8e706db2ac8331f2253be0

SHA512
863c2ff22169eea01ee68167470788fffbfa98d6174b408472e4b0a9753950a29c68d3c6097a52934677ce3fcbb43194b69076e86e01e4b618e85c5eb0777c22

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
c25988b9d7e831463c7928d24ed62e29

SHA1
2588fd58a283204b25d6717e7a7860897e08b2ce

SHA256
f6e20f846184dff85c8c0398cb261fe579ae6c16a8454bb8bf2cd341fbc2160a

SHA512
0a858eb6a3ef8ce238d000651f550a66cfbd999643ef5d422575a7c3abd4e5aa175a478ee4ba0b8bf5ae4cc5907f0164197fc68b718a017ea622abd2fd0929c2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9cf96b1a901d4951483d38d6e669574b

SHA1
623a29631d263cea8d9591b502f26a8f0f9d90ac

SHA256
dc26642c75c0b6307fc210e13fc4eeb3bd1bcb4b713ba0ba7ed7f22181d10512

SHA512
51dbbc17875bdcd19f3c7370dca03ac31fe38ee6f6cdf368711fd0e91c38d6c6a0366c1d94e5708a10daee8993613836c1ffe4c4dde43221bdd3447cd6cc7be8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1d513d7b783c1c787a14a018d1f00089

SHA1
d42e77c508a2eeaefd7a11a4bf623c04e1c76b5e

SHA256
32e7e6c0046695b8a36818c57230cca999b1ad67a534f84f5965e33c55526c40

SHA512
f866d2237bea1c440b3346f50b518f8487514f91414ddeab9167fb1688f1a6487120728ccf836a55751dfd03a775c984a8311174f56584cae54a2c32536caa74

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d1f646fb47fcae8f29067f8908b6c8ab

SHA1
675b3387351dbf01fc91fab774174dea3392674b

SHA256
bc805977abdf8d70287448787ca5e7d5c72d5919db07561ed2c574519fefa432

SHA512
064718528dbac3fcad5003b4cc78f2664f5b2480769da93775ba78caf5a624d1d19bf22a54d11c7ba7c20f3c33a4a3f4bda35cd743e7f81295c3e1d1da490532

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cc3add26dbb6ba282f72a674c688584f

SHA1
d61bb164a391b0d121d6dad8a88ae6c45bb4e5f5

SHA256
a6093127c7eae329a682a98297b9c7f9ffd0285c0686f1ad1783ece584fbd1c3

SHA512
43ac9afea8c48f581e4b71c0a0c516c6c6890cfb4bf2493ac2ff90de7a6cbb4c8e2b8cabd3658d6db075dc13a25a4daa4224a32342bd871b358b0da795d563a8

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5e8f71b05626217f6cc1ad65d9a9496a

SHA1
8e1709e9f354a9b4afe6f83d352b2591af778f52

SHA256
0c52ebb34dc11cab13a5a8ea75ffc19cff29cb83c61691f43db378ee1663494d

SHA512
ce11a7b3e6e9e94fb764ab21cd8827387b68c311b2d0b7650b448a52648d618dd37578f9fe8a9b0abb88e3236d1b6b684e1ebd092b805b8ede37bb96c11aad6f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2a27a0eb74c248ac124013db2bb53e98

SHA1
3c8183daa14f90ebebd08434400830a689f6d47d

SHA256
250bfcd4e5e2721b294b6a63848641e7df9b342e3600fcf940adb6c101015a50

SHA512
a06bf4d2f92b2e209c8239fcacd032592dabfefcb33d0b8466e0a993ca86f2ef689de4e3ab052cd3a6b5f92779fe2285a5ddd64692e2baff12b6e991c9cd0dd1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
515fce861428256c9f09935546068203

SHA1
0e925cb9e185fc834717a9a7ce620f103e1c8eec

SHA256
f3adb7b27758ff3cb6104b13d1492a44604ac245ef98bc6e47ac1926e10cd20c

SHA512
cb8534c1d35478452f5f7fd5a02dfe10e93e410e9e1ee504bf4bcb540e4bcd1fe84b072758ec7339aebe6661e701f311fc54c8d88464f422e9d01647eb058c03

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c6860fc416c18168a1bcd9faa63a7de8

SHA1
a6198bbe3512a5e6d331cf277c338b3a348e4dcb

SHA256
8a6a4a1587376148c5d536e261c828d420042201d9557a4cb410b81653e58ca4

SHA512
af8bf800e4e755fe3b3ce7b884e74887a5743f71d463d34187eb5c2f01a73aabbb97d944942f3b6ca24ed7e0271958f73727e1870bc9e33c525bc45b7c3b0254

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
b51799fdd381cb76a66a138779ed0a13

SHA1
46261659c6a96d694a46bada14ab876465ae8c2f

SHA256
c20a8dff61e53c13656ae2e7c911168f72f5cb4433a990921f71427f907cb8dc

SHA512
d528c8310f1e28bf1373fb63d132b50d52d98694e328e2dd89565290b8fbb617c945bece6f5a8f5f1fbe106b4674664cb12bb9a0b866945d4f680cbe7a9957d0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
0b624091b40e43f9c4f35cf9bb81b06b

SHA1
b7a9299d77099617743636372bf24c4369d14dcf

SHA256
4a1c3bbb4db85fa8bfdaab1c8cb3809f23a1328fe867dcbae40f629dc258fe66

SHA512
0ffc358a77f14a144b49e4a78780329932daf475005e0ca5b07e3c769adebb7919a37372a49b95f80634bc418f3063dd3784f53439dddef36748a115dbc41553

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
ddbf15278bf04c23e7361437688dbec0

SHA1
a98140c6a34716b849a3520906d5f3c11ffc2e25

SHA256
06115fe49cf29f2408f3a44adcae0e13a8daa64c61953e0ad74e87a004259e6c

SHA512
c25bb298dc777d829339d06b96301d87924d81958075912e97d5b349e155a8171b5fb9b75f106c8488d12d6a5803229e9eff2dc1c6f81e5e954f0642fa7ba165

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
bd852cbb6c88cc9d813f592ecb9dfc12

SHA1
2b29e8ec9be5239004bf87a2bd929d30af9e2a89

SHA256
a850764e655d3e5728975cad04221bef6e646a21283d6204fba49e2141428c20

SHA512
965cff8cbd9924881a01ed7fedc9241ffcfaf5dc3fec14690d5eda8755ed503ab4da42f0ba0ef9fc651669d9a6f23f49cf69195e08a409446942ea8bfc65a22a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
663635f99553cc6c51fde2f518fccdc2

SHA1
467033c09a1867c0146d0ef0536d295792795fcd

SHA256
d2ca3b5b26a43dcbe5b346eb20a5896dd1b91c208964ba7152c5be2ad764e098

SHA512
92c79c98085c5de0825a0ec5734e07cb4bb531778636db8fa91c613261b2d2a1b252227a1bec786bc46a83af1a5df3b6017fdf81a4b90d2d017e48d98600ad67

Download Submit
memory/948-639-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/948-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/948-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/980-14-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/980-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/980-2-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/980-7-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/980-0-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/1196-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1196-362-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1196-244-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1196-250-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1208-647-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1208-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-649-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1256-433-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1316-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1316-523-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1464-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-255-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1464-279-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1544-642-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1544-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1808-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1808-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1808-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1808-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1880-29-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1880-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1880-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1880-35-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1892-648-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1892-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2108-25-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2108-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2108-233-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3316-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3316-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3660-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3660-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3756-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3756-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3756-67-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3756-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4040-432-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4040-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4252-646-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4252-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4568-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4568-400-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4572-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4572-643-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4896-412-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4896-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5000-266-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5000-388-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5096-620-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5100-51-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5100-58-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/5100-53-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/5100-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5100-62-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download