f224e138e7a07c00e2e8b05eea4edd14779eb402d9870d6b969b54fbc65f528e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Size

5.4MB
MD5

35de4859dfe7b39378dafd1b8f2c5950
SHA1

ffb9e74ef2b8192054fc1c99d86edda775c2d435
SHA256

f224e138e7a07c00e2e8b05eea4edd14779eb402d9870d6b969b54fbc65f528e
SHA512

d2607592f14dd2d137407a5b1b7c330e0934cbaa759c92e40b93920d4203d0eacc361d6ba16482f78765d459ba13ce4ec68c7d2c7d280f275d990632adbea4ac
SSDEEP

98304:/uLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0g:G7wq1W6HqULS8djZDTaNNeCKVP5ORsgj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
1952	alg.exe
4068	DiagnosticsHub.StandardCollector.Service.exe
3332	fxssvc.exe
3140	elevation_service.exe
3528	Setup.exe
4076	elevation_service.exe
4616	maintenanceservice.exe
1568	msdtc.exe
3396	OSE.EXE
2944	PerceptionSimulationService.exe
2804	perfhost.exe
4768	locator.exe
3956	SensorDataService.exe
4720	snmptrap.exe
2964	spectrum.exe
4104	ssh-agent.exe
3628	TieringEngineService.exe
4756	AgentService.exe
996	vds.exe
2272	vssvc.exe
4668	wbengine.exe
2368	WmiApSrv.exe
5116	SearchIndexer.exe

Loads dropped DLL 5 IoCs

pid	Process
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\19fc650b4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc882fcf90b8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000519961cf90b8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f21617cd90b8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067a6f0cf90b8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecab74cf90b8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
3528	Setup.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeAuditPrivilege	3332	fxssvc.exe
Token: SeRestorePrivilege	3628	TieringEngineService.exe
Token: SeManageVolumePrivilege	3628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeBackupPrivilege	4668	wbengine.exe
Token: SeRestorePrivilege	4668	wbengine.exe
Token: SeSecurityPrivilege	4668	wbengine.exe
Token: 33	5116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5116	SearchIndexer.exe
Token: SeDebugPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeDebugPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeDebugPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeDebugPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeDebugPrivilege	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
Token: SeDebugPrivilege	1952	alg.exe
Token: SeDebugPrivilege	1952	alg.exe
Token: SeDebugPrivilege	1952	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3528	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe	87
PID 1608 wrote to memory of 3528	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe	87
PID 1608 wrote to memory of 3528	1608	35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe	87
PID 5116 wrote to memory of 3172	5116	SearchIndexer.exe	112
PID 5116 wrote to memory of 3172	5116	SearchIndexer.exe	112
PID 5116 wrote to memory of 3180	5116	SearchIndexer.exe	113
PID 5116 wrote to memory of 3180	5116	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35de4859dfe7b39378dafd1b8f2c5950_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- \??\c:\b5002b50f3f331fc6c8898157fd2\Setup.exe
  c:\b5002b50f3f331fc6c8898157fd2\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1568

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8b5e2a1303a13239bb2f008b7c9ac982

SHA1
c1c72d346f1847eb9a6cbb9b1945d5bda94d96fe

SHA256
13a39f9777eca267913e4ee2866f70e73204c2ed2afd35d552a6f4a9874b8799

SHA512
deb76ed754c492d6b2853b73a4909de198c75a3144083579d22510b6e04a29d924c1020c8a470d5ffc1d57bbd64f91bd50445af62968dfb8eb92e5aea898ecdf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c40b07771a4088d2bb24338c903204f6

SHA1
a7d414aa8e4b1ce57a9616c94ea89538de62032a

SHA256
34cf53e357ea7aff6734cef3c2542e188879e1dd928a2d79272a615ab2118cfc

SHA512
bde56afdb79eb038efdc13602fd6c30802e5814a418ac883bc599ed0f7ac957a1ac246d7d33c4cfa24f5a16c54617004aefa3a6ed5b2aba0b737792554d390cb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a4a4a4083965cf547897df47b1829602

SHA1
e2f6284bc33077876d35bcc60fc2f39a4731d8a3

SHA256
4b65b4cdf7d494b544f4442fd3819cc666ffd8258b1edd9cfdba9f3390a779d9

SHA512
52bbeeb44e318da55adbb096421f54c731b12b2f1fee56185d9f6f7189fb89f30161febe634b17915208942c078feaaebf82b69792975ce9cd30dd015efa62a5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
825580cd217185299b4d887e31fa935d

SHA1
536394769d2012d3709927848222feb5ddb7e1d6

SHA256
78a48e137a93d30d2f2bd7cbe65f7c3f52d52e7c8af254be2f1f3c44a5116a7d

SHA512
af8271aa390450d76e110bb0d1a4d0b01ca87426dee01de0aa13789443a05572a230646b36b4c4b08e5840be136a29cb21e4515eae0785a0265b0bacbf4fb015

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d767b58708aeb540f84f80ec07eb0abf

SHA1
5aa1805d637400b975f9e4cd23112b0c48bd196e

SHA256
3fd772d7728253fcdc8995ab077519884bf797d6ff71e86a01e1bd3b90283a43

SHA512
7b0d430d3599a01c7254c5b217386dc9eb6b72930f84b57e912f7aa6f9f6e147358ee4c75992d19649bf43bbc54c09a7e3fd87dc369fe918845a5c009ce0cca1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fd020a86322476ac3b5a36762efe11b3

SHA1
842d6923190cff4cdcc7101154144611aa7fb57f

SHA256
c1b1cf2849dda814dbd0691103c7b427ee07de197f33ad8610793789742a8c41

SHA512
d4f2b1be5573ed591576dfbf3efbd6c8ae3af6b11ce046b17a13dd433ead6fd82a5b58585ee0847bd64320f75823cc3ee1e8e1942c4b886e2d320c12260a0cc7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f7461b8b97685185627702e0da9a0590

SHA1
d8597bc1554f51dedfd209484d20de94b162f8c7

SHA256
23dc6c2c8336f37e746fdf5bd0882f827a8b9b2421c6a14e4c7005cca6961d65

SHA512
c66eaa10bbdf663d5b3df19df6215534bb842ccc3e31797b0d5e8ce17858dc428b7805b6dd140d6214fc3a3d031659c2e54b8515f937e774e55fec996370d747

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
66fbf2464f2cfa23ffc66101051df1cc

SHA1
f6b21f1886566e1234d13f0a4cb937dfdc3c7bdb

SHA256
2f231612b214ce3f06d64d0c289f24dbd458c4f816b135cc71ebfe4029817dad

SHA512
67016a0a6d27c011964942308ab57d39d16948388a4b4e1edb0dc8fd70c2cd1c393b3013af2a42240ef7619a89b9cea59ae8194ac2b646944f41d624defaa99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI3AF7.tmp.html

Filesize
24KB

MD5
7cb62768759c44040275881a84ab39e3

SHA1
336d2eca2bd07bb7d8ff5d2a928049cde8fce222

SHA256
d74378eb98cc4a9deb0a461da85f48e84316501acc154794682ecc49ea847190

SHA512
e2bc59dc127de43a5ea9bb2835d84f8eb1b0bce51be6fbbf36b52a3049e02c0fa1ebc6e5370858b90fc5b7e8df304000ba96fc0931377787b49d8f20e05e2ac1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
56d66c61027d4bc55f529f4c99bbd8b6

SHA1
8dc8868356e880f3838f75368bd05df32bbb98d3

SHA256
327be276418efd27201a5400778a6f0b2d1f634d1e2032ab1f5cbf51c3fddf8d

SHA512
5006e995d8fffca859001bda8dc8eb1f4d6a6c16a9259b31239a45556b11fd7215d9e3e10efd81e9e950e3738e8560b6d0dcaa7ef3122e613a7544567156eefb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5b92bcabaf1ad3027bafad813e235f3b

SHA1
278de520958264670ca6f2dcaf92f9a9890d4a03

SHA256
c2b6d0c83a33f9470d1e5e571734e6463c91e04d11284a6da690813e8741c2a4

SHA512
e3800f6d4f8186f00433fb56439416303b11a2506db7749fbf249f9129d19d4fa099af8760c828ee1707398406bb8da53b2f0e7db5af86fb2b982d0a58210730

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
98ecd12bf8aa960bba9eb0afb11f07dd

SHA1
6907fe4f88d7d031c76df8cc92fc44f704c7588f

SHA256
9848cb54f4eca6680e870fbd9914378d84381f73adf04f1a2d38851187a6c1af

SHA512
846532e4de57a3ab1801c6b56888aadb7e57f0ca19c5eb5af00464a075039d4c1656f3399d5e522bd15731bad2779f054b2cb4f47bb788b6a6569f1f83d3a5f7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c3b3fac4ab577b9d12ace555c67b5b8f

SHA1
29efc9d50017fd21f6772dd633d264a9838cdec8

SHA256
edbfb3be5d502cc2f822d230d207487aa83243e111bf15ad256b6ef2a05bf62f

SHA512
2f35d5285f9808acaac6408e5428c10808a5ae571340302d20ffa17e5cf8f158afd4927930f5cc17c5dfbbc50a4e1c4dce217d99e36b92c7a3d5cfe67aebd61f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cfd7b4ecafaafb5f55b78927bcb70a85

SHA1
ac4be953cb414f1a9361f4b3462c4a7524fc6367

SHA256
3de9ad3188af66b72d846f0b136cf894195123a33931fea14932ad89ee4a033d

SHA512
829e7583bd20a2af4380dc7ace263e1a3536183feb53c6960c571fdba2441adbce8ce0deb7b8e2e59d88b75e6092af210e3283c0abeda2247ac90964d32ec40d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bbcac76efb3a9b0c2587b4a8b136ee49

SHA1
4ba2bcd7853ae7d82df04bd94bb2537cd38c1238

SHA256
892afa10ad9c487de30c69102b7f9cdfdf9438792ffd15accbe8444940913bfb

SHA512
34ab4b749e9b0d57ad570101ef132a544c605e6c9a0d95465cc369934104460da52a28c313a495748aa33070e1e0cb13f6d90981322886710052a37f9347f56c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
abac079d242e8e742b18acb63448128a

SHA1
3ed4ceff661329edaa83f7b870a39d741dbfdfa3

SHA256
d9418254cf7304225e0af305a6cdd20b90d9f1a209146af59718012b4494c7b8

SHA512
5648b89af7ec24f53c396bbbf83fd957af70c7ea281f3d8ebd4fb7cb99591ecd4bd7e2d9817ae8241216a7de20e74a5560d2c2b9ef215591f154404e631d2293

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bf6e8bb15f4dd82ce6a517430e3f6d63

SHA1
ff8f2d2b950acc0f15de150c3f406f1a4bb313f5

SHA256
77acd116f0ab55148babc497fbb917cfbf6292f676951659efc306e875e7ce51

SHA512
99efc47679dd93ac89ad3e99964e079e38d119a6dbc8fdddc67ece703c588602b82bfdc89edcdefeb0fd92eb9f8a30480a035dbb807c1efce6c3459d278e97a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c8165f472160ff1af5050487b7317abb

SHA1
0d81ac1d864ff61ac2b9ec6a134efd00d83421f7

SHA256
d67f2a8e6118efee31905c41fb79223c8eead16d0125447090582787fc7be0d6

SHA512
304512eb56675e97a367bd27da938d0f74324a22a4cc2790d464b40c0e23fb1713e26a1c389f83e2aa51a1b564250371e18187f7a5e767032c711a9289228f4c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6737d83e3c2d4fa0437f6295dbbb5533

SHA1
192b07e56c4239a50fab16411f81c0f0ed474eab

SHA256
efdc374587920a5457085e8b697478b945617dfe3be02ac8873c33d6908502cf

SHA512
3f66969a1313597208ab0e4d8ceeab978d7035515c0cd81e93920b1ec86a8a73cf05382d994b6ff811e7256c5a7cc384c2253c2f9e93b3ee32c69382ef4639b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
597069c03622a27b5aa8e4c461abc299

SHA1
fa4cee2ad3af6f6177a18ca7b63f8e1d9c94cde8

SHA256
672d1472d93ff23f2226f534160f9ac79ef2acbb3e1d91619ab815250f317b57

SHA512
4b57a3794274c5a89cbc348bc34e32273c6768e5ab93a0f6d20517746e71516d1f1b64f98a4aa3fa6f2520cb1e25cfd416f6f94a958daed76ef23d97c91d5f3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0100707baee17e1922a8f597f22dbd06

SHA1
06dec035baa91266ea321046d6880d8548cbd9c1

SHA256
c2ad0d79b03d8ac0c1da791d0a5c44b50c86291a0732f14e47a255763b921542

SHA512
b639c820d421f443d8f7547d979a9c168f41a35f52f2c055439b12df2b549609709b1c02990db579bf58693250709e49442a7ccd944535ce02586bcb3973626c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
eea28b1c3342876c4b7e898bca24ca5a

SHA1
107e33bb947846bb5d8e0e1bfa548b9d01cd780f

SHA256
134a706eb384274d15a3e96c3f100587842fc9b43d3844307df97b99647036cb

SHA512
954311191aeaad4640822ab4a6fed848585a642e4948aadea202b08b914fe083dc055a2fb993af8bdced80eae67dbbda7d48308688fbef0db6354ae19d573ba9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ac7c201385d02b6bcde36ae319bcc54b

SHA1
b5d831674cb6aaaf150b3dd49191b42f9e6046e7

SHA256
33b8e0cfb5c9c99c609e52962aeb9bbb6c0c722b8a431a9ad7e8ecf704f63740

SHA512
7040c67fc5e8c16aec45708ff6bc50c09caa7c2088fdb6a1c5ae767e703429f753f8e084bc502ad236d9ee76e8081d8460b3244d00e9a399779428a2ff5f6b03

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5fab90f541def163cf1d46ee3607f51d

SHA1
8ccb0a549760a7a75cf8549ff84e69ba08a89aa9

SHA256
4adbbdd648857c914d990e77cdbca45860757b436af22ce964726292fa6228b8

SHA512
aa65ed06c7a89ebf5f6788bf8837f49415d4f48ccfb00b2db267741d89f5d9924ec5ccb531f1945a5685ba245b94d0cc3a0aec1a63efdcf4abfd2ba8c3587574

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f17f7c873597de0c045e6060b93f522d

SHA1
129111710b58b146b6d28855e37a4963a8b781f9

SHA256
2640375585a6560ee285b705fea61f419b36f46fbf1fdb5ff23dacecf2cf3ffd

SHA512
60c24631c162528e94cb04f9b3027e6a9f0084c8ae08da6c47936e9bd05287a2b6af011dda890675adde705b7ed601999019ba1c16dc1db787f41e8115d67272

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
09c3084211f77ca60bf249ba6635e395

SHA1
3330d3615f64c0bd6235c6d118405d55970f9a5d

SHA256
aa1133b3c38a89135ecb90e7116b4b4957963cab82614a8cf23714a42eddd7cf

SHA512
799bfb2086c7da52d0d032fc0a48c5040426a5665dcc0f2a6cbbe6f9500fec4d32fabdd69348a1d62c26527b4cbfdccb444453096df5df5d11762dd7bfd601c3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8a8e65a0a369bf7e3d5e2809bc44de47

SHA1
53f977abfafeb4d3f3373f0a1d33ac19443301f3

SHA256
ac6457158a387d5f37079fe8dd7a1eca70311382c2cb1e3633cc18567ef6c1fc

SHA512
ffa3375b435027db9593c2030a8b082c454fda5d935fda9bf7aac7d5ab78125ef6600bbbc551c186177b7657d6bfbd4b2541dabf25e3bc59496de8c6e6f22f64

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b170f714bb5046ddc7493909b5699426

SHA1
e770b7ac3a5798422ffa632bafe7f74b81dfd891

SHA256
66486fa305b913fde7228f03ca37d64275efb2f8dc71501e1431b12aa47f87c4

SHA512
201cbf8bc69ff07b73eb5e08938912d4514187cb54ed6a31e4aaf0f621b69630810b4e9879fdf8e6e07a08456c445ca15e5329f28739c3e51955a1208549044d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9b04a3690a6c844f6d45bdf54d8aa61e

SHA1
d46a30aa5fa4b0dcd25b2c0d7364370c61c31e65

SHA256
29369c57e78c87ae2d898d2c829ce5d80e3ac27c5c5eff2e6d59111dc4acc4ab

SHA512
eecf7558ac380e8ab8db34a5fa386559c3aae674a7c7479d2141aeb364dfcf754f85c1f630178c45084ba0d7b90aa65db2ceb2d72f3ae3579a44db9916353850

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9f6759e186c3cc941885a4d90697b372

SHA1
5b4ed3fd0b8cfcc6d8a0f3e3f3104fdde54a997c

SHA256
74f11e4c5db5c0d22090428d4628e1de6dab4bbb26528fc3a390115291806e0d

SHA512
2c7abc282d0437b7a212dcfd3cd40256baa30fb0f114f2dc3bffe7eeb3edc158b962ecefbf735c71b59169077d1cbac641b7a3e0808c7c4467056b2ae25a7f94

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1028\LocalizedData.xml

Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1031\LocalizedData.xml

Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1033\LocalizedData.xml

Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1036\LocalizedData.xml

Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1040\LocalizedData.xml

Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1041\LocalizedData.xml

Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1042\LocalizedData.xml

Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\1049\LocalizedData.xml

Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\2052\LocalizedData.xml

Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\3082\LocalizedData.xml

Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\ParameterInfo.xml

Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
\??\c:\b5002b50f3f331fc6c8898157fd2\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
memory/996-785-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/996-317-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1568-302-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1568-178-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1568-179-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1608-2-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/1608-8-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/1608-0-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/1608-176-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/1952-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1952-225-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1952-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1952-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2272-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2272-786-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2368-358-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2368-790-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2804-230-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2944-328-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2944-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2964-584-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-276-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3140-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3140-274-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3140-121-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3140-115-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3332-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3332-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3332-114-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3332-83-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3332-75-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3396-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3628-784-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3628-299-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3956-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-372-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-783-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4068-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4068-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4068-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4076-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4076-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4076-275-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4076-150-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4104-280-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4104-780-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4616-157-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4616-151-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4616-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4616-162-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4668-789-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4668-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4720-263-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4720-571-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4756-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-303-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4768-232-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4768-351-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5116-791-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5116-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download