e91173ab0910c7d4bd9c7d6f07a6b2c00fd0b99e10fb2cf28e774be8d72a1215

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
Size

1.3MB
MD5

5002d401362894404cd4b0e10197c920
SHA1

682e6a8c3ef319b80c40be4f2798bdc8ceac331c
SHA256

e91173ab0910c7d4bd9c7d6f07a6b2c00fd0b99e10fb2cf28e774be8d72a1215
SHA512

244022613651e87c8b91ad0e033734656a36f438dca2bc514f39774c34d9592fea14dc29b260c681335e8759ceb9bf15ccc86cd9304a5f6342332dddd280292a
SSDEEP

24576:3kuKnonEX7bHsMQ4/O6yMLprOInyT/Swl8Mi9:0uVEXvYMLprznyDSga9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3176	alg.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
5032	fxssvc.exe
4636	elevation_service.exe
1604	elevation_service.exe
2060	maintenanceservice.exe
1844	msdtc.exe
4172	OSE.EXE
3740	PerceptionSimulationService.exe
2836	perfhost.exe
2684	locator.exe
676	SensorDataService.exe
2168	snmptrap.exe
2368	spectrum.exe
4792	ssh-agent.exe
4348	TieringEngineService.exe
4756	AgentService.exe
4976	vds.exe
912	vssvc.exe
3040	wbengine.exe
2744	WmiApSrv.exe
1260	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3bc1d6bd293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000905d223e83a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000960d333e83a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000201f653e83a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000276d733e83a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb58254083a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cd2373e83a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ade54a3e83a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4636	elevation_service.exe
4636	elevation_service.exe
4636	elevation_service.exe
4636	elevation_service.exe
4636	elevation_service.exe
4636	elevation_service.exe
4636	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1420	5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
Token: SeAuditPrivilege	5032	fxssvc.exe
Token: SeRestorePrivilege	4348	TieringEngineService.exe
Token: SeManageVolumePrivilege	4348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeBackupPrivilege	912	vssvc.exe
Token: SeRestorePrivilege	912	vssvc.exe
Token: SeAuditPrivilege	912	vssvc.exe
Token: SeBackupPrivilege	3040	wbengine.exe
Token: SeRestorePrivilege	3040	wbengine.exe
Token: SeSecurityPrivilege	3040	wbengine.exe
Token: 33	1260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1260	SearchIndexer.exe
Token: SeDebugPrivilege	4468	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4636	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 5036	1260	SearchIndexer.exe	114
PID 1260 wrote to memory of 5036	1260	SearchIndexer.exe	114
PID 1260 wrote to memory of 3968	1260	SearchIndexer.exe	115
PID 1260 wrote to memory of 3968	1260	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5002d401362894404cd4b0e10197c920_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1844

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:676

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4620

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e038d4cf1667bc2503937ab830699f0d

SHA1
5d53f2d6c517526454ce8de0e4533159b24fbe39

SHA256
1792bf4cc680480433ca09256cd41f2258f158608694e2fb167e6d25aa034adf

SHA512
4600fe6fb6413b100724b09262151bc75e16caaea5d07294502702f339a2fbf23c4cc6ea6a8e857d916da8a0b521f36a65b2534fb743aa7473e5f496665c4dd8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
18a170e1e5d612560648daeb5e39e83b

SHA1
0d6d2a3050f7275f4c7f07114ed341587b9d6b0b

SHA256
eb81fbf2b427eb1a031e36355df192d1c2f738c60e04535b9f8c2b052e2508d1

SHA512
4dbbb71ad1cb2772531caf4306d92b1676707ee56c8641481a2340ac4cfdd3a2d34e4009791d9afe8aa2a080e5b9b9ef7e53452459576b24ef93db7d4a52c781

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6b7bd6444293dce96be1396e7b142510

SHA1
71a42df40884f6ca8fb9c101ef1fcca5de032681

SHA256
7968f133088663b7e74154ccd10e72e090e96d69ba471aad07232e91958b7a9e

SHA512
add77c1efc3b734993440f26f159cb596ef42dd0ce6992932a1bf6e7a7cc5a05176b2620fc345d784e1983c8b37e525a31e9486472c6dfcdf3eab3c85062269f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6ce488d1488288a8f6a6ed3e36f798aa

SHA1
b20a5e837c35da6e09914828af1d367058d413ea

SHA256
1557c32568fe246e5178ff0c17dbc93650d08275949531d4987645b22c13db93

SHA512
7b27fc2368b05163b41f745214855426660ccc531276b08961f74fb4650975d7ee3458d524e770355cd397433c615ab0fd7cb8a686a8035cc9ca9fdf3cde4d50

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
478ad8c7cf4876b637bebefaf444fbb7

SHA1
378aea11f943f7fffea3e8b61a7ac24db92d15f5

SHA256
414b2059844f8e993fa080ff8e7d081f5707f82e0bfdc443a92f5f620a615776

SHA512
3db250fe5eea6f8fef404c170c8ff477e89fcb0fe801f6f35fc23b1307ec0bf587a0a11e92cd9b6137d2ac08362b2ea7e2616abf49c5eea39750d6aef2b14ae0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4206f7cda8b59c32949279c501545f7c

SHA1
f87302acc3b1df0b579850dcafcc9b5fcd0537d2

SHA256
b154ca5faecb61d92e363102a440394489243282228713e3413a7cc928004b70

SHA512
c2a264a9b92c3578854733e3f2d762a32da4b932d0aeea80373a9566e3602bfa03a17074c2a85a66a81ee7454edbaee960c1c3b946ae756c3d19cf6318d065f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6c8a254d4e0b616c37d39f8eec47c4c3

SHA1
12e3827e2c99500729a9de612c9f2e2b662cdf24

SHA256
cd4b328b43ee431a792aff2df9c677278daccac67dfac0d9300aacfa91bdc6f7

SHA512
346e7d63b885a2d4e03df54c827042169a4696e2f901831bc68616d8221f93c364ad2c4e41e2dbe2d053a1d5fc679f08178edec34588cf4be583f08a3525b0fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6c2cdc21f0d5b26f0b612de07789f582

SHA1
2a1db02299b5799facc66de17eaefcbdd54c6b7d

SHA256
7167802437b91f467bbc882f7f117f4b0b3b97232129bfc3621c63c970917924

SHA512
3aa7e94319cd10ac7b47050646b496e3aa94af42ae54455740e21edab25d3efc7b3f16fcc70deaa4ec10bad2c056a6c224162f35604efcccde572557b7d606de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8181fdd3e5e6cd6e6f0823b9c71052e6

SHA1
6b74cad1883a52ffb800a3427c71b2d72830ee96

SHA256
f385867774be771ee7796bbd575c1dba250435f4331432f4888e308eb6fa3c33

SHA512
ba87c695f70a4b32d4bb16a64559b54fb67815fddb2251c51ec48e8f164de8c0b030f91899c2007035c290dcf5cbe1b994832e7a7155e293b37600390d9a8c12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d9cc084742ad2ba0074bfbf9718765ab

SHA1
6d736b2bb1c2b0107ae38cd286bfd867fb1d2e0b

SHA256
2f835d1a868af733a1091a19e505e4571edc19ff93f3ab6f52837fb1e9ad94e7

SHA512
7d12d5e173a3d8405167d5663a445920885b76dcf2fb0eaa9b46b2e00e744a10ba73aa20904b23e1109360ac789497e210a41a0ca43461d8c02d33dcdb4c76bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4b55b02fbe726b15825a14740e6a039e

SHA1
c10a2ff59d5309c77a5571e044f22390a3554eaf

SHA256
5ac3cc39a57aacefc6f738a3a3eecd88a9afc978bb20b83d4e3df67407d7e0b4

SHA512
07af33799ac5f6f4ec694db9f4d0e1a2b1d6cf51fa1a65074d8f5424372789f5fc01e88c3c52db449397b95b3a8262e2bfa7fb5b482f9b52bb71cf9619400752

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
36ca3c7a777f8af5ea1924ed8005ec3d

SHA1
678084cecc364bcdd1d082203e71286e95705100

SHA256
40b03f8cc9ffdbe7c59da04597bf6cc4baab4260c67a38219a78ec84a29ed6d3

SHA512
d8d8440cfb772d3daf49752e2f280ef06533eef1d2e847c3660ec7eeb61e8bb8a2eb47e67dcf29d97b197011894835f002af9b1aaad59ae531915b7bd71a0de6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a35185f76e526c6618504d1348c119ab

SHA1
0729a77d99c45c6ff445e597c2a824f0f2210b77

SHA256
d43a391ef21a35e37c6dc8f867567c93118dbba45a5595d1d4f43558473de8f0

SHA512
9d5e902c5b27b1239e0164b054383671174314dcac47394c3f21c136c33cb5dcd6966b4187d9006912e7165e1306ce434152b2f4dc4de1a66820798eabc305bb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4a310814eee5d8736c36d34957361351

SHA1
f91847a7f29b6c41378c41496547c5f3b8cfe74c

SHA256
39171c3d0ed6997eb4066b91da8175570d1173ce6a4c0e9be45ad68520264d80

SHA512
48db11d1296f3492443a442dd5a4d8d313099e5bf6cf89bae0f3203c02cdac3a42fc3dc1811aadc28611060241dae5163978430a6a57f8ce081e75414bb6cf53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6a0399bf0acbce43d503219efa7f5875

SHA1
e68f267bcfdd8a1b1256a3da271db6b36280a651

SHA256
303dffe2934f59b3e1bb981b54b6db6d5edcd14472bc7a5d21456f86edefd872

SHA512
6bc8a140b9ebc43f6dd3fe28af9e7d9f52e54810577bd44b269053d13f86a90468eca0ef8394b7ce9d0ce90e0bdf84b0227585a1c55470f3228293825ced31e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
deb8131de24a5825c4b3c8bf9587905e

SHA1
d2b97ee49936b946221c583d92bce6656af169d9

SHA256
5ae6d7dfe19dee45c25808d57b10e5337d5861867eab4df8d1807b7e7697d653

SHA512
7567db37ce072dcaa807e5615a0c8a9c85a7fcc9b60d7782a9b87e520e77a113493a361d6f44844df219a683323b4c2d0019bb35c0daf25dd3da40e723a62567

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e7a2ef2beebe63dc2fde35409914d09a

SHA1
03d341e4bd334aa721d59163a62f4cd94fb6721c

SHA256
613fd529ff1b95986f53dab3c9b9ad55fbaa945a4cd2fc2cfd9beed6fe902ac3

SHA512
437a5b92499dbd3bc94db4784583b6ebc447d4db216755bde348151f37caa98b0d8325b8d11346e7d1ab73a14a870812d7fc422d8f5a5f2d7ea236b9e2804d2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b9e473e9c0815fbbcc3d4a46e5412299

SHA1
d35ac42886caff86dfcbe13b10c23961c6b5c09b

SHA256
486a3459e08daa7c77e209a111a96d9c34bd11ac691d47c07f472f1d95301cef

SHA512
9127869d141b5d6d64d6e2c47afec692f3f5fffefcfed74121578eb5f9e92ed1e1a86d8b2fc9a80e02be38d7e4dcab2b55a8942eb1584388c82a3a8199c5123c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
acc9c93aab56645da7203fd27301cd07

SHA1
54edce8d6bdbe06854ee555f2f9f524574110a3a

SHA256
83e78975d950999824ca1fbab7f539e2b43e2558742ce855f19599062544a21d

SHA512
24d34ba21e6d532b1cb8e1e42610d90e8599d22744c0a644dc18eb353f12559a98bec70e47bb832cb787b089ac2294934d8a267d7488dcaaee1d8ffd65c3cfe1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0f4c72ddc8bc03730fb4cc074e029591

SHA1
c8755b7398a39fe54975784cac59af71f7d7d2ca

SHA256
8364a24bef250049db8d47b05a02b56dea0ddc605f19462a5c24ab02cf46464a

SHA512
98794e044816a2439cf58b025943353aedfe1e9aa3b903b19e30ecd6cf99209945c55fe2002d9a940d1698d7287803742f7007f82b85c11c3a2689fa91527eed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
86d2658b864390c781e592706588ce31

SHA1
2f30b8cfc33f6abf11d562073fa703d17322991e

SHA256
cfa31e11087ef8ea21b3447349134233d55b1899a52cc5ae98ed7fd580902adc

SHA512
edec90eb409ca0525ad3bd81b413954ac3d51086c26ddfdf617ae5471e80df4f4c377b506839384cd34b9f7937bf41b2e7ef2778aa85b2da76073110aedd1962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d060b4727a8fab15c94ffeb64c0c1d02

SHA1
50b5d2d636d5c97ac9033a0a81556dd23747b5c3

SHA256
09b331af4a38fd11c1962d299cde1f748564927c7c9d259ff7bb48cf53354174

SHA512
4c386ade828e48a4d109f5eb2decd2c72bfbe303dc1bd258e7c4e54ab2b063f323250e5e36343b57ac58bc91dcfc42ccd584094ca1b7063445803349f850ddcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c3900a9be4154aa750eda3b5496474a1

SHA1
89335efb99843b4d80a5062def841c07f7307544

SHA256
39afb53da81bfe1a685f205c0c68ab0110077b75f441e4434571213ef73af37f

SHA512
d2b5af88a9ad13b409407ad9c59c16e393b0f4ca350b8d7db90db65e5fa081ec4c22ebb256faae66d9b932d3670d7872212525bf793220f1b21d6ecad8f30d71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3714f4e70e9d1bfbd8ec36dcfe8fa424

SHA1
0feb841d8281ff66d2b192113386c36f0b883e6f

SHA256
df1325488711ec36c7eea3d56607c851b0f8edb7281db2ffb9b6c4b29f80dc97

SHA512
170fd4499fed4a4b7092e21c09a4e7b4d8ef2778b9fa35ae36fc1e6ba488c01c309ebaf7262f9d69db2f26369d6d9e836686c9fcd96d59d115bc0310726b6770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
be1d8a24157bfb16b618b31c8a3d6859

SHA1
011ced84f70b4d6c202308d25e806bc4d6618d69

SHA256
301502359004b1865b36399d2df9a11a2e3393d661d105a39757319825ee6062

SHA512
0fef45c190e887386b42b94546d9a5153d22300c5873c907026e27d3ec554297f94908c89bb56569c2566788ba230d4ff1b43ac50f9d3741b2824c53ed8f486d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a5a52b7910830dd94703220c2de3133c

SHA1
d2096859766bcf0d93c5b3de5cd4c39cac84aea8

SHA256
a5be7cd2eeb80a2a2b1e770dc95acf4d4f6647c510cbe9a9266fda694af01775

SHA512
3cd8d1bb38e085f858190136c7b2203e89664c44719ec7ac8a66f66dca430fe69eacb9cf323fdc6c3b850310a2a654c40fe049156407a06ad3c7dd0fcbf8ec1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
af9b330f04da7c1be61e3d67357aeb77

SHA1
18986ac745802540d22350ff0ddf5ff65d4960e3

SHA256
d5570f3e2f80ad6dd07ba25fb18e451ee4a38bb08524bc56230bb3c3fd5de4ff

SHA512
553e3d441221e68071c5237c7342c30a0a13e93791d0a075e06e15090a69bcafb743603c483aece50fde7f9e31e343efdb296516e2ecd6a464a4be6a8e0d54bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c6c3e443afc4dae50534ad1bb6863aab

SHA1
32e3b06937e26e557c44671c324bfd1ba215deac

SHA256
85a20e940a0590530cd7e6f7fbfebc66da7ee41e64e9647a87e36047a2ecddc0

SHA512
12bd61661d3436a3bac2b2c94086ab3eed9e6fdbac668bcaa201549372e0445bd34b5780845c744682de1de28abe89c7a5d81e49e1ef2253d167547d51a71b7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e30a37bf20a1745c4c7be72901a96086

SHA1
b48494def715314afe39092dd3e3d5afe8fb43ef

SHA256
f450cdd3cb7bbfc45761089eed72a2a2ed43d39475abafa17a42c9d0667b70a6

SHA512
1048a22b18821df89477d4b609ec7f4dec94c068aa6006d6953a5a72af91d766759c4540ca1fb2371b0303c0c7a8345b3ae9bf0cdaff8873a3a69e77d24fd017

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a87f243d4709a338a9dc6402624ce128

SHA1
2ecd6d483898e75634b872c12cecd0eb6ecd1532

SHA256
3895015165ad7169ff907fb4d28fb864173762e506bc931d4c64a58df811cdca

SHA512
f9a93a5942d698dd8f9ead22122338af5dd38ec25b459a68bc748935a56875d84ec31547dc17063ed37577ddcc760872c1384f2a7efcbb46ba68c1b12e294b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9c4311a55da1a6a28f0b83c28e28e813

SHA1
baa18b4f91cc17d18d00ad109e858dedf3db3cea

SHA256
f3bcf68078b2c31a25aed1a61695c77b0f1528bb243333d2b661fffb6e5dd9cd

SHA512
99efb756cdab64b65cb7ed1f680b7b9b44b13d10eaaeec615345fbc8cecdcc0320aa6de866097663c9949513f2e89af7887394edef2d9ef6bab9d423b42e0a82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
edc370a836c6ea0c8d2f40ed8a373ae2

SHA1
a89364fec194ac3a2e71413ab041651289aa6c68

SHA256
dcfc4ec85310bd974afbfa501b84311f7f9439c2b963f28ceb2ece1161de9378

SHA512
adf7a19fd9ef9870d6514a56014499fdc9f532ea2a7c41493cd84172291c1715fcf8371893bc4510d7134e43d8a89b1ff08c8cb744682516e58d3aac45f462c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a4a71892d975010b84e74b5804bd24dc

SHA1
cab71e7c6652fa17a23591d312b8180052155a73

SHA256
6031516cd3ad5073ae9e19f52fcebb0cc18ff03c675ea412b3b054c58091bd01

SHA512
f80229a210554ace374a1ce3651f6c18b3d4829079e356998ebc74615343b8070e023f34cf883edb65110aba01ae13d2644d16d992fb13a761a0392edc983f43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
54c291005585fca53cec4817009da2b9

SHA1
bbfd2cbccdc5b7cc0dd44e0ccc6af82ab36e00f8

SHA256
2acde64e289a8db08f69e8b2ee0276640871b0a87a01f5cce3af460ddfe9f1b1

SHA512
947a4693a358e93602b9deb7250b4b5ba00b9deaa653e829c03a6ea42eb158f368959d5581397b2f7ac6a9307879d55c3d810d6d29a72c95f2a236b2bb35c95d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b0e660cc8cb99b82e890ddadb88a8263

SHA1
5917898064eadb4ebdb7024b5e2ce2a8518d485a

SHA256
bd0519a362f50497721477e8326523595c1467eb63ad42e08a2d86585f87fad6

SHA512
24ba5130dd8811ede0ce2fd4f698665e70904c8c061f8203b9e42f653da89b8a653d1bc1a3f3e59a0220019dca9c7ca7fdd1857bd80472fe67d57f805533b281

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d6c03283d0190b14474269d2fc217375

SHA1
baf0ad03529c8249ed67b088ace3516f73ac5e3a

SHA256
5dd9c293fb0c73262a3622f64317d7a8e8d4aca511bb027ea5c9b04b00256271

SHA512
69896e35bd1762be623c9a70e9b17ba0d470474c621f03eb9615574debaa7eb8e0e4998d7815990f7daf6fb7a5af00449a67f6cf8f4936c9e7444c139a0321f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8d5b0ded5425133a73a139fa8c37ce90

SHA1
8d60719421a153c8d15458a25abd0d24829268aa

SHA256
b82b2dd5d24413369e387d073a34c668e3b01c80f9bb5fa2e3d1b61c5e51b7e8

SHA512
5e048461a454808f851f542f5264e5001f3d4137761fe32858d58a241bcb137da361781e9b71328f1d50b05dd9d3e8f05507fd808d149e4123fb7a11d0c32af8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b8047e0d735bcc50d098cfe97425c80e

SHA1
ee2ca919451775719b550f712f58b3659e08347e

SHA256
c64f641e95a5cd59b34eed52ca9cb565bd93a34d94f0b48538e3fad48f782159

SHA512
f91d6e12191bb7786aa23746b53e5390069e3c7bf2bfe2f1d3c0c1aed5de139cb974d827b5f4b1b260f647b35e8269aa1d5dc8a69cd0167a1dcbda5044a2d3fb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bc6918fe8c2f8d36732195a7197babb7

SHA1
251c6d721875834375357b32edf61c9c4eb017fc

SHA256
ece180bc09d88c7c0783a5e71d0c511d1b5fda7e180cf831b1908a4deda85fc6

SHA512
99fdb6013e56611ff983dac111714ae38915be15c36274e5f8ad692d93b0db930dbd9bf8db0c2d9528c4586785c14c3fadc7beba7ec6df67f83e86a16bf52698

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1e9b2e4a5b7c70c80b8be7be24645ccc

SHA1
70fad6a585e62626a3a6dfb7855c89ee1b496e32

SHA256
e10bf95022b21d7ec940b89121d5bdbe2c380e8a96b1b0853cc3b72bcd9e12ee

SHA512
1a6b08fb685546f7c8f3ac4b897963428381b14b4cd7b2ae2121f9f8ee0ced39bf7e49fa415e6ae7e1f91b72ed7a3129cb10deeb2ff0323fbaf6a75e0f49cae9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
58d8d297acb91557fd6d6f1b2a4f6763

SHA1
28e1c43e6f27eed04982c8771dcfae98c97ab674

SHA256
96253e264c906847083c3d81a9bae30c55947aa950215aa5c2741795eeef4b0b

SHA512
3a0fda3f3a6c658176c835fca7acc00ff2065c38a89e2ea7ec3bb66d1faefc33329afdb69ae1714c1d266de17b7e2dbd1323d0833ad00d6bce1fc2c77fed36d9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2d6f49eb2d16be8d632cd789fcb4691b

SHA1
db155ef33ddee0b75a13d1c5d5ddbde6ac501e97

SHA256
7b0b506afd8c3dddbac36308439af0a3f7c74419d3543c1b20781b71ef52c1da

SHA512
5ae86de9fc4e387585c327659194ddfaae71a50cb31c46447fffb107d4293d6252318191df1807f7744440a9e7c6e51dd5f4eb6b28e9c1a304e5738c7ea32e2e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c9eb6689c03c4169eb028ca0a6b2c3ac

SHA1
f73057367ae32e66264898d794e38d56637f73f7

SHA256
513b9ec765e49390e04442ed5af61dde8aaf39604b8eb14856cc7439c6bfb78e

SHA512
21ebfa2752374375caf6aedfd18cd822d34eb2fe9c98b6559c88c0d7c0b8c7436ff42c5087125536ee897827204f2e8e2d4e54f95f7a2b5755ef32711c6ba3fc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cef8f342b2509dae2bac16f9d77a29c5

SHA1
d6d8209e844faf4c07f8e29d76e150c1e872e91a

SHA256
a1833e73ad1382f5dd070922b9108bbc62465d86c9e05492f4c33b3c0cab010d

SHA512
dcd312a3b2bcffcc67305c844fe8c86069790e8c571c1af1a43e4abdbe48915013bb45c645b405bc1705e5c11b0c09c5ee54a568b4a228348c11612888c9824e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
158f99745d2b3795ae7bd739c9861a91

SHA1
25b2cd93a90e1d58da402ab182e96c76f48f6d29

SHA256
9832ebe7f58cfd2b9fd981ada415dc28978d806844ce155ed185d121ddb61c41

SHA512
75b401f6083cbd01e0f7d915f0b98a6faacf0808382a5cf467de5c3432e809d5f3217388606492db794bbd24f5a2633ff95e4665b2f8940d6bf571e8bbd9648e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c4eb47febabec10fcc8455d9543ac4fe

SHA1
4934d2c7ef2a8cbec313b80f8eb0984ad38a757f

SHA256
f291e39dcfd7c9e7fdf56866e5828c5457417e95d9c263fb51c6d1f92e62d90d

SHA512
0de8246c4468b388f65cefce1362f95d2758b1a72b87d33525940cc4dc5ef1cbd1de6e78704ce1fb92bed31c62398c869fa3251ae2f9c718ef2f3a16e4d70411

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0251628479e2908056bee4acc40cecb

SHA1
1262f8d1960645dbea0b5e76883e7a1be54516d7

SHA256
c206890351848a2265065b100df5370aeed67366c45d2c302e3c01bcdf01bcbb

SHA512
57856c1edbf8f4ac4160d66edade3e71ae712a8ba9073afaf2fd59a8ae4d688a557760d28d3bae2f9525c4d23cc0641c220b9323f394352e41ba08a5232a9698

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7377f5ef125f8c2c541bee152ea79599

SHA1
01b2b56348b84c7f92c8bf7d29585959755e1273

SHA256
99ac245899d325dc9525e2b7c51fe1d672ee358fdb0e28dd885bee2a5b066216

SHA512
c58b46ec3608440981df010e0d94bde5149d507a9b44d12a57202209b1ace0554189da49665f0c64ab52e0699a443f037ad1e7a6849c91062522c827ffd00302

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
391b4c4babce1db14b1cb5f272202f50

SHA1
497adc202ba1b423fa9329c1c829d81dd1f0b664

SHA256
5fa1dc93fd9bebd37d18cc570aee0f153da7ea244ccbf10f398f3307cd9d2dd7

SHA512
d209dae350ce8a8b66ed141afb7315ee654a183e9582bc61bd3fd47809812ca29812099e9dd9d8de381faf050699d9216db0eb635f21191ac16121aee6fdb0e4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
05ccbfb9ab9e270626837c22fec1127b

SHA1
ee8c00ae5e5d0b946fabed8a395fa92221c4776a

SHA256
9d827c56a9e112a9b905ead895373ba072edb67f023d79f62c44b17ac9986da3

SHA512
de2c2e753ad07e5d375bc3bbb2bc77ddab29578abf6aaf9a3e51d75ca9a5fdfcd2d1e45b08c3b0aec377b3d19961275404d071d77bf4371725aee6e49809655b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0a8abd276da3cff9cbfea9c079c4f3ff

SHA1
54280ef3fe1069f439e52d7b7b183fc71bda684a

SHA256
1d4a13bd3af7ea5a183b537383f0a1ceaf80a24fcdb3ee28009de521dec56877

SHA512
64a6447ff9c341b0d6594c055399924e287d7c78a39f065735a9beea2ab94d4f5c2b71f9e51738869babb836a052af0af582a5d794ab315b678f821a2fe47108

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
92b1ca4e0c915506c2f1c22ce2d27edc

SHA1
747e78e7cc38911fa085be5922ea86fb85bfcedb

SHA256
24fa34c77125ee3964390683481d845910f50d794884d6aa311ad77fa1e528c4

SHA512
3c3175a466a9a9e8156d078a5d7832337ce3cd2e46de2b8e2a2e02658267597beb3fd9cfcc8d16370ebe22dad88489915c6d41358a2d468f0c7181971543ccba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3d0c14e05958ac256f76d078aa51c8bf

SHA1
fb67189ff38d44fe3fbfcc651d259b9b3f0781c2

SHA256
842dbb2472dab3db7f0d10b31c787dcca667d31c97737311cdbb208ca22b244a

SHA512
8f5fb3020a6e99c798ab9b5d87e5c1e1bb6eb9227b557905bfa8680706c4f0c653126ae68edd95532f7c8aa3861d1ee4ee10a4f7d37dddc290ec3d27c54bd697

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
efe28840647f788de46b014b9995b2af

SHA1
2e4e386a1123977b5a7158e95f11bdf6be7b1091

SHA256
b1fdb03de36afc6ededb11852956f13d932e162c6cf68775557116db3a323f90

SHA512
0f5aabfa745e0b7ed40cb6c24da237bfa36b6d8fd00c97983afdf6398bc7835584adb2c611e11b0e214b805b7096b1ae893a1a096ac1051cdb71d3433b4e057e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
00710859341e7438315156606c1342a8

SHA1
43a74f10f5908a0a21a0ee78ed5ee86e48ff5894

SHA256
cbcc4febd7bd5ff289a86f2d4e449bc1369af99ee07306768cf59a00c72495e6

SHA512
8124dbd4078f21137b6ed0a7f39d8454c98cc5f823833ab93d508a07d9c532fd4fd422864ac4f1f385ba1e7c63ea420653e3ef469fe6ace4101b85268bb24739

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
54b313cca22bb8811be83ecf8878a2b7

SHA1
768955e6579390aeb724050ee428ebdccddaf2b5

SHA256
3c62bba89d778ecbb379b925125ed98ed90d526ee477e46615224894c6741cfb

SHA512
7b765df4f8620ece7259dcf27adab17d7813690ace55969778f5d00a228db118ae2ddbde0830f6fb01b65574c1807a4e33f615824c384b83f994b5a6f5899b74

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c30b48b856c5d43b80f0396378187727

SHA1
f6cec793bf37978d887c4e17c47e88609ab95183

SHA256
58be458639690b5248023752555c5301885e2792503a87fc7ef602ee33858ead

SHA512
d487b84ba09366ec5255b37640d436b0a51d5e6f4eadcbd99b7f754c41662d11873704664a30013c00300e9ec359fd7052a1077b6fcc4e6f0093c022244da2eb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e29cb76712a3a5c88209a84c20657559

SHA1
75d2ecead7dc50670e882b8d3ae8cc7562a78d58

SHA256
3579e805322aac820efbe654c598b0b17092e089e0c9785add246d4c4f7fceb2

SHA512
b3875fa7da27ce61bdd1d33ac7f3e5ce005a67edf5304919722a0db64993a5f3023ea4eef7c6dd00b96c40e37123564ea8142c24cece096ef47db60c2e1f12dc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3ce1100404bb996e158879472658cd2e

SHA1
b5fcde8b6d7852289038384b739b9ff7f4909487

SHA256
9721dbede0420eb85f71b7d69202ed9ceba321bd3c15ede99f3b8f5108b21c2c

SHA512
78f2007984ecf0fbb515e12726b19a5ed22776259428a69831ec40270a51b52f7aa0f170a6c017734d618b343f465bb6ed3ed32f6540b727670318652d9e2305

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bf72c14749f64e32ef96a0d8d6a16b8d

SHA1
54ee15ab81115c87a56845163311471ec1045072

SHA256
7bf9191d6c1891aa7cc7d6fadb21b9ada91aa959d4f7a19076b25d9029c2ae3b

SHA512
0f1b9d1711038d299ff8bc5b65794bbf81268311c3ec4bc5398fd86df42228ff89447548773beb8d8b65ddbfea018b26610daea1d3bd9f3d710b2488af4eb438

Download Submit
memory/676-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/676-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/676-455-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/912-481-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/912-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1260-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1260-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1420-2-0x0000000002110000-0x0000000002177000-memory.dmp

Filesize
412KB

Download
memory/1420-8-0x0000000002110000-0x0000000002177000-memory.dmp

Filesize
412KB

Download
memory/1420-73-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/1420-0-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/1420-331-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/1604-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1604-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1604-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1604-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1844-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1844-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2060-64-0x0000000002AB0000-0x0000000002B10000-memory.dmp

Filesize
384KB

Download
memory/2060-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2060-61-0x0000000002AB0000-0x0000000002B10000-memory.dmp

Filesize
384KB

Download
memory/2060-56-0x0000000002AB0000-0x0000000002B10000-memory.dmp

Filesize
384KB

Download
memory/2060-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2168-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2168-370-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2368-472-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2684-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2744-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2744-485-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2836-106-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/2836-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2836-163-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2836-101-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/3040-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3040-484-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3176-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3176-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3740-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3740-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3740-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3740-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4172-81-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4172-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4172-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4172-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4348-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4348-479-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4468-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4468-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4468-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4468-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4636-39-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4636-33-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4636-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4636-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4756-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4792-478-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4792-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4976-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4976-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5032-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5032-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download