4ac3ce9711018610dfa2314510cedc3ea80d4259a91a48fbce5ddd6b37142464

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe
Size

1.4MB
MD5

94548ec6630bf08382d4dae1bc6aac00
SHA1

c82253b7672b4aeba25567bc9b7153050439ba0b
SHA256

4ac3ce9711018610dfa2314510cedc3ea80d4259a91a48fbce5ddd6b37142464
SHA512

592c994bc79d282a5a6d13d7eb84b6ccb7cc30114d390c032f299938a7c3922869df6f6299030986daccaa27a1dad632bf71d81eff740eb0cb59229d6b95811b
SSDEEP

12288:ghMDaCZEpR85+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:gzkE385UOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4544	alg.exe
4844	elevation_service.exe
5072	elevation_service.exe
4860	maintenanceservice.exe
832	OSE.EXE
4164	DiagnosticsHub.StandardCollector.Service.exe
4612	fxssvc.exe
4052	msdtc.exe
4032	PerceptionSimulationService.exe
3672	perfhost.exe
2520	locator.exe
3956	SensorDataService.exe
3488	snmptrap.exe
2116	spectrum.exe
772	ssh-agent.exe
3212	TieringEngineService.exe
4872	AgentService.exe
5116	vds.exe
4952	vssvc.exe
1628	wbengine.exe
2472	WmiApSrv.exe
1496	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d2570d22bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005786e6dfdb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dc2146cfdb3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de71446cfdb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011ae3f6cfdb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092e3b66cfdb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4844	elevation_service.exe
4844	elevation_service.exe
4844	elevation_service.exe
4844	elevation_service.exe
4844	elevation_service.exe
4844	elevation_service.exe
4844	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	632	94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe
Token: SeDebugPrivilege	4544	alg.exe
Token: SeDebugPrivilege	4544	alg.exe
Token: SeDebugPrivilege	4544	alg.exe
Token: SeTakeOwnershipPrivilege	4844	elevation_service.exe
Token: SeAuditPrivilege	4612	fxssvc.exe
Token: SeRestorePrivilege	3212	TieringEngineService.exe
Token: SeManageVolumePrivilege	3212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4872	AgentService.exe
Token: SeBackupPrivilege	4952	vssvc.exe
Token: SeRestorePrivilege	4952	vssvc.exe
Token: SeAuditPrivilege	4952	vssvc.exe
Token: SeBackupPrivilege	1628	wbengine.exe
Token: SeRestorePrivilege	1628	wbengine.exe
Token: SeSecurityPrivilege	1628	wbengine.exe
Token: 33	1496	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1496	SearchIndexer.exe
Token: SeDebugPrivilege	4844	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4180	1496	SearchIndexer.exe	120
PID 1496 wrote to memory of 4180	1496	SearchIndexer.exe	120
PID 1496 wrote to memory of 3016	1496	SearchIndexer.exe	121
PID 1496 wrote to memory of 3016	1496	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\94548ec6630bf08382d4dae1bc6aac00_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:764

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4180
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3f31dfc8fb9ab53f3219fb7ef66b25f9

SHA1
ccf94ce5d9fe93744be07ac8d1938cc6450fafea

SHA256
161eb2efc82b9212f02dbab6f1b3caf2f9541613d8efc02443d55bcdf991a103

SHA512
74623503d9152fd18bc6a4b21f369014b725b2e8ffc7418a6cf9b5e30001628a019568627d14eff59e1df253395619ccfbad91520aa32d55e141abc9ad79612d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
fd9ba8c55d69f798b9ff2c6c7ff16d2e

SHA1
742b974e2e359f7b2a0082eb693c43a0987c91b6

SHA256
e4936ee3b963276ec6b7a6291f50ea00e5b420e183ae2b92775ca02cd7b0299a

SHA512
1344b599bdfaad4de03be178c039452ffac2c5c186eee3493411a77aa9244fa45e9b1a77fa6369f8bb768875606b4724ff299ad6af423de776f27dc1cd861ca6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
645b879146397d517b04dc1506318455

SHA1
1483dc008014fa48bac85c4bb57460956a6491a8

SHA256
462a89942823edab47ea972a96ff76b63c69872f470358b96bc00573939b5c13

SHA512
86a906a71647ae7eb6ed73cf1fc04ce868bfd569981c99a920aa7cca2064420165e70158f1e1f2871d18678970cfa0b31e99f18c78edff9f83874e09ce6b9c20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
427f7a159d1299d446ff6ef42530cae5

SHA1
484ccc468a8416369b2a5cdab9b1608ca6030668

SHA256
41bfae53920bed194647e3740ca1b384c1dceec1ad2b92d130b4f742016c1d5e

SHA512
12ad295d7b3b9ce798f572cf4fe0d3ff8f63c92a0597858909ea60578700d3e1e397666932090a15c447b5ed946ebf4e21dd23afbd4ce6e32b4bd85dcd970514

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ceabe7c1a1617087767a531f59269aa2

SHA1
868fdc3ff39e769663889a4d1a72f5aca303bc33

SHA256
49c529b0b6f85c64d132bb94c89ed602a45d5b7aa449b9cb5da41d76c9584222

SHA512
d580a0ca25e3e954ea06df4aeab6d944e53aff7a18689d1df11f62d17cd218f87c3377e8f520d179c3461a5e515016b889367da011de23f322534a89efbc5d2a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
a12f3fb5c785fba1fe3d1d65c20a0232

SHA1
565db89b81bc53fb73914a63ebef300cfa5fcca5

SHA256
9eb139c7edcc3caa44c7e5f5fa989e532fa9601e98f1903d6dc916c77c663960

SHA512
25306923c4344940032168eeb72659337fe1b52c20b355e946f26028aa354f23ac1e0608093f2254d92a30e61f69ccb449e54d4affde9432d03539eb61e47ff4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
cebfbb9b8d1d1302253f08ed54f198c4

SHA1
c6163b1a8b8f98d0a496b17484e1ac527abb9035

SHA256
5a32aafb24e5b32a9ed52f3f07bab51f3bab187937724a5f15e6177943511199

SHA512
d682258a7e0319c20f93f24911d7d1b72585f769fd341fabf9323da988cd533ed8bd3f881e272a8ff68a916b96ae3b20c08ab6ec2deff194879b78a7dbfbd10f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a161a83676d70cef75462eabdb83cc12

SHA1
de86698e52d181dacaa6f0d7c4ee6b011401cef2

SHA256
d07af25e2799cc5c9bb765aa3d4b21b66d9b9f0d383e134825fe60fea831c992

SHA512
deccf38d4079503a36f816f21d99c75806fe84824001aefc970dcadea448378136ffe28f3e82fff69691c8fdfb0d1be541e31426f898bb8e2f735f0cc9d26323

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
196e72f9fea981e7d4ac5f5b57adb0a7

SHA1
bee9dd690cdeadba04924a7cd7bd5cda2a32445a

SHA256
6d7b282998566abcad0bf32283b36d70e248e8b71b4b44a033779328128d12e8

SHA512
1e8b250ac4843d6feb3770951c605a66393d97e2a34b463f82051cf3c8f452e88ecba625debab35f6681fecd094bbaa6b2fbf580e8d97d88f23252e56e0bd2e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
44ea198327b30925b29a2624094ad299

SHA1
ac051bd77701c581cc968616e5c278fb1272b0bd

SHA256
07ab05511e965955298848a7c00623008d4d0a5eb124920b06f2a582fa798190

SHA512
df6f0c787b0e48da592c845eff92e67c83141e92540ac2d8ea1b3fb2aaf5323cad5eeef61e1c42e059fc0c341547cca437d27abfcf855808806993825b4f0c61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7c95fdf636b5a1fc0fa5683e9864acfe

SHA1
88653117d082a794b0eee07ddebe6082e30b8d77

SHA256
375167a9baffdfa6b4ecd060c72a088e598a27b19b01cac6576d5eb09e2dd3e1

SHA512
1b959ae25e46767ab415216c4af34f049f0cd84468eb1e42b98dad25a53f3e203e5eb8576b766c56592b864b973c0f190821880e3ee786bbc88466bb6afa1156

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
51733e9b8c02bf3d973c3b62e5c20d8c

SHA1
f32683da5b44239fd4bb797776acc7ac2e414712

SHA256
b134af1bd0a51263d206d1c892f00b4068b0fd0aefc15b577768e198bea13fca

SHA512
754a781d04dfbc0d3dafe25210865ae44cc077766f493a0e8001e9ade64a4c5d12ab2028f0c583c2f70852dba7ee2ae1a7b103839d47d2af1b46f93de457bc47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0f4aaff9ef0dce00ab9bdbd4ccf04082

SHA1
2352ce3292a634b535331b47d1501a957c6ffce1

SHA256
3a62abbb2bc39c7acc558ddb013e0a519ea2a7d54e357a0ac8b18eddd9564eb1

SHA512
b89ddfae8842ee612961ac534b87c47d3724c66b86c4096fce5950aa8ee124ad04881a20855dfe7d8e89dd12c0a674e59895b54a876436da7e57d22a1379e27d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
50e7e139a67e1313053405ec232233b2

SHA1
57d345414453b5783f37deda0002f7d69c456a5c

SHA256
fbc9e4d9b844f7e54dbadf1d3e17054cd8f05db5dbe81f28df0da58ef0979ba6

SHA512
9c977344a41d5950cf48a29222e525a720323058dbd1b7ec0a4971afd729c7dace27496597f60918498aac1fca041b52fc1bfa8dd3b35044a991fafdc89d0627

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
393e002a9038a7f21c0b0822f49948ae

SHA1
250ba8f3d28af30be93f22f9659de5ed92029d05

SHA256
46e1b451fb10bcad173ae766283afeb4c0073de6187fd05925ff4f190f5509db

SHA512
5e1499c094791ec22cf49d12498c1a74dcf52ca4c21bedec1477924c5a6f8737904f1736de97fdf2abf9d9bd413cb98270979eab1e27c8d2b842fe55ba1e20b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7c4565b2a12fc812099b04b1fcb891ef

SHA1
677bb59be37cf84981b4d0573e4e579fa7dcfad8

SHA256
bbc1543c8198b2b0325f6ffc96e30a6e5ece9e3af94a1b340b1f35e45acbe89f

SHA512
1209c51b4831bf435f6ace29f2c964dbdd66f73b714cea840409a38587f6118b59955d83168a6748efcab7be5870ffd17e92885cab4a2fada952ca3e0cfc4218

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
49e1c56e01672e56ef89a3160c75a59d

SHA1
2571b21e06af99a8cf4d55987bfe8840b26b0dee

SHA256
022bb3093ba9b3239444467e2c26de6a56bba832b65de18b568bff45a89865f9

SHA512
23dbae3169c31299321fbf8519d07f4ad922bee643232d232ceb31cb5f5b5b41ba9c1447811b351a28ca96af3044ed0adc8f59e1ea4e7920cebd9e8942900de7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7e1ed145196469b068bf94d52b21088c

SHA1
79091c4a335f9bde2b0e56b3ad603cfe09028049

SHA256
318506fd997a9fcd49cb4a2591aea2537862c409015511f1b993d579cb0f5df9

SHA512
04e8632f3031279fdaf2f9ce496f7c83427b4a4db4c6edba10735107e3360c5fdfc2e430b47ca94ea8d7a2d430d68e570070f945d62312b45a1df04282611dfb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
47124fac47d44a5e31576158d128fd2d

SHA1
9c83774bc85be6426a4aee58d0cb6bd4cf29f0e6

SHA256
c4271e1d3b677eb0c3d0abf091869bd19c9bcb7c45bdc287396dc3b675114f9e

SHA512
46be4d28301a95c240e13571042caedaf582424d6eef457ecbecdde9751e48d68f5d94e0ba6092f1d13fac12c44fecea183181f0ed3e66f38f1dfcbb052c3a3d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf5ac06de6159a8709d20885a76f1c83

SHA1
09a2b14d646d270d55aa0b74ca107cdff1601bc8

SHA256
e4f3438ed4ff6e508b83dbccf9c6a2cb0a3d1b8bbc2bddbe7b4c1daefc041550

SHA512
e64b803e4efdee2ee8e878995dfa12173d2824ac7f1d86045c73d631120f0cb662e6fea4f8e18e8621b9d33d96c0312542a0c357990c7d4077872e0e927f5a85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
11910ac7d2324622ec759a6547372285

SHA1
ef7795c20af86bf8dce677ca94123b6817087b1f

SHA256
dff35830308daee134467efcc07829052e6c583586ff98a566a8933c29336a8b

SHA512
bab8e9332130d79080897317d907bf4779e179e137c589a5b6a208ac24eba974e1cfa3106f2c475ce097ea3dca9f1ae69902444a752bdc8a0fdb972d49aa4fff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
7576bbeea2e9c44d36c06edfdc7fa207

SHA1
e90d5ccf271c17b85ea08e5b2f0c4895da59edc0

SHA256
3e6c7fa27834771c129b5c4900ddf978987a81b970b8affa35ab1f3574ce9ec1

SHA512
9ced64abb0c912e2017a4bf6bc1c4089c00c812fbbeadf55549027f90c757e47f6a3947511b857db52aeb23e3957a1627714fca6b48a31af0ed94baba55a2aeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
6b321c5e48310bc91d3d3dc4cf24d13c

SHA1
67c8997ef355ea470557164ea912eded42ce4e70

SHA256
17a9429634d4b3bc2174e1512343c2b97d19217ba1ce64072abe9a68dd71c34c

SHA512
32ea1cefbdc1de397a4332c23f29e1c8c5a2186c196f1a405a3a66fb8e953bfa759e24072fd2001114b4ab7e0deb5429b751b8f055b548f062cb07845683d7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a96179ea07f07c9260526374a2529454

SHA1
e330f4d8f0251a3bbe2657e361a7f4ebfcd44e2c

SHA256
5c61ab03b68e73dc2698ec6e02b51b10c60c0784a75fc1a7b68b96fbb46bc4d0

SHA512
42972da2ceece4de5667155cd7ac09d828babb6d2eac4edf4127f386d4f0789bb5ecc3b3ee864fd60b1f9b39c08de501ad6f4d5f1a8bd4af6ddecb4c9003b655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
c4a896dbe20543c7da7e121869094ef0

SHA1
123d570b71f836fa000530250b0e588a89aeb4ea

SHA256
02f0dcf45ba7117159017225fedfc0eb8cccfd9035bd00bbc1f6cede73ac7fea

SHA512
ae9f007eaf0ed7f7db7fcbc8a38971d62baeb6c23460a6b809f265a02fa5f87a1b9bf8c97f46e9b6f1e58a5e64dc26caea5cbac7ac3e4a226ea86424ecab9023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
e7d0c5f17693c1b31e866781429ed58f

SHA1
e0c9c7d9e9a613426a81d79d4daafc6dfb7d3a83

SHA256
7f203f72c648fa353ee415fd9cc92c39693b95a97b7b1a7ff3fc0ab00b7f58ad

SHA512
6d567db0100560ef3023db1a37fca0ceb173ec258a109c0f7d8ee564b39274be7365292d038c644c17d35ce56bfcc4f55b7cf6a8bda9bc9dbfadc03d8e2ec26f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
dfa05c22de6c60199e6b40d43b0a790c

SHA1
06a812c6f54e5391f4a1712d341338902c0aa5cf

SHA256
3e0c55f7bf94af308e3f2f2261fa80ad94e3430db4cba9a38f2b2559e27e778c

SHA512
62ddc95e40c4ecf298c08bd19bd44a28f919586a785f466c6774c4e2b4a8ab644befdccf43f2abd0ade88cc8bf2b12531854372aca69077cb927ab9c935919f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
c1e4a9ac1a2b8f012b345f43372a8160

SHA1
aff8a25a3c59e3a79e2debcc7d12e3f29ccc1353

SHA256
d601188685e9a2583aeda778a338a79c78beaf47a405c57e7a407fe494582c23

SHA512
e04a350dc1d31f082a5beded3ce71b44faa68dea006d785062760186ad605a1591a8f8248210d1691cc5f656920edacd120fa748aadc3c198a234df88b49d563

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
c2c2b8f064dca7be36bd6c13146f8eba

SHA1
2de0c6861535fe3fe33cba356a8c5104d6ebb8a3

SHA256
ffc1bfa0046627a0f5bf6ddd02a9560f8c6580779fc7084c15ebb651cffbf1b6

SHA512
173912dbd5d60b10b185812a5b79498f0de4bb18c416be40aafeac4abb37d31b0954e9c3e8622667a0f5c050b954c7ee64138530f47c5fd8b04892d42e8ad70f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
dff66f32e5b9ca8297f6d9ab0b32084c

SHA1
09dc54c06146ca87cb21f2316f324627d1a862a4

SHA256
bad6661d3f8c5355cbfbc5666ca357831e12a9609cfbd66b1f8c21faf0bbe50d

SHA512
1d120f3652cccba53217210706e25b3c2ef14f517ccc041a606efc2b4dcff4135b23fbf22a3e3f914706d59c65b7351fd0aa9f4c442f0a9e2ac4d8b284b40ad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
9df8697f754cbe57c4a015657992f0d2

SHA1
befba6ef06d2dffb29a7e64353ed56c63857cc0d

SHA256
948630f7f44d8e5b7dd39332cbe1e65187027d3a328dec912f7c955dd2f9c0fd

SHA512
558efffb150b67a81296603f9a7bf9c33d6098f717270f0337c810d50acd8c31b7153d035e8e02ffa7a43d8961e5286484bc2187eaf498eeec7703a308f73a99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
e78a02b5bdaf34585f02d55b075a5f9f

SHA1
55af4e5e86e16254c11cf58e5b0d7d549da23611

SHA256
4f3d9f67dedc95dcb18091726803bfda9e62aa42b3abb0e91cbbfd2c285e6776

SHA512
cd5b56b8bce500ed47e7b0188c73abdb2befeae8b78c329ff2252eb8d2845d851c2ad12a04de6e3f5369ec9926c70468d8a211a568619c71570669aea8a90096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
a28b213c70f4a1a4a74ada348577c186

SHA1
9ce0e3d84d3b7a39327234f13f88d4bf8ace41f2

SHA256
54066baa827f2a45edde1301379bfc4e8cf29604234fc4583b96791f060a721a

SHA512
723cd1806bd78df4fa8eaf572f26b7b2806a6ea7ae018f3939891e75c12c153bf4f1a8e5f2363d116173b6e34fa04e37176939aad63097af427d5790c6e00022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
9206f8d12d6711d44a04936684c918e2

SHA1
02fd4fbe543335a364c322d6aee15ce7857263f1

SHA256
82c20d07b8f0dcc32e86cb1a8f441846e6fe1a6ab4f27a3a975b702824baa7ba

SHA512
10d289d292b5ca0324d6d9028766495580d5e0e20ec22a965b498b9eb94c51c1e8b86fe60c77d55a1fe8b81d0275de70a8fbd789e1477a0e5029a3e75cd12c7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
ce24fa5929352af3ecf04a21d7441d51

SHA1
4391b134d6cf8c92b5fc37f333c09b3464817463

SHA256
dc4199a352aee60cc5feba6b5d4f4011aecdec32baa3137ed14fd966ca3fb60e

SHA512
1a43413cb2af64833713b1e580ea136581d89b0d22ac88310171c2fe2bdfecf3a336845181ef99c32ae6969d6771b00056de023d076356f2df1baccc5c162fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
cfdb7545a52c3475ca1d1a342d8d9724

SHA1
f8e58c88134f1c62d10d05035e9919c6ea0fe02a

SHA256
b642f123c247660402db5facae6bc1deab183e6cb0ad2383c4e607f2b06b599e

SHA512
45347377c76ede815474e833982e724d0d6050e8a88d1f52362a3ba40253a6feb987f66710726fcdaa784c37f380b8a98ca0dbdf19d0cd565c54c78d9dc66567

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
b7ecac6d035423eafaf6b1b7a6571758

SHA1
9a6bb304c5474f0282b2d1cd633ad76784583705

SHA256
e0d27cc6a9825472edd8a52d51d1ee8c978e075fd5badcdd66aee7e6fcd13bb0

SHA512
3e01a309dc82a17ef37987e424d503ef6310a4cfef131fec1ee930654f6b4858bcda0e9bd0dcfcd4a150a41d0fd9c0d79e19deda529549500dc160277cf993d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
7a287b896c40ef5ab90f4ab3c5e474d5

SHA1
e0ed51f0b321888bf5803d1dc1fecba26ef9e883

SHA256
ae044087705a8177332057f4f4d9d19d12ec2cb45c49d2626047b7209bbc3c6f

SHA512
baeb8ee56047e7c7427acbfc76e9e67cbd589bd4560591b6588b94a70e7857664ae40087408e5a19bbebd2e88979eb4a98dfefd34d2825e71be6bbcf468770e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
d730afc534fe1d953f962d2b2f7d01bc

SHA1
de053fb643905194d4fccaae6fe5e2b74a5ccd45

SHA256
58e34cdc74f5f5e2ca3c12fb19af6702ade3a13ae31e72188869bee9ca5ad3df

SHA512
78c14d20d01074f7d6c28b0d2966f3f4d4bdf4e7d0d4be2aa426b53f2a778df95c845ebab70d2b14fc348e949bdc1bbc955996805fc7bd6eca973b193be07e20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
a6aad1c9c376329d0e07f80cb51d65fd

SHA1
37c1c62638fe10d9461a2ca49ff2b22bfa7ef5af

SHA256
e14c30b41a29d244e046b985b5c1a9f2e0da8ef475475b027cd8a6d0599460a0

SHA512
d5b962dfe2a246c720fa54e71007027ebf7d7a573724627be06a23a2bdafe592649a1dd3b7379102b513a78b38080d1fa710c0d9310174ea0c48f31a9dad1ec8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
f740e3baf243e739ce9f0feb8bfba665

SHA1
af379671c221e7d4532f2a2e18eb2e7d7eb8d716

SHA256
e70029c906b60c371a157c40f79dbac7a3b484bdd2b3d78d25d27056fe924f1b

SHA512
8f2394f4299d9f09f588383785758dd960e16cf8dc606a94b09593836959e3a117ba9f7472fa274fd9a693cf3245a097e59df93f8ecae297b40adf8c13e305a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.3MB

MD5
16e9a846839881dbb5a0340a847fdd01

SHA1
2cf215671261daeeef90f81831fd7ebbc86588ee

SHA256
d085fbf29676893665c531d0f5648f17b64a0c204c01020ded711918fa7eceee

SHA512
6b91bd0ba1940f1433337713bfd697caeb49d79d61f6f6f421ad03accac2fb10f8eba53fadeea60a00875be79cc3181cb05720b8177f1692e77c36e6f6994913

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
8bd3f461d72781535cd6932209e6b6b2

SHA1
97794ef761b7f929a4da3214f2ae75154a743017

SHA256
06c4aa4f51b62e197e1fea4aecf371d1884eae7192910f223f9e7e268c60b906

SHA512
f31edd94a9b6d82b42201695ea9b7d1367e284a982900e2245165d57e14eb5e7509441e19596900ee531faab99774b8caa9cac2e7fb50a7c95fc0e54262b0902

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
d57aabc71aa0f2028e670ac98ca62805

SHA1
803d2763980383df61b137976fd3366d40c20547

SHA256
4397d337b1b9cf247794bf91c5d5c8b59cb9a272199ced7ae7af599757c387b0

SHA512
010346dbe4eb571db13a3c5c5a4f1491c66d1e9213093bfe9a6101b40d82934b6025417c3ecc27a192f8a563299cac0ae147dcbb5c73f971e2e286f91550982a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
599f31a46c58e6105be36ff14b3cb25e

SHA1
832e5ad8ab30c5e407ae9dcca2862ca134a3932d

SHA256
43cea548c62070af43f2c0617336663b730d8a16076db23371c48ae753a0ccfc

SHA512
72cf4c07a436659135f791e69bdefabdfcd7f55cfba622434e67c816476e5b9c56d7e89132ca967863c6697ac2639d8f97c41850038b7cae1b3c8126dba91888

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
6707912e7e1214f00d569d511eba3cb8

SHA1
b44f10b9e4564afd98fea8e1ac0d2a906d577133

SHA256
2259f699fcaa9ba609106049d0fe09c8ea484e3155ed18b20ab2700760e67713

SHA512
b33c2d68f0ad761fad14353869683f56f899b9c9a9a1d6771ac3750454ccdcf46c6020a18d3468f9e4b1bd9153fbc22653713f256e9cacf21d05ada908c17482

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1483f39b091fd41e63d00d58516cfe13

SHA1
c1df4ae2a1a115726b25f3170e3db3b2e3d78a56

SHA256
c426f61577c4ab5d9bcb6cf16061569f9f43a28bf229ef74bb3809caff594587

SHA512
ba0d2fa49646f785e5811418cf7a6efec8edb1c05061f1dc59f7fb5d2fdf3981e6cc3a72c671946f535158d9e92dde17e355d4fbdd5d82ec1608e845d23f5776

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
d6ce56e31af79d8e75070d934e8d5942

SHA1
2eea30cbe17df58db602fd3ba159af6751c089f5

SHA256
5a22009b0e53e6a099215e19532a31c8d171ff5139ee70eda5058e87e506e5a9

SHA512
f48cba2868c5734dab017f0661e5267c1839bb6d7a9f961cfe3e28c63b87f180d3d707a7390028f5e5c3d0e0984d7b988e85f970554895c0c5bc04c44b3ce71d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
254a96ad732e11864f85bf257d5f058c

SHA1
90838df108c07a62dd4c4e062c734e26f7d065ef

SHA256
9ddb4b95d55501cf84a780d8eda488fb1b288d31cd5503f99da9119c1b66ed8f

SHA512
25db64884d36d814e8b7c8b1d305fc5d92893fddf295f353f282a0cad97cbd8b4c29d67818c11b9102e708a0bb4786abb86c17046e9d1554e8e2d9683eeb40cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
7d3ab9ec0262ddbe68ce09f13c251cb9

SHA1
115fac5d67ea8255647fcf95895d90f5346722c6

SHA256
d3eb5ba0c60981501762fad7a7ec918ce511ac38cbaf04df23a1550003a294d2

SHA512
027a1cd09620954f3f5719a10a034eedbccf80f5399da9559b6bf8595990018ba88e31bcf46be31401cfe0237aa1a2b56054847f3c9f7ee2988dd5c3dbf5134d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6480f00e942da158573f75b183235f4

SHA1
01a0d38e140169ebe782efca5b9fefb5dca35516

SHA256
8019489a674fd2fbb09ca9280a29e2e1568a91fef306efb922b08d29b16fae79

SHA512
0b5278cd1b7a31856d52a744de7bd53bf61f5eea90dbcca3ab7c58f3d6629c72d95b8e542ff16ff4f9521bb94e061a2e1a774a68aca82aa1ad927ecdd307efb9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
819836854328b4106c624d7d00798487

SHA1
cf8f0ea638767fa8f7230b68cbe72d4ef7fb5be0

SHA256
07bce2f9b82e89b76776b103110ccd870347e27c1af8eba07bf964d0ae909f7c

SHA512
a2b98b4bc3f5fc46090dc5242ba2d149dace8020efe8ec82274ca63f7da72a3b3fe713bba8220136f027f3eafd702ee53c8378cc60529fb60af53a5e8684fefe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
137389b36cf1db2c3206915d11fc5cff

SHA1
14323ddb2cd222652617761b83c2938a3caa00cb

SHA256
460c3073116e127dc1d57c9cbf85276f2f98a65ae821dce06951ea0a8550da82

SHA512
a9bac9464ab5d9f76cc5b956e2d2fe93895626192f7b605694ecf565322b9bbac0800a05d83ae846e1add48f2e9da53049d5d360e7969bd5372d97e40920f787

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
b44855f7ea098f773e5efc5ff8632654

SHA1
3bf7bacdc5bae771187ceb1508ecf9b922767c0d

SHA256
028d943b2a988cadf0615efd766da37405ea3cd9f0845bb1ecbb812c3ef0b334

SHA512
24bb3fbca7fb396269d856e84b0cca907c08f3b8d24e19f73c146c69cedaf92affb9fdec1bb787d6e181cf7e03a7d481032176eab697e5fe69e26d6f259b1de1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a7d8b27a30e2de9a423a519337066654

SHA1
0e1cdfc182865b6f6a206eb9554c8351110e62d9

SHA256
410fd69b181aec41dcf2f169f9a0419663e39d2c745946903468ae2012e37e61

SHA512
366b8324d82aa3f26cd041163f12ec3fcf9a283eda2a3433c47e620ba5f74ad81e948fbfb0f70c6442d29aedddcdbd4ec59eaad4a4402b3575b4e9edaf3db29f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
83bb2398a03f64cb464ad2608241797e

SHA1
dfece72b0da000c90286fa89f6bb0b5e9c26e759

SHA256
aa1f784e24e8657f8f76b4021b623b1b7e3a79725d156fd8316482d52307223f

SHA512
acc3f6bb647663b8dd01716c25b5089c0305343ce64c585a7febff25138fa7a6d21e3b7844821b076be4b2a2774c09baad054facbb1f87fc30ec005974013c81

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b8e76a21aea9c297d8a3bbe7cffc27fa

SHA1
f3f537aaa679acafba1422afab2e8f0840e660f1

SHA256
4c350f1dd160731058e564673831b5e04ea06c2a9de223a016f315f85b0ab4cd

SHA512
c6c4af7a4d3750521394c14432924d1925347dd61f8153739af958f74e6eaa8066b80c481644be821d6ecd7b17be148fdf36a7dcfc9c3f70a00ceaba03156d87

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
dc471b98707a6cb2f6de7826bf866d97

SHA1
e1d7db69b95e0111d18520c6978b82378d167b18

SHA256
b8f4df4daeccb851e1887c9810496e35f6043a1a733bb67806cc5cd102d8df4c

SHA512
7f23ec656aecabedd431f802356ada716d26c61744ffa12f8c4128461809765be5ab728398335c5ae750b3c9ced58f4571565a101186fbff80cdc2f3983702e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0d69552fd74211f1784f3363abfc54b0

SHA1
c91284139d05060335e963d0fac16ec67ff2bf0c

SHA256
a67dcbf1d125ba0bbb817c3366a252e2f36c723f45b143ad2af0608b36bc1eb8

SHA512
c7160e64c9e37929cdb0886e4d5d572f23ae9441388ed843f623dbd5bb513427ae58d1a120ccd239f407c96d6f06ca0219edc4e6457b611731db39eb7c7ae998

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
81237c99c5e9948d8cc02ce65c1ccf33

SHA1
166b027ae6b0207c435cf3d1f372dc8c948baaf4

SHA256
b3f617fbb5ef791b62738f9b1d30cf0aeca3f6f758e09eae91744528939a2e08

SHA512
d7b93dcde54b951334887baa8102ced370693a7156f1c895b739f7f87a756570df5af8a5911393644102c288b6ef867f126be13e826976a01ce55b39ad7808fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
99dccd962451409da6f9c6818cb42d82

SHA1
9969adc8ead4857572daa8932ac50edbd8f007d5

SHA256
9410a2f85a9a86c7820661a1beebd2793149b8f2eba634b9ca53c4447db46aea

SHA512
1cfa43ff63c097dbb080df8eb3a3335b07e6268d73739a18cb2e1f98124461dc2b17a2fd8f5bc97a744f7be49834f139d644daf51742c7003b27fbc0d3d929e4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
85c7a63ccbf3190e2b3122616ee51f9a

SHA1
6c89a4608ba2f111da3d41e94da716c5ba43543d

SHA256
815670ea4cff7d03d56e4323c496a376a897f670fc177bfd3c92c4269501a510

SHA512
bf9cbe402fb93727566f1a067bc53a07f8be620a02ad7efddefbaa07f79af0ecd6b04972c06c665e90a3dd166be43a1525ebe6af6a1d0712263bb719422a04cd

Download Submit
memory/632-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/632-25-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/632-7-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/632-0-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/632-9-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/632-1-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/772-650-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/772-356-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/832-76-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/832-78-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/832-70-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1496-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1496-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1628-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1628-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2116-641-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2116-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2472-427-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2472-657-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2520-307-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2520-426-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3212-373-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3212-651-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3488-573-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3488-338-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3672-297-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3672-414-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3956-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-644-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-295-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4032-402-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4052-270-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4052-390-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4164-246-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4164-372-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4164-252-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4164-245-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4544-237-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4544-22-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4544-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4544-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4612-257-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4612-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4612-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4844-30-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4844-39-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4844-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-54-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4860-68-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4860-66-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4860-62-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4860-63-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4872-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4872-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4952-655-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4952-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5072-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-654-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download