f2143393bf170f412785f5aef4bb0cbd91fee19d5d34258d45d3bb6f2149c990

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Size

5.4MB
MD5

3e96beab31d73b035980abe929ab7aa0
SHA1

ce11db86890eb2c7b4394a8daa3cac28243f2149
SHA256

f2143393bf170f412785f5aef4bb0cbd91fee19d5d34258d45d3bb6f2149c990
SHA512

244f2c6e9bb2b4b1f67f711f4e4640d0ac7eb05fd3cf89808dbcd89aecf41537e5eac7610f66bae8a42b2f3a894df2e579e636a635d3fb5f93b9d4a0edddb4d2
SSDEEP

98304:IuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0q:h7wq1W6HqULS8djZDTaNNeCKVP5ORsg9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeSetup.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1884	alg.exe
1712	DiagnosticsHub.StandardCollector.Service.exe
664	fxssvc.exe
3916	Setup.exe
2352	elevation_service.exe
3924	elevation_service.exe
2008	maintenanceservice.exe
4928	msdtc.exe
3920	OSE.EXE
2728	PerceptionSimulationService.exe
4936	perfhost.exe
2216	locator.exe
864	SensorDataService.exe
3616	snmptrap.exe
3960	spectrum.exe
2296	ssh-agent.exe
4248	TieringEngineService.exe
3324	AgentService.exe
1760	vds.exe
2812	vssvc.exe
4820	wbengine.exe
4184	WmiApSrv.exe
3384	SearchIndexer.exe

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

3916 Setup.exe
3916 Setup.exe
3916 Setup.exe
3916 Setup.exe
3916 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fde1f4c092be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dad810ac3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e88010cc3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008076cf0bc3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000380be10ac3acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006590470bc3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000410dc20ac3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de40580bc3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Setup.exe3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe

pid	process
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
3916	Setup.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

640
640

pid	process
640
640

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeAuditPrivilege	664	fxssvc.exe
Token: SeRestorePrivilege	4248	TieringEngineService.exe
Token: SeManageVolumePrivilege	4248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3324	AgentService.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	4820	wbengine.exe
Token: SeRestorePrivilege	4820	wbengine.exe
Token: SeSecurityPrivilege	4820	wbengine.exe
Token: 33	3384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3384	SearchIndexer.exe
Token: SeDebugPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exeSearchIndexer.exe

description	pid	process	target process
PID 1680 wrote to memory of 3916	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe	Setup.exe
PID 1680 wrote to memory of 3916	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe	Setup.exe
PID 1680 wrote to memory of 3916	1680	3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe	Setup.exe
PID 3384 wrote to memory of 2208	3384	SearchIndexer.exe	SearchProtocolHost.exe
PID 3384 wrote to memory of 2208	3384	SearchIndexer.exe	SearchProtocolHost.exe
PID 3384 wrote to memory of 4856	3384	SearchIndexer.exe	SearchFilterHost.exe
PID 3384 wrote to memory of 4856	3384	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e96beab31d73b035980abe929ab7aa0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

\??\c:\d163029efe1985272f2c\Setup.exe
c:\d163029efe1985272f2c\Setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4556

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1148

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2208

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0467b0df6fccd7d1fd11c29477bff7af

SHA1
bd73e11afbbaaee5e70537dc00562a077212124a

SHA256
454ad5db61d62f6fca841886366876e96da6aef925fae997eacd6a6482c8f32e

SHA512
c2aea8ff47a894fe2f1b0a90a78b678398db11ffd6c809c978c058029fcffc5e2e79c1efe56a3231cf9914f7dc7d3e12e125f0a4eb81c6cfdb2a49155af0caed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
b7f218a1816864d0f750b679505057b8

SHA1
774d2c7a2d6e8f26978b4ce434b68e95866c83ef

SHA256
d9f972189d93d41bea089f9e317f89d9ebbc4c336c722a1da5e67d4130632318

SHA512
ac4c75b93b5adc27e8c3a5c7028d7083d88366bbdfcfb3d7e943c8b15857f6e17d5bc162d24d017040b080cbfb4c1ad0c7ff7542311a039f91b96d3841607a20

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
7f09aa361952221aa729602875d38074

SHA1
143aa7295749b754bb0a06cef7646dfc6a60ae09

SHA256
8ea72ddd439f38daada21620d725b216709a1649790ab08b9fbca34acc9bfb9f

SHA512
9317eaf15bd4d73e7a2a06761f99952ee6b87bc3206072b26f717bcd6ee4fa9321905923ed394d236bfc154a1c2cb9b7e0dc3a53ad45a75e7337df6421ea4f8a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3f3d35d051a4e092c65965e4b8fc92ab

SHA1
bad4268124a9cb475cf21e456d1adbf1fad08ccc

SHA256
c4061987c677bd8bec37087d2b9feea4411e2e48617d13158921d6757b28e700

SHA512
14d3f75e4b99fe58f1ee9bdef33278f08fae483253cebe50460a417cfa0174c1c8b5087414fa3291359b6fb1043988c05c4acbd91b2826071d41e0d646280575

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
3b976d603592f69abac6e7433bd35070

SHA1
492da2ef5557287876e72eced024c4ba2b2a0637

SHA256
1006590652abc92164f9482513e053d1f8b5f7542d4ac69e410d3be3181613d6

SHA512
ba70327ebd0c3583b9fa3bdc57a1ea465b47812517468a69188b37428223203b0b76f80c6109cdd7b4bc516ee6d63345cc250e983416f6df504c4d3834fe5630

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
6aeef996aefef28a51cb352e386a9a07

SHA1
644739d82a2e1e9c29d85d55e3e78ba0aad38756

SHA256
55c814c6ab0c1f992ba1a4b81fa2f44595035d3eac71033899d1a247676cbc12

SHA512
d39b920b4ecc7022cff4886a77ab5385f8864a16113550d64ab90c9d6d9e0a627e8016801cdb5c00a770f3a311724907cd1f8d0244ec8a79d45c2249c3698d69

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
85d5c593cecf8db916e3e9a4feafd994

SHA1
509c9b0c2b56cd5ed7ba4872c36cc5c5026fc4e8

SHA256
628bd54a0e2fe034c96f21ae492804e310d4a50a7995edca8ec08d6015839db3

SHA512
c793200f4baf6bd1ee54805dc43d9f539c531210f4992d620c4a848c22e036ed381d117c10bf2993507e478cca9b069c9247a86666bc7cabecb939a07fbf0a5f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ff86b1bfac5cf40f5d4bc751305a69eb

SHA1
db4e85017e7b429f787ac252f0e9baa4441a47ad

SHA256
534e8f8403648e32b527688eb8c7e2037fead8cfcaf71ad87a0ca409f1806806

SHA512
4bb103d27539d0aef971e53d231aae7726d3801f5b5f137344a955f7b9ea73806eaf8a01f196e0eba1b809c88298e1eddc6d958beb1a1fc8bdba4819966e421d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI422A.tmp.html
Filesize
19KB

MD5
027a7a9f70596ebedcfd3ddbf4ab0ba9

SHA1
75359002d3cee32f36214f3bb22c3cad54317261

SHA256
208a2353d2b7a8cfc8217b91736a388593179b695a5a45f22cbbba21a710d1d0

SHA512
560685f1c2cdce91e44bfd8510b2041dc07d056190ecaa6a5c538e4c2bca5dd2a1ed3872e15b66789567337efb640df328a498676a5d23357a6d7a391b026783

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
817a445b507bc58cf464bed48ebd65a8

SHA1
4cfe53d084efaf3955abe0d1e5ab74c982c9cb81

SHA256
92125031aeeeeb81e6d0e5192e3a091e6814e317813cb35beb9dd81c0fd07288

SHA512
7b38a3164db90bce6e057858ce400af7d5cddc8f29d8fa2888ad7e465621f25502579b2dc379fbc82fd2e1f1615201eea252ccc680988e193e21cb8afcc89f72

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
96da3d6a5a42faeffae50330cb0d35ef

SHA1
fc87e47726c3e1f47de6fcb96613e99761d837b7

SHA256
d4c30a050d53fabdf36d678256a65e276b7b57501003297289b64f9a18e9d0b1

SHA512
3d3a6d0c0cd9eca625a9d459d1c7a45ef0882a8d013f092573280f3ffced4610bbaf10270702ae36e1e0b57a57307f11f745b7338db78cbd8efb50d8e7654957

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
f48a6b2940ccd026c2d2cb9cd3e43859

SHA1
93cac9f12ea2a7f146635ac763d259b443c31b58

SHA256
39976a1c06a98ff96441cc05cb7923b73da9323fcebc1ccb32e2c5e82f58e219

SHA512
8d9ad37d612925df85f4f9255929434d9d11e67012a0a94ddec602d81874c6ea19c82544b87b83d7b1172a1fe911e67ca12b229968a5416eca5cd141c091f9a7

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1957d885dcb78085f2ed8a8ef7bb749b

SHA1
052017fe0ff9fd2756bcfc50f5d0f125672336e9

SHA256
9a0d29b9ce9def0710a6613bf0caaf7b58bc8d92277308b0ac71d6cd26ae2e7d

SHA512
cdd48cfef62155946922ce2acea99b7c29832d0380395b4b756c7d88961e3f2a23dfe29ff6606af1030d44efadf93108b42949a07e91dfa2cbe4663041a1c0d1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
5c44d0c81957a1e444c93c48ecdf2845

SHA1
736e8721f6bd39ce13773feb02b2b8a47f7932f3

SHA256
5447cca9a46e757e02613f802bf1905e465ac2e64d205504e6ee85e7ca5d0da4

SHA512
e66c6629ac09f6e3f4274e831fe9354f3d8bb8a63609b53266547fbef325ce16c24dae7234d22da242b7ba269fb6a07cb67005c7e349ea1fe00fe3923b046e75

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
155b88ecff1752dd30985639854baec0

SHA1
d9bddf8aeaf6b257bb7abeb2f99e91b2ca643800

SHA256
2f1cf60c216f0f5bd85b908f04b9ca471226e1580f9d2d58e49504406568c25f

SHA512
cf833d59f7ff2ede494627241ab438d6c81a78541fb66503a4c1833fec510aa9b3f53a135478d18d52bb4ec93744f8a91659105ffc4ff519f91f27113fda579c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
f474480a2bda539cea3a17c2e48658aa

SHA1
76746f7bd72a0957eaff4a62fe4b5f9f322b882d

SHA256
e7b93632f505f2bd20def5e3e85ce032afc78ad0a94550f2a361fe18fce5db87

SHA512
a428b7017b2a521605133defee4c6a20479b960bdd238a95309d228fc543047b9d9514a51aa098517227640324e6736e9f699e606bc8cfb912defd0793c71c8a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f8831b272acb7aaa12472594ad485d1d

SHA1
2646705021d8b35b29b5167269f7c38e80e40a75

SHA256
da23fc5a682cf4ff931ae446881359961bcfef235e8e6ff23c9cb1f17ae11fb1

SHA512
22dcec30c01c7a5bedb3820dd2363d464a345d7f369f16a1ea71c23a0a5ac72c687749974b8bc20d1458dcc31939abd882ad4c526df8b667fc52496f0984671a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
71470d1a2d781b64d92b145897f0c337

SHA1
32eb0ccb0451e0881e76ca83215a21d08a062c00

SHA256
4ee19e276a74ba492e84ca09be28af4e575faadb77b096f49fac9d708a099751

SHA512
0f26ac758ecdf4a310e51a911d7b8391e876e9803a69d9c862810cbdfda57261633bd4d0e1ec0c0a8151bc007832667aaa80c02fe944a7348c2f2a3c7344a561

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
cbeb9fedb22b20c10b553af1e1d553de

SHA1
c908b8e44d2fb8750f8ac59e9d80ad7499d7bf09

SHA256
c818ea8e2835943ee7aa8e98eec3871b9ecb6bf3b5b12dfcd4c018a134aae17e

SHA512
00494ce50e500af639caee286f5740790595adf345be4c0f4e1598ec704abff8f1130f4b2141de753b758dba58982baa929558c350aba5c98fda77634be1b676

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
57d275bb55f4d5301d338773ee893495

SHA1
f252c15fa749d150a602e2c1b4260467c23e5be3

SHA256
2977d6fac6e7057b63e2ba0c9acac7dbd1754c895bdc9139dd3f116c4dddad60

SHA512
61a421d04dca0a839badf5f02e3bfa9d3fccc75973988af9a2e95d5905f8bc659ea26f1af6b10fb850d46da1d1ff83081ee73e5b37f4b1c83430c0bef0512b9d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
2b6a4d5d51484bd7fd458be5a6f3cbd1

SHA1
4e6b8d8636cf3f8e7ce8e4f7a88de68a3c7ac019

SHA256
38ff1d3a3d7553395f69d9e87f534a48a3aa373c16563ed03845fd3552912c50

SHA512
b3b550a76bfdc92c6f73ffdc056002e3cbb519720c5f27832420097c7f309f0743de95e1178b38d0348d5af1befb17e05573a15132825492c985eec6d7d18585

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
66eb6d0df13e4b6c19cce4748f8cdd7a

SHA1
2a1526a94e4437fa72c6cd6aeeaee6d834bc0db3

SHA256
a58d64ad492250e5205c440d728c87a2917a268ec79333e629f37610e7d1baad

SHA512
c3d24700d52b1c201bd02dfd05999c447266f5729f17dbc0d843746f1abf3849a8e0089c5abdefa25c34c2d550609de3cbee2f1d6f62aa50c679f1b6ae29ae0f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
19356c84f138e7bee1139f2e22257c59

SHA1
7224763efc1072cd89b170894a5b9bf5a5827ac1

SHA256
6b75b5aff0523f82d04f1e674f515761a53e44df3fa3c2df42788826fd4a8faa

SHA512
1e4b3401332a55375b36a06156745b87205cbc4a10197c03f192b2c4e078c979bb5e5151ddf94a9db8c374afd16b21cf9593d304447464881378b6ed876369c5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
1ae95d420d9d585856291939e32d9f1b

SHA1
cf0a47068ef620bf5ebbb783521fb94a68775a03

SHA256
888c5659739a87d849240dab5ec6e2ac3cc3655b12e290f7d42158810763d9c4

SHA512
8289011be9eac57bbde2ab1a656855166a04f4a01d1ef0afd5d5d85d33351893545d00f8357a62b5d967830ad5b862d34159e30e285d5330c9376a5f2f540a68

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
88ffc793bd5c0ec83c9dacc6171b137d

SHA1
0a868acd0bc903ba9feac5b208500aa085102cc3

SHA256
04a3c0a4c5e766eea01d119764f8bd91df853c0b0acafbdb8249dfb414846cbb

SHA512
5cb3af392f50aefdb0344c35c69a638a909de012eccc58b1172b0a596ca443932d7d6490aad0657e09349d5ec63e4f2e68232babe92093a47ff165ba4750bf33

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
68c407d76a64fcc2086ff0f4bcf2cf00

SHA1
209398f9d0471bb5a6baefdc96591b7b11591cb6

SHA256
f33e2a5ffe1bdcdce38bc134619db58af203d42fede31bb8ecc869ef335dbd35

SHA512
f00e5397d575c266542a00c070553f31da1a4a9b098bfe2af531bdb94e9b553939828d249e702766f4577c08298183241f5347155a9e38fb448b243fc219bc3f

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
04662876394f0a290928a10710ba8058

SHA1
7eb64236008402a9dcd5e44c1247c11b1efe93ca

SHA256
f6895cf5d0e2344693d20c9fb30908f1c59afa7de1421c3a6001dc37cb3037a5

SHA512
c8617fb121df869ec29b46710390e476452ea036ff5feb5829086f79dd264db30db201c457d9171c4129d678349cbfb63bdfbf8ee492936554d09a09856ece61

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d7fb847fe67bf79ecd7e5901830878cc

SHA1
af93a5b99b4adb9fb15ea1af5c94e1f595958773

SHA256
acb0fd2683520fa8b3e8379994b027c3f82317bd91c518a31d40e465ca214dbd

SHA512
5b4cfc0ef05ac4aaa746255e1829e2a0dcd81d0202660877b221f24250ee7e910b4e6d182cb9502631ab61457dfc28ec7a840e769188a48ecb9d247c615eba2a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
562b185519d8d2ce58a1914653bcb5fb

SHA1
15a208da3e7654125740e6c568c73d3b716e1348

SHA256
a3d1dc8d5ebd6d611f0de3e58c3f8ce7419b04d7fca4f218293d85d23bc42904

SHA512
ccf93a0cb0f683854fa1806b68ad95ca03066f80d98a0be86ef73714fdfdee6ec9780860234d862c13d68ce991b94a9be7209e3d10815d4d3cc58c99fe76e9b6

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
f50ef487dced55a62cbee31676a5a466

SHA1
0021f3c5d04defa5c9d6c51cecac678fac48212a

SHA256
b60d82fb1acd792678c800749accabd91a15a9b9bf73d55ed6b35ff32518392f

SHA512
7ff068ba0a54317811ba89d9f4d1d50fd3d33a12fd8e8da20ed84a4677f10c9f5aef0f6dbd58a6589dbfb6994dd1c4f4e15ea55ed5fadaac917f9a19f83640be

Download Submit
C:\d163029efe1985272f2c\1033\SetupResources.dll
Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\d163029efe1985272f2c\SetupEngine.dll
Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\d163029efe1985272f2c\SetupUi.dll
Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\d163029efe1985272f2c\sqmapi.dll
Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\d163029efe1985272f2c\1028\LocalizedData.xml
Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\d163029efe1985272f2c\1031\LocalizedData.xml
Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\d163029efe1985272f2c\1033\LocalizedData.xml
Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\d163029efe1985272f2c\1036\LocalizedData.xml
Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\d163029efe1985272f2c\1040\LocalizedData.xml
Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\d163029efe1985272f2c\1041\LocalizedData.xml
Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\d163029efe1985272f2c\1042\LocalizedData.xml
Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\d163029efe1985272f2c\1049\LocalizedData.xml
Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\d163029efe1985272f2c\2052\LocalizedData.xml
Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\d163029efe1985272f2c\3082\LocalizedData.xml
Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\d163029efe1985272f2c\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\d163029efe1985272f2c\ParameterInfo.xml
Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\d163029efe1985272f2c\Setup.exe
Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\d163029efe1985272f2c\SetupUi.xsd
Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\d163029efe1985272f2c\Strings.xml
Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\d163029efe1985272f2c\UiInfo.xml
Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\d163029efe1985272f2c\graphics\print.ico
Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\d163029efe1985272f2c\graphics\save.ico
Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\d163029efe1985272f2c\graphics\setup.ico
Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\d163029efe1985272f2c\graphics\stop.ico
Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/664-125-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/664-108-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/664-99-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/664-126-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/664-109-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/864-244-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/864-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/864-625-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-6-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1680-196-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/1680-1-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1680-0-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/1712-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1712-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1712-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1712-37-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1712-226-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1760-336-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1884-208-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1884-20-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1884-11-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1884-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2008-184-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2008-179-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2008-173-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2008-167-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2216-241-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2216-364-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2296-626-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2296-287-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2352-114-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2352-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2352-121-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2352-274-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2728-220-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2728-348-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2812-347-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2812-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3324-312-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3384-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3384-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3616-264-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3616-581-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3920-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3920-311-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3924-280-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3924-161-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3924-150-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3924-156-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3960-276-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3960-622-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4184-632-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4184-360-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4248-627-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4248-300-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4820-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4820-349-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4928-197-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4928-186-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4936-231-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download