87050d6310cbf2fa2171f5cfa671020b9c38ea2d198d1910a0e405b1e5a66712

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

885cf238912cfa5b9823e2ee7fc4d3e0_NeikiAnalytics.exe
Size

800KB
MD5

885cf238912cfa5b9823e2ee7fc4d3e0
SHA1

a539422817798c1e44cc3a6ca9c78bbfef187b20
SHA256

87050d6310cbf2fa2171f5cfa671020b9c38ea2d198d1910a0e405b1e5a66712
SHA512

1bb801c8a9c00469d853b40f19c31dfd49f851900b7cc434dce9bf31176ec80744f5801fc7dd9453ffa8cd18ab34f140fed673caed58e07ed79d4444986a62ce
SSDEEP

12288:WmSclqvP3N+shL0DudXezE09Si/ckGHt6pshsPSGkYl2XIQCb+Lk1TWbPXQnAN5L:tqHrogXe4i7ojhsP5Lgrk1TWb4AN5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1808	alg.exe
3268	elevation_service.exe
1480	elevation_service.exe
3344	maintenanceservice.exe
728	OSE.EXE
3348	DiagnosticsHub.StandardCollector.Service.exe
4256	fxssvc.exe
4640	msdtc.exe
3500	PerceptionSimulationService.exe
4216	perfhost.exe
2652	locator.exe
2800	SensorDataService.exe
232	snmptrap.exe
4972	spectrum.exe
1616	ssh-agent.exe
3296	TieringEngineService.exe
4496	AgentService.exe
4984	vds.exe
2412	vssvc.exe
908	wbengine.exe
3520	WmiApSrv.exe
2164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8339672c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	885cf238912cfa5b9823e2ee7fc4d3e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025f5583aadc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004843673aadc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f148eb39adc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1e2453aadc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000015cfe39adc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002645483aadc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008698da39adc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f37f433aadc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe
3268	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3260	885cf238912cfa5b9823e2ee7fc4d3e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeDebugPrivilege	1808	alg.exe
Token: SeTakeOwnershipPrivilege	3268	elevation_service.exe
Token: SeAuditPrivilege	4256	fxssvc.exe
Token: SeRestorePrivilege	3296	TieringEngineService.exe
Token: SeManageVolumePrivilege	3296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4496	AgentService.exe
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe
Token: SeBackupPrivilege	908	wbengine.exe
Token: SeRestorePrivilege	908	wbengine.exe
Token: SeSecurityPrivilege	908	wbengine.exe
Token: 33	2164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeDebugPrivilege	3268	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2568	2164	SearchIndexer.exe	114
PID 2164 wrote to memory of 2568	2164	SearchIndexer.exe	114
PID 2164 wrote to memory of 2244	2164	SearchIndexer.exe	115
PID 2164 wrote to memory of 2244	2164	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\885cf238912cfa5b9823e2ee7fc4d3e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\885cf238912cfa5b9823e2ee7fc4d3e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3344

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4968

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2568
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b6bdcaa56f848f914cda9d4d8bb5b31a

SHA1
3d8ef7ad50f5ce5e651155310bf96c27400cafd2

SHA256
58dafc3fb0913ed2a29b13580bf695178e7e548d0f9634b0d9f5c8a5ec8e8a62

SHA512
2eca103ee2d560c4f64fc6af29a8e09394c7c36e3e541c51e4daf79cae456f8bf2149e9cf597e3a68c6d094f16c0cc53ebe8850cf2c296651835d2b9ecd4a5c2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bda6303870d3b77a60c95677ea98bc56

SHA1
4cffbddbf3ccc4927172b3d8d893e4bfd2c173b8

SHA256
c040ee568ca2de9def66cb9ab3be15ea308a4d17b6d8588c95af2260dd0963c5

SHA512
890f3396b3633db353b66dcb492e3746ed5e3a1b6abae2d97e968462ae121ae84e477ea1f029b1a1935db07f10cd11ffe28081988b441ebb2cf1e2e3763cc6bf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
748f4df2b48326642f404b552e7f9588

SHA1
85f31b976dcbcd0b8a098a25e816e56bd442712f

SHA256
55d9de71b491c688ac943019e8ec55a1cf355a4575a597b6247d01c2d4ea05f7

SHA512
10936ddb4ac5d33cea22c329a545864f4c18753ba177b4fd420d1f9d23d7b9299c7bfbb2bd0ea1fdd7d1092aa2c1956cbb1f8feeb10a8b237cc0d9aa5f836643

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
395596802939abebb1cc178fe6267d29

SHA1
3a306fd5c61b8a5b9b6f53217a0c8b70ea944318

SHA256
beb131ab0d035083375ec60242db0376fdbbc7b96dd28f8fa98b3bf8a16082f1

SHA512
84daf3ba1a296a844ecab4362ba452d12eb9c0a36414a99918a1fd1a4c7c00e290b453c87bbcbdae7f9302bad83f2cdf495ab1d6ef65602f184a6d7dcfc3ca2b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1106356f2af90d6bddbd536b1b019457

SHA1
2f4fee58ec38da9709ccef7cf1036187a5a27bde

SHA256
7cef50341132e8b0bc776f0549361f4970d84c6f797a8726942c9b5a05d3fdf2

SHA512
3cbb770622d03852456acf6f37a98dd5f79e5eeacde6fcb2cd54e1aea5744f469d21a37b6cd3b764fa92af56f175115748b6683a1e30153c1517284def31189d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f6db104e2b8e43cd1f7f2f25859444b6

SHA1
cf0c664f2c35f0e732a7e87dfe5857077fed9350

SHA256
13f0c57ce2eedfac611476c71e1a95775ed55041395b46991a6497da76b0bc63

SHA512
0d191c07988b136a0acbad9119b7fe68361743c305932330993cb6d261bcec0561fceea6447a338c3a0ee94953a5bebbd94e6e94bb21ffa122ec017eb07e5f9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fd55671c0ff2a967db809e1362442251

SHA1
60e00246eaadb9abff66180aae84b2c38ccbbfe6

SHA256
eb553fb6c0a16578af90f8bd8d7cb139724f2968dd949a4ffcb507cd562a6fc1

SHA512
609531e29febb678a6d3012bb265c8c5f0d16e92436351dfaa63ea089d740bdb237364a54a2b6bfd03f8048be231608a8488e2218c1c6403a164bbf4c56b49d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ef3e2a872f62e3870ffb4919063a71e2

SHA1
574297d790c47f3f188c38d66efb77fbc06d46c4

SHA256
60f514b816ab92fdf5abcda0f001ed4cef40cff8e0df6c4fd16f841324a175c0

SHA512
6cd4b4df0d289dff60049eb576226b077f253edae3462352249e99c1c887403db65a069fae1984820d9ea14514c4875a2378b18d18d452763c6d3c6f63a7ad41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fe73b67e7708e5840cec3b188857bc2e

SHA1
7ef6f43e2b343adc06da3322713755bc634705ab

SHA256
d404d46f49a455b22537f84d44066a122a86d70f1709b3a61d286fd5322576dc

SHA512
8071acbbdd14d3c7f0eb30f42147d020104f311c14fd5038c76d91c98310985957800d080134e3f102ee4a308aa311fc18ece32876ed127e49651f1886887cbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d1581dae927cdffa4930310e86896932

SHA1
70bf84a794ec5f9875a63895c575f14606e78054

SHA256
ef724787a466c46e883007eb43735febd89d06df9912073e3e188c06a6fdeb8d

SHA512
3854ca5bc087d078ef9999202d9335759db9e33e11a630046b94c1c71d528552ff9ed162902a3bd847610ba142d24125ae3c86b8a0b6203e2432963caa98562b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
87b53db57399b00c28ad89560cd84e45

SHA1
0f8ddde2a3b8eab8482bda2674961ad60eef9349

SHA256
8d042bd93f3a77d4d5df0806d30467f95eeb5964778d6587c34d31a196831c59

SHA512
42962f3f0939f879b378919100b3f3207e6ee9444251b2d5bd6e65686ccef38254d3c5fee164d80c3ef2fe3a43d5901e02f10df93dd2519c98ad05cf189bddb1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
87977836291edc856cdb46c081ca11db

SHA1
74562438fdfa84b425530909d14183040887ca3e

SHA256
f8785bf792e35188ce37a86715d0aafa100696b329f9f6a56b76b585f0aee172

SHA512
24158a853e87d0e62563eb374cd0873cdaeb74cfb4a8faba2cee36030d72d90cf1f4129fe825ba7f29b3986dc0904f0151eaf4bfd58464de44fe9314b4afa6d0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fd0d4038c02f97ccfa1005d8c7f55c7b

SHA1
5e8abef0bda14650602916fbe925f800eff24aaa

SHA256
7969979ea443bd23b423865ce30dc955143d442a80a288c8600a98ad03b4b39c

SHA512
4026c012e4c89cca98b90f0f9f40ad37359d07003cd4c1cbc339ea63c187f89ef5126e51fedfe66dc4ae47ca8185e9c20d3d385bbfb4e397fc29aaee572a694c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7354d8f6f62a99b83d044a78f7d8d406

SHA1
b1f2eca375e791e80cd739de88a1f999c3b099a2

SHA256
c0578d177d8cc3f8c74a588e6dbd5620ca0ab7c2f656bab31e0c4112a751811b

SHA512
e2c9a089c51ab44e47658607b8b1a5f13d21c0f59e7801d98f7a2be6249d3887d23b1e146b8427db9f7ceee047cb173dd591a70faf9fd741fc2ecab456b8571a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
21fa9019da26b90e36637df8c83730ce

SHA1
abe99bc5cce621f4fdac3b85986fe7f2968bbc40

SHA256
afd66e8bbceccdbed8c3a4adb2e9275d19e66c4320056749272947f372c53ca0

SHA512
aed2d0033222e8f19466c6492102125832905edcb1883a13dde845e4504306dab0173792d87e489f117ceaff024524488d29226d165944ec2b74da3e57a32520

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1232977c62f8486fbe86620db1371467

SHA1
3f83f865010ca3f6cdf3c3983df3bed4f258f9bf

SHA256
f6f6328093ce8f34d4ed7c134546531c0d4d26aaadacf7abe436d3cc3f752704

SHA512
03777deb97df7883521c8769cbcef0ba652d06301106caae6ead62355098e993cb1dfc03dcc4959b3cb9ab457c97a529e47d9851284969c400f69725a5e924be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0c6f35561eb8bc6277d88635811259d7

SHA1
4ad2a23d05182895532d5336a0255894e7ebe86b

SHA256
ff3fcef25c80d4b5a417f8c8b6fab0bc0c2c28858e45f361b213649d0fd64543

SHA512
cc5d82cd154e854e2c13dadefbaf4509ca432e42efcb65090b3b0970bdba7f66f1f14bb79955d4a83c39e66aa86760cf19855a47b765902d964ff1675e459c12

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9932bd37982b976e57f38751a4f6d987

SHA1
a5a3ac93b0813ca266d126201b0eb7a3dc99cdf4

SHA256
d53398293a43553c17f7a12c4de274680e1249a4c559374bf618cade9a8d04ac

SHA512
4a9b88015095cafbb7f280bcdb427971bb2a10ba09c9e0a222ea453174a41bed48714a357b84ef92b52fca75aafddcdfff360f429008f28dfe50ca307d732bee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
026910631609831c213bb69e62f1053a

SHA1
5bf1de1c2b4f44a37ecb6fd56757a9e4c11b9d68

SHA256
daa7d0b3361fe8127f325e0af17b8845c2ac3ac2e0cca3158da60f5e0cbb40a7

SHA512
83d1ac0f22963b7c4ec4ab72af07ee95b086b8a400d491bf1c752e4c362027c6039c6e65443f91f38cca3eadb438667f3e431ad267234146f66c419c693cc944

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a4d46d7e4bc94cdc1d0f1fbb65af22b1

SHA1
8c1c44c7643d4a0705ba8278efff3a0f4093f765

SHA256
18979b075c5fb45acb32471616318cde39f4e994046d22457c9caf3c3e1803da

SHA512
04eeba07a67018cceea7214a06af0dcb95bd401a4ebe1756d6ed4c34d92b69ec022f6f2e39dd4f055db8bd3217ba4f9f51b32ae8c716b1d8857d04882dd57202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f3acdce2e8948a446607241cdd5bd763

SHA1
36eec903e0f9e8db75727fd8444f60037701f906

SHA256
aa4c801026212e77c02d251f204f4df3fc9adb7f10695393217f27af37ebbdca

SHA512
3d6de434677a3c5b8ac3403dcd3c5cc49e3c5825cd41cb1e53d38d785b7a07cc60d216d78ef808433ab83b6fb752d761f2b90bca52823c3fe9e1a65ca03ec545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
520d5c236c69c16fe15d92f56b65ada1

SHA1
17aa4dbdfc68b3876f6728573b312ecb1de173bd

SHA256
509d9f5e0ad943ce6ec592c5467b0eb21960ac98e9f8245bcf13c7521e59c5fb

SHA512
e1bbd14b9dc9b2ea20ec0675cd4031b511874bb325140d66e00969dd7b54defe90288df3f14bfdfd2c49a37e345af32ab282686de43f90ef73d4ebae666967ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b26b9cb2d35d764e0e6484e3a7141b57

SHA1
d3f4a42556753da2cf871bbe0394b6162008cd46

SHA256
7e7e9e05a2b9b9192914413657b87a27179f8c06168aca93d1a99f9160191c28

SHA512
8d60970c392f144eeb83c9ee157ab71119e2da51557631bb5e9171763dda58ae72edac99160e31088fa13999bc0d0988bcebf981ccd4497cfa156e3c9f48d255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
84b47b1fb6676dcdd4bcf679dacfbec1

SHA1
e7daae83d93d7786b95d7f3f7f136b314deda2d6

SHA256
bbcf0b6cf55dbb32b3990bfc3c00f655b581293f5e404271fba6bfff62a7cf7b

SHA512
037e28a5560b719ebc496e14fa4cccd954100108437bfb2c97255c25f5f4a60d8d3aef3bf459489da895ab6cf7e1b953242bb0974c42eb68a0a6abde43737da8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1d023e022e7f35f6f1daa4a1ed531579

SHA1
aa99d65843e2a13a09a27d7ba0c410a3c902d895

SHA256
b677782f2c3e0655a7e869e59dd5b50c1000be0cf7eaf08c7535401fb455f683

SHA512
2f42ef32eca78d81fa998b47d371bf72fe19a0dcf43d27bc6ee29dfc60e9349d8aa30d975e163406d52a1f99e02cc2f2f9922e9b20d21cc44d81a98cebfc10b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f8c3e4fb6935f01e04381be6586881b5

SHA1
a553d22900ab1ec021845b534b92403f8c63f1b3

SHA256
42c8319d97e52b7636213e03192c35f6c4465d061fc8eb7457511f05dcde0ce6

SHA512
75730cadb26dbd478deff6ec3dc6d7568365a6e3169afa8b8f29280bf8927eb50e6ebe51126d872fc9d3d39446df8bb5cd0a1453c2c8b65053bb7a3a55690653

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
baab531d3cc39b39d65b5f580f01de32

SHA1
1277fa20f5f00c88f819499f5d5c782f06ffbb02

SHA256
3fb8dfce05ae2813a543c8cdaad4b0e59df7d2137755bddd6a61f30132d0d14e

SHA512
402507689b6ee477187d275bb303871bc3b5020f6b2a7fdc0da45cad00827b7722a86e11fb9f5558fd40c9e1eeabec581e5c2160ce716f754ee72d09ec500415

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
74bcae27753567cb8dc1749ea68208f9

SHA1
2c51b16342c1ee99859c318f0f7d24c386fd0332

SHA256
616d87b6e78a96994d48f0afdcf22f62bf2d7c3a83feaa3ae1236086e1be2730

SHA512
410b105c68919757b24cb4107843fb44b4bd8356603fff835a3fba2ba443d62735226ab78fbce67e41065c4739db0b118f552f901854038e684102429659551c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
330590b2d571f6f1a822e111dda734ae

SHA1
ffd4a7c1fdbbd8dee07eec9ec674f764f16673b5

SHA256
b7f62550a39dc9f9982416f8441d3a927c87bc003b32ab184700726c4765dc3e

SHA512
d5469d6e1c69b9113d3b2c2da61a6a7e5983fab8d59b4d6382198a5ae69acd62c3ac755b3426335204742c468535b621aaa547b0fbdd77a7a84242faba9c192b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9ac5f66da95e99d718a539a90b96021a

SHA1
265554c7fd14da98abc1f300cdad0cb1c7cdc2c6

SHA256
db97632deaacdbab8a4bdc3bff93fa359653877d08db6f974a84d33d544de7b5

SHA512
93aeabf821211e4b85c9dfbbcbe23dd3b05d11289bfe0441181ca8dc40a53ca1431fc7861d1fb6f5712c0b151144f048925aca630b4cab3e2a5c3053e6403c34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ce383d4e54403bba6e4451f9e6d62f21

SHA1
16894112e1f51666bfb9407938cd44d3744a2f1f

SHA256
3ac63f07e2cd9d92f287f6d40685ab87d89523c0226a6d939fdc76b15240d52f

SHA512
e2a9def3d9016f4f4448be1026b5aca3a75673398523d4475ded05474bae2910fed6fb675153395ad1527137e30717cc8078b2ab5443b15a7ef0450d7b23dfb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b9b000abe2abc6b5283ae05ded48a563

SHA1
c29116a203e8c73cf1cbd460f2e0f728ed0bdd94

SHA256
b89611e535aa7a8cdb1013909c3087786483735b3ffa539a4613e914cc7526c0

SHA512
fb31af880f6a9daa9d71ea993a3d805a77f0f0f90e4f66829996260fc911ce4ff00276c7e845c3b3928623f5f8abdb990c28e005a0de7e2348aebc7f4ae40987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
df4823dfee606a3c0707827b62a018a0

SHA1
688fd8b8ee0efeb233bf052946e756e3e85bc20c

SHA256
51c9bd84d6248f5ee1959944f89468871265adfb7cbcae1a282fb48be414e19b

SHA512
db75bc7218b3d5a39d123de4a27d7ca3aa970246f54d5c211370cb6ab0b9e0a4a09ba26dfe41c7227ffc455624801d35922335aa6d79eda2bfea616511fc6f1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ac9962009f3c39f940933fba85794280

SHA1
fae0601558fb576701a51756d7186aa5b0e389b2

SHA256
e3a3a99693338290c339072caf629e73aed7d0e735eb3f5d48801b7be44c5847

SHA512
6761948f465f69fe2bd4f82a64f2182d0cc8723453f1552dc1cb5ba0b9b3d00af958e5deb4d62e3ea26dffa958a34902d8e278eaed188c7029a2df8c9a2d9d4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
23e3c0a40779709563f7013994cec94c

SHA1
d764f3bc93672ca926685bb5d5d495e4ca09e46a

SHA256
8349bd463aed8273127defd3afcc26136c6fb003d8d2f4009a8f6c4e9fd613db

SHA512
dc72daaf4d808e303536ba09ddc167c829e3bd2cd21e77a4c9bdb8cc45fd170032a355b7eb5aa8c31afb0d3ffea7e61943239efee43beb224d3ada4457b8deb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4c91122daef806f72e8c54958339d5a0

SHA1
e7adb39ca788e03191b91dee630f211baa019026

SHA256
e694e8344c6db4c42426941c9051643317847a3d95f15ea9e44c8c5963b4a1c4

SHA512
bba1a671654582c620c7e06de5bb0649b792ed9d9a2e4948af8df405e1c9b4e581d9f6a7b6a7c05639d2b40c4add3ff080ca4f817d414b0561f32d9f8499d0f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d50c1e298694298a0ce3a64e5a0eb0cc

SHA1
0b6df2ab0941413f3a7b1602f5a15d10769ae7c8

SHA256
8b4a863e31ae7be0dbdd68da0c0119deb096d22e2d0886bea2ab0f1022df8f68

SHA512
45f4ba01026a8c6f7da5194a88edd45244838d05013ce9bf3855f2d0be021022a2161f80e1ff4a80094834bbd5a580445196ebd0f323ff10de5806af018e4806

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
2aa21ba302b47f781eecfcdeaf783952

SHA1
caab7addbdaa5a97b0fd86f0652571ce8ae9e66e

SHA256
8538917e697e773b6aa9f25c337404a31bd82618278e8c16e77380533e851163

SHA512
9f8a47b03f87b5e10672385bfcd4af926d75252d6d2d951148ae4df6e248dbb0d3234de121b50ccaa6124ae9e61a1f253362b3ffa1176e1239e416e8f0538451

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b70f6929d9c3c8500c1dce6ab07e48a2

SHA1
fd646a1daf5d046394df3840c637f65efd96bbc0

SHA256
6900b8411feb0f59993d73218d2c33122553881a65659d88a9387206f23af30b

SHA512
d2f4d40f8deca887d187ca8ebff6ce32e0a43c17336f21cbadb4aa33cdb05c2999909b284d49c9dd15c1e2fa03efc5a54bb42ff9ebea62c3d252712c907e5d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
ed021ea33ad3f82312014b3f97f9b09d

SHA1
b749eb19fd69fe30fe151ed4788448d795bfbf5d

SHA256
2dce51a388ffce57aa6bf01e5bf50f753063fcc1a18e3e0ad2c369b5954e8ea9

SHA512
19f658da6e139e2cab23800ca89c880b1748cd225c9f949e1a8eb36bae38d9d2614369f6a21fbae7a6df50f0411f67ec1f1da62018ed33b353b9a7f4f096fb50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
9203f3ee8a277ed686768319b4d39d29

SHA1
a9805219297d63c6619ae8c901eac464f75c611b

SHA256
265c894e38dc68c16c34fb1eae1c82ecbfc98a23b298024bff254af9de9f9c49

SHA512
f6ec4440892c83c5a4a54044ebf78aa1ce8c827454f09721b56f44444f99409bfa6223e578f339ed77831c098fbea1806b4e31f37f4dc61deda1584f26b8d741

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
859ebe64e4075ad4ecdb72d4ae4f174c

SHA1
a8d5c56a9ef2ebb211613568a9da91b2a45fa116

SHA256
3e84e74a350401db867e14638771890df869032e2aa38d3313b9e87930dc8571

SHA512
b7f7758ba78c377eee6e8e4b63d11b60ea4e51005d075bf3c06750514a8f67b6ab3084ace9911f0a487d7be32991413fbc33f8cbc29aa9641ae37a9d84ba43d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
b6c1090dbf9520d4836662bb61a7f6e6

SHA1
0eb5619109b8955732ca3a4df29f3a0dc95fbd21

SHA256
9f9e6782f0900e5325191dbf0b05d9be18eac80d185d9f85ab9b27c84d917663

SHA512
b7c5cc256cd024616902f91c52728c91755ae75fa61801a808bb59f2cfde2d264d2ce3b74b027b124a1ea767715730d18d7c7fd6b7829007809015b15d5680ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b14680aa768c15e9d9d79205440dec9c

SHA1
0f03dbd70bbb9a17bedeb636ee597bb6e12017da

SHA256
6e033910caa84bab669e09f1a9efdda5faf15edfa857c3202d90a465b822d7bb

SHA512
8cc528d246097d83fdd880b61f51584eaf6bed73691edc702f8bdc1d0f9dbd997509d996d662781cea9ce5871444ca8c779f8c195899f3252de25f5f83c08354

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a541d2fc1e37613d1f392bbf22c3eee9

SHA1
87566813b6989b7d9de541a65f87bb7b50278364

SHA256
49b184364421aee41a5e717958c31e5ce13de53343b45ef2438f31f9d9dc5917

SHA512
1cf2519022c5ff4853b394f6a885214b6110100656334451c57b53b7d32a4be518b123eb32e77a813a937b0f43c08b05500f6ff4f2de6dbac471890fe9a85c06

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da82050047615030a109ac2ac7f522a4

SHA1
953cb2c1baf1b441d0cc3a2bba85cb91f2cf968a

SHA256
88c16356c483d69862c1af9f70fb3dba344f478258b14336a9c36dfbeb3c8317

SHA512
cadf4549606396426f065069b92d7cd6705cb8f64fd3a93ec8ac993c1572520e25f51b1cf066bd7c6267c63d75c7775b868cc2c6821bb6889c7a1d7df3f26f85

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c2df206976d243e8aa2b63a24d9677d0

SHA1
3d0908ab8ae973a803828061968eb9af5c97a70d

SHA256
4fa7f55ea90882cbbdad5f713bb44f1340623412d28a83677d2e4a49b961d7a0

SHA512
97c61d88156d252cf4de4aec94e95137838e9680c94d0a9bb3d75e40892626f38c674d628f7feb6362298daf2835d219c32588a2d7c7d8553de64ce0a9375fed

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d11917ed1d05fd0eb94d32f142811b30

SHA1
717126c4eed5b7136cbfd0c449ad7245e02f67e2

SHA256
cf094f0f6ce2569c6a78a2e6a8705498ee3c8e35a925acfb32177d6138c20ede

SHA512
b2e06cacdc818cd15018ca4e02e5058f7056f598625aab2ab1bfaae881f137760f26fa9ec21bcad1b112e4936ed3d26f30aee7771556432e848d6f304e957536

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0a1d73d58321fbcb41b764a4ea3cfcf6

SHA1
7758676851d81bddc1c7ec91042abd7f2d77d5b3

SHA256
00361c4f5bcf3409099c5429e403ecd4329f6e0b0395ce910477301895909c39

SHA512
f6dcd33fc706de78c5bf51445c1213a4613f6b5cfeeaad0da6984323ca95838e66d38246a1cd8917519a7c5a229647291f9eaa2759e01ee1ac55ff39836b3291

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
562b759d83251fd881983fe2e897e446

SHA1
c30365e50dd0f51318b9c8d34a8b635be3573f14

SHA256
2834f55ac65330fdf12a78f6699965aa8264a3e839ed1e38bdf6ed442a12cae1

SHA512
a6491d72d32437a6583f016c2ddb073a25004cfd0cb7f1f75b5be187559e03ad18bfe6d7671b70b83498e573ffc0463f5aafe9f0ae02f75ae683bb61674714aa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f274e13e606605e011a65cb5729cdafc

SHA1
1fbdb5ea2966342cdd81a531fc9f5cb706aa90f5

SHA256
780dd8a5c39570eb70ab251bbd93421221c3854216518e153490d6fa3b3a1fb0

SHA512
146d20ff8009171432ec213341061dd95c745324cad4b324ec88f5284df288d0459441b202226048bcf1302e9725d9a1d97be500846c3e3b8331e8d0fb9a0d98

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
995c8ea00b77391eb7af13cc108b03ea

SHA1
925dec25eca6c9e5cef5e4b6965b924f159f1429

SHA256
5d70d9c0c185f268e4f9ee6d7030080378b0a258668efd04a7d529360e2f1b35

SHA512
4e8857b98b1c84a926b16cd258d7e7fb934400195708542a8ed6dbb713d8614ec47e797530b89a53925770d7373289af7d1e3de5741613d2541e60870b4f3c9e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
786cd5fd7028b690788607b038630674

SHA1
dc28b94ca7b987d8323662979fb03fc4448d0405

SHA256
79df8dc049a8c37c630253f2d87b73d822ccb9378baeb609624c916605e5c1a3

SHA512
fb5e71a8c362bb21ff5fbb3cb99db7841eb421448a609cde2232aad880c42b2e3edd5ac19649ef7e8f1036bb9e8ddabbdbe4b236433fab9690f5c5a1f0a8a102

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
54d25335c8d859da4f01becf971bff82

SHA1
8334470e29c4879af23512e69643f0ddf38667c6

SHA256
c1a87cce62df89aea97fb30667b3311be5afd39c8a5ddf4a3ea4fc40f319a7e3

SHA512
86660e40513235161c7631a2daf116d72259aa717fe06648d5a858ed70db9cff6a56bb5509698e175353f005eac7055feb38c429a4769ddbba3623fa16845713

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0c8c96b3dca52b1f7533b7269a1a6381

SHA1
9676572f3a48a6f19d7055c176d1a2228d65a939

SHA256
b1fc6afeb3b2d6b46637062aed45c9fd90d6a81f030c7cf337b0af1e615c5a69

SHA512
2b9089fa090c6f4989f68530e48e80a5d499e066a567938b1113d7f6a769612cdd7ef93cba4bc679c61f47fbacba18f51e524c4c51f95c5c3ddea9befb4764d9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c900a7609987f8d58370e3129c2dfc94

SHA1
8e3ccd1256c03a3d4da0af682ca9f0a80dfdaf50

SHA256
f2eebce2ebb4a85a7757f5433d086a129f131ad9ceb8a3afab55581d94619022

SHA512
9bb86bac06e3c4d54c4cb1195c6c97852dddf277036429000f11c8484e4d353f7ddde5acc30b700485bf46604a9f9695b6843a2ad541239ce9c0051ed3e4c904

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cd42047524941e5a92c8e1e6d199cf3d

SHA1
45a479942eba775f3e4a94e870b69c63a103b8f6

SHA256
7ac7010453a11543ed404419752cba3c5507cb66e45d982aaa65229f1bda5c22

SHA512
d4860be7eb3cce4d60d9aa4bf1c701605116c07766b7193a75fe5d3461da24a3085e2f91e8eff83040e9e338102603bb76f6d83bae73b2a9a5ef4444f535aa75

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b33c5b5a80c012655238844c6cdf4379

SHA1
97010cb828a26e0fdb58f586de25ee0c9b7a9136

SHA256
550f647aae7d7d60b5a3fe6ff261544f65e0962be8f976b7cdf9f914be8146d1

SHA512
79b441482df4d5520c40df4dce3b2be4c5f6f42d0c31e38a603d35c326d072d405946e0606db41145dbfac4fdb533f3bd7ca8d8523d738c627c80e1bc4b8c1cd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c504f4c4fbd3250da1bcac919002d7cf

SHA1
00e4d101b2e6f11c29102744fd98ea4d594eb834

SHA256
2c2def0c823f66d10262ba13ce5ee7d564622f2e1107ec284c209a584cc43764

SHA512
7439c1918cca9b631f3b4ea822040a2206ba0358665de05f834153502c7fdcd284bf0811ff7e106c687876e169fdc8b09c895347bac91b1f108df404c55220eb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
27c07844d81b92b210b8942634e8561e

SHA1
893ebdf8c8404ac9859b0644e5b170c74cd2f9a5

SHA256
501d36a1d8940850e3bfe2388740f101a71ace803eab60766f8347298c47431d

SHA512
7d9e5dedcd4feacfc8f8b9ae0ad632d8a0b2136ce5447866fb51dbc6ce7c056f9578d8df6ce70498359d76082d3c85f07c6fa680d2907ffc1ceb77e242f6b76a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
091686b9ef30a667dadfeefef14aa135

SHA1
10d063bbd1c7ac713c37ced9c724556553788a37

SHA256
02bf102eb8a0f06585a2cf4397700f01d410e76280e7529c3dcb12d14a540188

SHA512
49ac8384d92fe5d5603e1e196299f261429c2a03a166952ba1c2044d4d66e6fc0c940922c4768d4ee6ed219ab74eb7418f6d479dc6eca6a0f3cdf45d0c59b14f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3aa0660371d86e4cac4a3a08b865a53d

SHA1
75d66176ed80c39b71462462e038de4e706b7cd8

SHA256
f7c5d2bac88fd6b028bbb0f05f6cdc4baf6c78e7d6a215d49b0f8b6af8a86b0e

SHA512
04330950095d9423f77984d46af89065f110963e1021c2703ef34066624fd34e737c41310fc9af722c749604e6db1c362f9afeceec5f334a81f11da9718d2818

Download Submit
memory/232-323-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/232-634-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/728-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/728-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/728-67-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/728-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/908-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/908-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1480-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-346-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1616-639-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1808-17-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1808-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1808-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1808-25-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2164-648-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2164-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2412-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2412-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2652-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2652-418-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2800-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3260-13-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-14-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3260-9-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/3268-29-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3268-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3268-38-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3268-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3296-640-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3296-358-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3344-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3344-52-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3344-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3344-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3344-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3348-246-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3348-357-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3348-252-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3348-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3500-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3500-395-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3520-419-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3520-646-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4216-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4256-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4256-257-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4256-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4496-369-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4496-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4640-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4640-383-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4972-635-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4972-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4984-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4984-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download