66f9ba0b1a1989d97d156330348b41bc3af472bbb44da3b587acfa43fa597445

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exe
Size

1.1MB
MD5

b29b2cbc3361a125fb3a30914dc85300
SHA1

8adbe621f8c6e14633261c724980e2c63b80dbbb
SHA256

66f9ba0b1a1989d97d156330348b41bc3af472bbb44da3b587acfa43fa597445
SHA512

0a238f51f529d3efb74f53932d32c16763c3425526233124d0c8f5d6012c54ed12e4dcc414788a1789201b98d881cbbc0b47b86431e5c7fa4e357ffe6d039258
SSDEEP

24576:bFvkQVUc9aaasW1et/HU9zPjeidP1Yi/dGyA:bT9LzUpLei7dGy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2728	alg.exe
820	elevation_service.exe
1500	elevation_service.exe
3552	maintenanceservice.exe
3304	OSE.EXE
1520	DiagnosticsHub.StandardCollector.Service.exe
4044	fxssvc.exe
3328	msdtc.exe
3496	PerceptionSimulationService.exe
5080	perfhost.exe
3116	locator.exe
3564	SensorDataService.exe
1996	snmptrap.exe
4356	spectrum.exe
3956	ssh-agent.exe
1156	TieringEngineService.exe
2400	AgentService.exe
5040	vds.exe
3092	vssvc.exe
3352	wbengine.exe
1424	WmiApSrv.exe
2272	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exeb29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ada23fe91ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030388ee9faadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d44ba1e9faadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c6781eafaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a5eb4e9faadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006820d8e9faadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ec0b6e9faadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
820	elevation_service.exe
820	elevation_service.exe
820	elevation_service.exe
820	elevation_service.exe
820	elevation_service.exe
820	elevation_service.exe
820	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3192	b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeDebugPrivilege	2728	alg.exe
Token: SeTakeOwnershipPrivilege	820	elevation_service.exe
Token: SeAuditPrivilege	4044	fxssvc.exe
Token: SeRestorePrivilege	1156	TieringEngineService.exe
Token: SeManageVolumePrivilege	1156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2400	AgentService.exe
Token: SeBackupPrivilege	3092	vssvc.exe
Token: SeRestorePrivilege	3092	vssvc.exe
Token: SeAuditPrivilege	3092	vssvc.exe
Token: SeBackupPrivilege	3352	wbengine.exe
Token: SeRestorePrivilege	3352	wbengine.exe
Token: SeSecurityPrivilege	3352	wbengine.exe
Token: 33	2272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeDebugPrivilege	820	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2272 wrote to memory of 2012	2272	SearchIndexer.exe	SearchProtocolHost.exe
PID 2272 wrote to memory of 2012	2272	SearchIndexer.exe	SearchProtocolHost.exe
PID 2272 wrote to memory of 5048	2272	SearchIndexer.exe	SearchFilterHost.exe
PID 2272 wrote to memory of 5048	2272	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b29b2cbc3361a125fb3a30914dc85300_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3328

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2012

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3c9e9a114c62b1feabb536dbc90a01aa

SHA1
7f0d1e96179a6307d7470fb8e64acdfd4d456dae

SHA256
6dae847c67e09cfb59628321529beda76eb27a6b7c3fab11b3c821e59f90e5cd

SHA512
766d52f3e1c5ee0de4f287ad297a0d37e89c760aab805d92652a9bb9c95ef4f20a069078b0261837b157111a62353c8f85fa0036adeb8f9d3358a59aa49b27fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
600d96dc5de9d70706b3073578df5dc9

SHA1
64567a5cccfd41ea300ca3852a161310a01f9537

SHA256
8f8e5466d3e71c9ccdd08d6133d49f7da17311f9a570dd42619646a8b86284b1

SHA512
307128b22be34ccaf6bd28eb5c43a5303abfb376aafb9371b3b385e09400da2cc289701137e8b6db0d9a1d4317d069ae5b00bfe059276d3f241d51516f0313d2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
efff355afe3714aca119adbcbafdc276

SHA1
f04e6a7c8b9a8706855a4951e8ac6539977dc853

SHA256
783c8ea7a4ab5230a9643328d66cc56a98eb82b4543af281a47494da508a4647

SHA512
de070a53ebaad43f56035595b5473b52755b82a05d9bb97c3323ad03f3bc9a8060ae1a40651b3f5567416dcf5ecf74b2de847ce2e726b34bca0c0ec1c1006824

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
5d9af01ea270a089051b0dd581176370

SHA1
31265c7546a4a133880d3060d565cdf2b943fd41

SHA256
9fa719fdd272c7ded7c5fdb70feb0ff31989eab8beb263d6e42e7a01905bc420

SHA512
1c9a50b8eeb23fd7a8048a58cef4083112a5899a840531c58b0c402f1a2f198264d77de5bfaa523b1b754e6babc92d983713f4278d92cf472b967a30b7cd7125

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ed7b46befc615324d1a0a0678bdcf040

SHA1
2934cec6a844b45021a208d40172c40c1105875f

SHA256
2e304127a869ac93a59628643da4bb5a15dcd11a6270a2a20dbb8e291ede793f

SHA512
7c1c4a221e322fb041c2ea1afd3c26cf7e7f1c4199d2874e5e332d7520a8e565a4492b7ee918a4574a856541cb7a6807990c4e0a2dbfdef29ca62e71d2b7e8c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
5dd477806f052a3095d29359141396fa

SHA1
b6d81d742cf62cf8142fcffddeed8b27cea1d34a

SHA256
64b52db89551e8ac651e472ea9820a1550890548fbbf4f3bedbc48dda986ca77

SHA512
e81e4b624f7f29fcbf3e1c0aeebe2b21ed5a43cc553b1a1b1bd43de86d43335b78f41a93aaaea6e9f178a9b4ac52524f479fb83d91c235ea852f1382477f6730

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a43a8099ba47c16bb1b3a4e740560d53

SHA1
8c9cdfc5ab0ce9741aeb904e3404c7a5a934a421

SHA256
529f961ec986c030ee070e0d88b38c68a7faacef5fd5eddf31d1ff6a936354af

SHA512
616aa8524d8e2cd50a3de2d007e8c77de0cac48004f4fbd4b3f08c641c424d85303f2c1c420dd16118b128c4a042f590cabca8cb2b206b358bd7a1f4b72d24f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7f30cc70f9a6ad3473ac6d19ff7e3d5b

SHA1
02cdcfcb452f7df8f67f99bbec5f35fb32bff038

SHA256
fddcdba53b7e25e7e1841dba6f4deffd6e40954f412ea884619f8cc5eacd443f

SHA512
d3a0bf84ca22459c2423e44603ca50ed792cf317f6ae93ebcc88bc53f049055ddadc98f9b82cbac92fc3e81989dc26213f011df2247d333b572037d592cc86b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
296015b8a778d7a87f50dd3381e31246

SHA1
d86d438dab77a4cbbd1ad25862913c6c6dff45de

SHA256
9c05e2a536babf113274f7402519fb60abe9ddaa5367f4990250063e22b64008

SHA512
d3f797e448eb0fb55f8666eaf3d64e97854c7ef48cfc98a0f9c771e9ce294764a8c3cd5fd86fd575019abc25a9e36696db07435000fb329c85e0f15081fafe57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c7bf294762b55a78d71701e26e7f02e4

SHA1
d8ced1c29675f59120fffd415be43761142d40cb

SHA256
9861cf9063e316281580dec8f6b6d48827f284830117af2256c6fed1b4a8caf2

SHA512
2c0ae5748c29ced50a061a1526ef9c53a0f6f428703d2ce599e6d27bfb5d0a1fa15539dcba935329894f208e45e3bd1c44c101a4f8ce9019030ac8b3d18957f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
885fd469170db91f1d8a60ee725eae0a

SHA1
f54d3bdc464a9e0269c2469eb9391c49b7699553

SHA256
62d6e5a85b9d79a113b33183e31e679b5d7dbb736689f3adeed9a6d5c2bc118d

SHA512
e396d52ac56e9edc24e824323b8771b0895e51d20708c3c20b65dd74a8f24a1bfa9082b05491a77aa78387cf0965cb1b7af7c0ae0c600ff45b7f7cbab95119b6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
017901e81a3ecfaa4918899867558f37

SHA1
3fb3b95a24479f8874552a8f904f0d95277d0365

SHA256
950f0c85b9aceae0b4df64988658940df7e011a08887645d21d5bc3ef0e37c0e

SHA512
2b3d4b7f0003046b75ac61d8a0dd6dbe969034dcf074cb409781e038915ccb922edecdc358450c07fff8355793b91ae2b30704c58263be5491610c17cd57c0c3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cc3de7d4729b289110e400f1d72931ff

SHA1
e183ce20baa39352ae4c3faceadd7946f87a0b66

SHA256
793e6a77e147d791c3968e0687cbef2189441e40168768edd0e90770558e5a74

SHA512
f4b1dc75169d9287fb8ecbbfa00674c6fa60541a310700a0df51a25649a628cd7c504b5c3661d1ab2c4e6948ace23032f8ac2c09e508a482938855af9851d6ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b8c727fdd306f3bc6de931832cf3dfc8

SHA1
7e68e876f2b49be011776adbf23c04de3bdefddb

SHA256
ac11a5c0a602db7f8c410209b05242c54a38fafc2aadcae6984681df40a64429

SHA512
820ad0039d307d2b308a9ff3bee7b55c127561feaba4e932cde65eaafa12e7093e7179df7fa5c679ccb68cddb17083233325732d086816f09cfe529a3da70352

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b648930ac39a095777a19f018f7b5b76

SHA1
de51543053185d4d663725ab7a479a82c027ed2b

SHA256
d60d0f9915c65d36249c0d65c74f0975bb0cd7caf9be3bf4a8d144adf899081e

SHA512
ca4d7718ee6882644c5a8008f03f3d94bf8b0333d955f9854eaa127c9498791bf58be9fe7080a7b1bfcf29a9c146e43ce18250825e7c4a875944b21a87679f37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6bb4745254c95e58258142769e03b6b1

SHA1
03880e20ffab29417537e21d5abb33e36abdf9f0

SHA256
e1895c1490d69d1ea5ddce3a0fc55af27843cf2aab63624308624827f2955165

SHA512
9a728417733c2f5a12dae3e64b7a8baf2864b23761f9e3bceac9fd099a69f0861b35e19038b321a257d1bf169b62d2257f6cb5c1e53f9b0581fc2a977eedd4e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d02910fa8223a3af513fad82501c2b93

SHA1
da3737a8b4a8502a90cb7d40f05da551ada0598a

SHA256
68a64000941f5d5db9d4e6f8955f808d8765ddf325d3e1de6288dcd8456d2556

SHA512
759632e2397a21666d03cfb8a91efc6d6b982ed8f3ce4ec9e25726d9929263507f2909daa66414f45aef01478622a911974fa98b3514eafe120dd6a4e4ea629c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9c6bd39197d10b018fcb7d384df68975

SHA1
c3e963689753b129ba53cc98600bc5e56a14cdfa

SHA256
436f8ef6b62a1c070beee2cbb783bcee62f8a58ef11cf14db3230b148eadb095

SHA512
8850b96e25d171dde67faf34723733d15d68109c8249db38bfc46ff80d2faea74639b0f5e5954496a05c3939a99b0cae335bfc7033452aee183a0fee0b32cbe4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
82109d85408afe14ac3dce481a4bcc6c

SHA1
c465f6562a9f45993897c4af629356bd4b14e149

SHA256
3f83fca482cb0d15a8fd604122dea4def853fc3208d2c07328373a2a34d83812

SHA512
47451ab6faeba636e43ee90be17d18afd5a742bc4968bf00629f464b8578eff5ff6e4c2ccd5ddaf86fc9f0deaeb8ae182801f495603ffd82932c0fe07da5b6c8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
e93b2db903504b89810ae2315feaa8f6

SHA1
da4291de0293dea6beb040baf8ea96ac7c693480

SHA256
5f232ca4a3ba3af58f11ba59fe3b2569b79e13c22fb1d6c82d20f5dedab87412

SHA512
501e03ad11eac8d0914f6d1c949b069b9b8ef8ad8816258cd82ee0f510c7749c69352a7e01c82ce61e43627ba6dadaae441ba5f1867efc2bb2ab30b8ea56a1b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
c4bc4312d34b2b1168b489a4f6579687

SHA1
97f04fd04285eb7629b5f2ce1215c186cafd7d1e

SHA256
12cc51c01a123cb5c154a0ec2f983d2531c1f2e0342b4b3d0e0aebe4f414f5ce

SHA512
5195c7819accd363ef2db1060fb9c084f1463eb16b7a806b8d9fc7f49a1ffb043f7301b4a751af3433591afcf2e30916fdfead7498cc7b423ee1c10aa8312852

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
c4fcffb19ba9166bc66dc8a3fe4c237e

SHA1
d7c94a5a0cbed6e13bb113487042d85baf0e9933

SHA256
ae1ead4ea66c8e2e32ed7cad319b338c510ea8825385275b8953c7a555e27950

SHA512
52e9b782fa2b4bb6a92826e0ce8b14afd2f0fda20eabc9f2083374d8564101ac8fbe9562e6307b6099b6f9aad646b7433e2af79fd15e7173c95062e04eef5f75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
791d38edfe09378281698f86311d487a

SHA1
469062ef93dc23fcc193e6007ef2df34435bf430

SHA256
28472c7ccb0be25f49b5764bf5e338832803cad2e10bb20bcb6964120160f88d

SHA512
364ca10f8e234f12598a3ab4240f023e069c15736a19836fad3da77fb03af564bb2ead4afd70720a61cb77e2325f85575074bf9cc8d0e841780a8d08c51d81a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
df9f8607ef219381a3cbc89c4411e7db

SHA1
6116f85db8be65e2f0b0c0d79c44a5120ea43b8a

SHA256
36b092ead3e5cca60413290757934ffd7f3911093944d66d90a186cdee24b550

SHA512
549cffa0b216c4b52bc1d2ed952e754c4e45787148146431825ba9f8ab4e75ee0a03a99c28820f3d3f0f419fb79509f3e413e71d15b996c76bd128bcb5b1c27e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
38f4f19bc5cda8459718916dd55e1c88

SHA1
424ef0ee8c552098b02eeb4811af366190258939

SHA256
5ae3a074aa79dc4a2d9c3e52f2ebcb5b4dae650a6d5d46f5eca58a3568dabea6

SHA512
2feeafac75e9a361f9936dc8baa171be1a6e26b908bbd0290cdeb95df9d27967c64016ba90a74a1e1a953231b48e24b0581d5bfd0881a68792543fbc61a01054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
9f81de9e3ddb591c5ebaa30b92e272c0

SHA1
c0eb5c8b740665850b956ea6f96363f4a7c30898

SHA256
54ced3d18eac5916a8efad5783fb2dbddf4041dfcf0b7eb1840ebd435eda8ec1

SHA512
8cfa6d31e03ce5720744dbf83126fea4060b267cce699e6aa5a053a2682701edfeac504f7e22b186869e6cecfc1038ab20ef3b15434817a331634458d2921a5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
695e585f942f5d9d788b2d44a1800c9f

SHA1
e595fe9608f0966375355a989ac936a1e888183e

SHA256
a0f608a4551643c627579081077bb4f16453f5e9fd4dbfa23625e01709e060bc

SHA512
cb6289a9a6af4462b40163fd36cf1fb5e90c5a092ce2b24f4d15a0a15e04e6e3c3de295e32b5491b1191e3d7331064e6e3e1b5c7ec7db61c82f758cc46f08c84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
125872687e3b2a20b720b42bce0fa3e6

SHA1
d3a401fffd11203ccbb53381265931b70a2a2491

SHA256
79e59bea9277d9049890d0df3ba8ac4b7c1fa978e6f62ace56d5a9cf15166503

SHA512
9319ef9706aa853dd6082345eef32be1234e6e855938579c00d8f8a10dad94fbab49c552c5317d78b3d72e53841664ac2469a3a229614d2e5db07bb6376c2b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
8b5ced863103e5c2eeaea0e8ff625496

SHA1
6ca0f21e467a8552f003f66ed83110f3bca6eecf

SHA256
0d9424e1042103b9fc1c449ab5de0f5ba94b1688ee44156493d1680eefb13a0a

SHA512
6c9bf27f0e07509fbf7d71bd82f6f54845698fa5a602932bf503b9b5f37179ffbdb76d473adf9a98791de7d46c3ffc40cc31632b630784c8d42c3296484710f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
e542f9a76902e9c3740d9e0e6bc3fe56

SHA1
e854abede30eed21e53b0e369ca35a4a4b257101

SHA256
6c9f7a754e3ef1c4c1fc479ac1320b529227657d6d5341f4db43026048ed46d8

SHA512
f9a500b5260696cc3fc9367ebf7ccaefac8b96874d43a22d75787e49fc69e84634668d3c89895f274951daf7e68730faf07965d8cedd6392788b17d750440103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
e7471d60cd038cd33ad4c895b63a840c

SHA1
84e055eb7f1f4de37bf05484b212300e89d3ad8c

SHA256
17cc074ad3e14d369fce373040fd940b1e4252da5580bf17f2e1f799cb56f355

SHA512
313d8db170aeecbdc9e8d8ad393ea45b453b952a97cce2babdd625e9f5281a974376002146f3b353db0a50e6b134210d7aa43e634f69d771c436be387b82af69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5b2f78bfb9fe9a229288b90a2cf5b9cb

SHA1
e465128f62000d65f119e391e9478a315f64266f

SHA256
e67270d0d08ad37187c680e92f53381c72f10d4bc19cfbc766d345bc121980ab

SHA512
f0013e8e1396abb940c183dfdcb98fbc6964ff99c5ca9076371ca3a879cc1e146ae4f7ca6b9b64b066fa9daf4a5709a7d0f4cbc4fb6934aba035dd8117e2af19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
85508aa3833dc1fb895c89b08dfc7b67

SHA1
dd78ceb65ec84bd41cc888f38788f03de4490f54

SHA256
4b8c2f74df97342640a9caabca42738fe06a8aeaa040608c5bb0e0fda396a579

SHA512
6ca9884e94ebaed0e55f08159135e26045de12513b4121c42d4397450cd97ebd6cb0b58d02e95bef0deb5fa524460f713174c45ae3a280c0c2a0b340ca51b6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
62504bc0c0e4f78789c3fe0da3380f19

SHA1
c223aad92b46f862e50b88a41edd4711782b0ebf

SHA256
ea8b98d5e89467c8dfb557eb3e5215b50c0d627a16ce9716b24271ae8b75f1fd

SHA512
370b5278fed25c527a7ab37e8616dc9d3919d2ebe7b999f66d9dfd692b094b4b46c388065f69e5cc5d25963eef9beac463e341d94d629ab7b6e7a526831fc6dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
f26cb0cffa316f7d776352b1f17afe7f

SHA1
c31ca3ef27f039d6c1722edf8ee41339eb5f5229

SHA256
7faa37afdb95ef1e8e29d8167c42012eed75892f22ad092d132831ba2c186a13

SHA512
9e510ddabec9f7f79999e232ef39dfa9644895e965a1608e7b487f592d83313b3b9a8a09656eb84dd40ee9e45d7fd11088788fff30d5d01605979a618553f813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
5b056668c8a4864376212772a09f1cbd

SHA1
d75e682082fc7d974e85b186298aa3c57a2a9640

SHA256
4f7c4a88cfa6eb3cb7a30bf677b889f42a1db67eb0c9469a710e578fd7a1d868

SHA512
78b4b06e94e31f73ff31dd1255aafef498d3158f84c578878161f930467e5e0879fa255ce46006c1a5cb65ae172cde98fe6239b5b3f30474ebd963bcfed7f8cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
ead8cb3f51b9344c7830e88b94d80ad3

SHA1
cbea4e597e57edf1e48f92f5c77858fb691b27be

SHA256
497fcd1029ee12d42e20e864edbabbc6a5e6acb3ead8f7d35950fa1e93feb5ea

SHA512
b7a799e3693b37b80ddd61c8423daa2f4035038f72e8be341dfa132a486d87c2ac707af3950e09db7500aedacb3194670a740a87d9b82b89915e24efd8d771d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
2e867d1b15908fdbe2b94ac48d0f5b32

SHA1
233d4181d51ea85042a4bc3723f10d9bd5d33702

SHA256
cc98c0fb221a66799673af611ab845417497056d58a35b6687e9d6c6f7e899e6

SHA512
924ea2efd8ea38a350eb0d6e35618efd29a8ff0ba3fc9cfd1696a6ffd2500db3b42f590c2f3018e2fba7704f76142d6b92e3188c47d9331e24a98e5bdfeb957e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
329124f6c542c1e4cebdee35d498d9eb

SHA1
2952bbae168e2b6b0d2ab284833a23c10c1bee86

SHA256
a2523e207b073e1c8eef968649f8762b19dc8fcaed04470df278a0b062290542

SHA512
68996abfb1b99db63d8e94e80f94236c9e81b9eebdc70df7c0bd0d6361a4c9a24dbf7f5bbf6fc353400f82467225e7c69ea5357c64279e1e4af63349b534a21c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
e56ba82fb5020fd98906d389285cb0b7

SHA1
b3070f32ed46258c4474fad72d39c17c4857678f

SHA256
99bea390272e9162a91f7bb469255395dc008c4422fecebaf598edf6a736c679

SHA512
e7a4dddec435e29a1454b7bdb27511bc5e62f106ced68e0e550c59f3bb5337833474f5b945cc75d2184cc923c059ed7c14e1350b5b805cb49ab71c3453e4773f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
eeb2f403b073a0a26fb1bbc380737249

SHA1
f0cc87552d16bac4a63ed8c00d3c9c1fb69dc2df

SHA256
ba5623cf6868f5339b9d915aaf95c424c8a7f7d5723cac257987887318bd6cec

SHA512
2787488f0cd364b3a929fe22eb18a1d2f6beb3a37f80480cbf3ba9696ccbe45b4862fedc129e490b596b31ee2a39b116b0d391f72e51d162c0eb68371db51bc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
f513d777b4a63b6fc454d6535bfec12f

SHA1
88128c88e08bde3fa00967c33d0b6f4bf5f1a971

SHA256
00c72803b13df0386042cc169b5669a7661e81a5e399258b69a3412e41c3c052

SHA512
c9af98c2798f6deabf19e46978ff391c005eddffb6daa879cb1f78296b2b7b8896f84a27aa4c8455c0af2fb1e123cfa76d82f50f2184d2d7287b9182d12a6810

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
49f3ab20f09e74b654c1c4cb5e378a79

SHA1
b22ed9be756352607e0cdd4b5964998d12949e21

SHA256
dbe5819ea97a7b67667a2e2919dcd7ca0165c8d2f4989883392fc8b294c9d1a9

SHA512
6d265063c09e7493670f2d249ccdf02c27660a68ad429e9439f744fa99555a8984a5eab900baccdd04c57c6fcb1797b2b3f058ee2324024e88c379f0eeea42ee

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
66ac298163dba0ab1b4c0639b2be344a

SHA1
8619200abcb7b4e876986c6eec9cc8fea3934075

SHA256
34c31b03477dd3bc657e5918060d28f583d66846fb4be714e7ce81973468b07c

SHA512
25df2cd2346e7f1a0c6d86f5c51b1f8f80fddc01a954815b550eacc676c8b383571f27da889f57e34178aee13aec8d23206aa4b0c8a64b6501243078e0cb8cce

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5733c1e8721304bc37557f3670b92b22

SHA1
dac23fd53c241fb904c0222901f48051dc8beac1

SHA256
02d93ca68af300d81307fdc07557887c2b8249778a2fca86d1333f3b00e762b2

SHA512
7c5947809fa3160f772a3783bd1a21c869cd5e66197a6ccf26315603987efaa871192e905c5bd93dafa85a8cb758f1c7a770799dbbc1af94ffe84551b5da3666

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
90e2e208a98aa4ee57032ad9e5a92ab0

SHA1
413f599957374e13c9daf9f93a2046f4c029cf9d

SHA256
e2e1b00733eea41647863db672b846788e226b297b70ae52005b652b04cab3b7

SHA512
375cdfb95a924b209c83d8e0efc5b6264a4448f863a27901a5fe12b7b117c6d899fcf2303cb76e707d9457cf83e529274f57573eb345c2c58859c3294dcff8c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
996dc68dc9187790cf36e7dd6e264317

SHA1
2d3dbbf8944f23fe53e491c4e34a9972c3b00d80

SHA256
451c7f780a32393af08823ae85ec72591d0a0751c9a46a90485d0fb6b2c77e0c

SHA512
79c9367f14e3614d63a257dbe1824878e80f467acdf1a7d83458538ef117cfcbbfa07424c02b8eaf0d1d04c038bbb78d0e17183d66fb0427a558edccec3052ef

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
850ecc61a120ff588fcaae83075a93ce

SHA1
9c07423d565354278bf106cb901bf31f6efe88e4

SHA256
c87cff58baac86069a9e456f5e4dc1bff168dcad08dd9327a32eef4f68997e90

SHA512
b5200c4f19b44008ddd658636442ff699bfa0893b1ef8f3e507f12055b7390b522c1d54428af2b144e95bebce8228f1aaaba28d869e022b166be1c1406e8138b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
c58032684be7595d50392cbfdd0d72b4

SHA1
c20720e76c90b23d7fc53b68e675d7c64dc5b388

SHA256
ef59fa99ce04a0464d15a527dd1895e39846ebdedb958350b65b66f405f2784f

SHA512
6c4b1c11ae27409fef4cc632920320b6a3e337d2aaed36bc04f85e7f1b36c276f3964c6346dd31e0223ffae790b6b9e1d16ad91812203c525b9c684b7a9221fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1a26ffc19b00c4db932deac166b2dd52

SHA1
8120dda814510869e42ddc80c8a5dd2fdbd037ce

SHA256
e4dc74862e63f6bf921d4fa3d98a7046da3715aa5d17fb126e97da7035c25f24

SHA512
66c43bec3d312d0af95dd26cf7cb69b02934924c5006df56f7fd8a09f6387ccbbae394b27b9b7d1f9de708510c5bbb2514c15499ab94873e888d54d53cdfbc8e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
886516ffd68c1113f4bfa5e9810eb5a9

SHA1
3fb1ece95119b8aec8f353cf070d0bd626dbc577

SHA256
12146a99430b7e71d64502c5d0808c96ba6c3a3baaeeb3640a8f113849844c8e

SHA512
1356e4d403e0b4b6dc6d7e06b03ee2782324bc903d47f2d19f4a58ea779235307f9780cab7aaa9fafbb15d5dad8b33111a9fc38238e38a4612de4a20939023e8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bc3beb519cf6780ddfbd21ae5b15722b

SHA1
b993b6546376dd3f108e248c996fcfb5d2095207

SHA256
734b5407b1fff0e0cc0f8dfd5b0168ac93d1ceb6c6f71979881cb15b78ae7b23

SHA512
bdcc1cded886033f40b3d8d34c6b15500d324d2221b02c540b6c9e40655b45820210b402625703d125a5835bf7b058c257ae360f2174066116727752099dcc53

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
949478bee211724fc9b664953c03dc00

SHA1
75feeec7288cd1986644bb2d1233f0da1f1a2a0c

SHA256
b9f25159d0fdd55e18300ec93b2dd69cf68dacdac9db51941ab2c9772c8dfa73

SHA512
0030a63ca62df568a02916682c13468aa1262ce6c55a4025fd5c950d8a297a74b3f5e25f38566e75a2b81b87228f3d2131e0ce0739afc284d890a2990dee8edb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f167e1d3b1e502605f5438c158dfdf94

SHA1
af8d5b80bd347d9db73c51cef30716b513f489cd

SHA256
7de5dbb00519baca0b6f3deb2c790a3109415bdc0c6752c6373d05b5cf778ef2

SHA512
fc1c5749ff2ec2b8831f6d4cc522451cb45edf0e345be6cb599667ee8f994ff3af51865de0b44b5dafa7189322ba28f797ede42049d84620d1dde0aa79b1f749

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
03b6816ea3d36993a4e8f6b5bc601d96

SHA1
ddf80efa79f2571b07647163746f2b3309799025

SHA256
d2f968ebccba2752d86fdebcb3a69ab0848e25d34e791e90ce5f0315fd973553

SHA512
0c956057e3931dd0a8d3089996865cfeecf0bcdea3566fa7b33c8a9604b3dd1161ecbfe067e5f64ef0f1bd149903217eefe9a69f832db3812fb196a6b71296a6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
9d0a103f13e8a3dd6ed2a0f2430032d8

SHA1
d0c3d41135e38da186d586df582d3e4cb2cf8cd3

SHA256
b95fa180138072b74d694c7849de4593ffe178c520f76dd68399d2a8e2a4e6f4

SHA512
5f4b1452428d462b145e327f3aeec54aee474a0a847c4c5930255fab69716cd9052d5cabb79718804f34851a081152b4e5e763dd8a899bf6f73217e720439aed

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
cd92a3d97d1b3a06f5e349390ffc480d

SHA1
8d1cb72fbc7af292e4c01e78e5d7a1bdf2a174fc

SHA256
e85653c49c8d1ccb03fe3e5b53818af72cfa3c2096124a1199ef1112274d9e08

SHA512
420401ab373629d01f474509b51fcbe14420a6fd5a1921ace7f00c4f50c8100e0a5d6e657e4b5de68fb5d1a24c8397890e1bd1b33951e2408584e72a23d476ee

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
e3783a4383a98638ae986cc49a68b39d

SHA1
2f54d2c2592fb57d9b04c0fe02f88b6fc41663e6

SHA256
6de1e6ef4be3b8b8966bc5aca74f0c7c252edb956d760f18e41b7e9920f550b7

SHA512
94cce12f0a71a4c1f07df0b32f85658237e4c480d6afe2befb779cdec29a6b8f956e71c34eed073a4375612a78de32d99c29773c4f4b2da91e5ee5481df5ace6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
866e31d6e1c3697f788729da703f1af7

SHA1
b7cdbde511c080f8057e3b3973c9becf8cabc7e2

SHA256
f262b5b4079aa60b4a5980771d17f35c19eea6c9989843f8124d8e8d39e97690

SHA512
a05de937876542ed71a86ee227a3fe77c3818503d00dba42eb53a622c333e6dd036827fd3749812a455767c2cf5917c5bebea0497d6e2dd2e9558d85d6d2ceb7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b60aec8bce69143f744744317ff38b56

SHA1
17a212f1e927e77372428f0ca203fd2bd4ec3795

SHA256
852961470081f3d26691a0d4134a06ca4908fbff8923c3d86e130bb477d07200

SHA512
98e746bdf48ebf4264f506926f25897f04f411c5facae59db86e1cb8279221795c05baec38141c1e9ad6c3f734ed53d4b043c09a018637dbd96772c7e9b8f7eb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
6917239965841ded43643b4b0d4516a0

SHA1
41ddcab20b7226213f9275587ff8eca9ccc4748e

SHA256
c396186cce88f4cefc018c64e64325c51220275b8478df3a694030e80437f372

SHA512
fd21e30bfab4cb477044fc34dd93f79fb1b4e9a5a4cada4dd8fba346c4d0c7b97b261117bc1d1c3a4a18ddcd5b8bfe5f474dbb9d477271bfea4b37283e623285

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
902328e1e2a81ebe8ab5220f43ea4edd

SHA1
67ffd60e547019ecb613b93cb2677278d0040b1a

SHA256
1f207bc3bb6c7f8d82fb37cf926b6288fc2f4bc88cc7e0d3cc3b12ba60cea782

SHA512
8970fffa079d923668325828a464ec6ea4a85a39e6f8d402452cbf393de886fc5f24d823a4cb519dfbf45bae72a799b0494b2f063445ad10f26b45efda4e5c03

Download Submit
memory/820-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/820-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/820-37-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/820-28-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1156-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1156-646-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1424-657-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1424-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1500-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1520-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1520-251-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1520-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1520-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1996-624-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1996-337-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2272-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2272-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2400-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2400-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2728-24-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2728-16-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2728-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2728-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3092-655-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3092-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3116-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3116-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3192-0-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3192-7-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3192-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3192-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3192-13-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3304-66-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3304-73-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3304-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3304-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3328-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3328-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3352-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3352-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3496-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3496-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3552-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3552-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3552-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3552-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3552-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3564-644-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3564-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3564-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3956-645-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4044-257-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4044-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4044-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4356-641-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4356-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5040-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5040-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5080-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5080-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download