da7e637703f9680f1d6023bd1d00d98ec445e6beafc3dd2675d29510e2fa84a7

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Size

712KB
MD5

9f247652f88180758dcc82439e636e30
SHA1

bb3ea2b4cfc873b9e407c2933781de088f54dc7c
SHA256

da7e637703f9680f1d6023bd1d00d98ec445e6beafc3dd2675d29510e2fa84a7
SHA512

1a00367298a62f052f29be663aaf002937da347cac3b8f4582f5f8b00c47c115fa1c242701f94154b0460229bea24844ceca7c4cb10919fd07188a4183880fc0
SSDEEP

12288:xQCB0dchmvqOoixyFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxO:xD0SOny8NDFKYmKOF0zr31JwAlcR3QCx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1776	alg.exe
3208	DiagnosticsHub.StandardCollector.Service.exe
3060	fxssvc.exe
2996	elevation_service.exe
216	elevation_service.exe
4136	maintenanceservice.exe
4072	msdtc.exe
2776	OSE.EXE
3056	PerceptionSimulationService.exe
3076	perfhost.exe
2264	locator.exe
2020	SensorDataService.exe
2184	snmptrap.exe
872	spectrum.exe
4388	ssh-agent.exe
2812	TieringEngineService.exe
2464	AgentService.exe
4972	vds.exe
1628	vssvc.exe
1772	wbengine.exe
2200	WmiApSrv.exe
3460	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66acec221ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b16b7a4aaa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b71898a4aaa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e70c36a7aaa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fed89fa6aaa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d4831a7aaa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004da066a6aaa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000368a91a6aaa2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fed89fa6aaa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeAuditPrivilege	3060	fxssvc.exe
Token: SeRestorePrivilege	2812	TieringEngineService.exe
Token: SeManageVolumePrivilege	2812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2464	AgentService.exe
Token: SeBackupPrivilege	1628	vssvc.exe
Token: SeRestorePrivilege	1628	vssvc.exe
Token: SeAuditPrivilege	1628	vssvc.exe
Token: SeBackupPrivilege	1772	wbengine.exe
Token: SeRestorePrivilege	1772	wbengine.exe
Token: SeSecurityPrivilege	1772	wbengine.exe
Token: 33	3460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3460	SearchIndexer.exe
Token: SeDebugPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1956	9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe
Token: SeDebugPrivilege	1776	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3096	3460	SearchIndexer.exe	112
PID 3460 wrote to memory of 3096	3460	SearchIndexer.exe	112
PID 3460 wrote to memory of 3752	3460	SearchIndexer.exe	113
PID 3460 wrote to memory of 3752	3460	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f247652f88180758dcc82439e636e30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4072

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:872

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ef2676238d5b13048e3e1d08dec46289

SHA1
0680e23a25f0884f18c8ff8d6e20a4d7578cbfa2

SHA256
b75ad6ea1dd95ea5bf16cfb7f31ba770829b07357d873dd1cf673983b876c31a

SHA512
5192ea97deb9201125f6734bc94b0f50cc9b37490b3ec773eabc4b477fe57421e46f1c428d3de6add0bb3cfbca3d6893b5b1df7206bac8e7db6049331facec7f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
86d4f5e009ef74258d2215dc995d6eb1

SHA1
8f70a3e8b90e140fd3a8c43b1e47661632dd9657

SHA256
3d408db9836647b085d7b75e5db6b29efea4ef61a9f6d377910aa583f2bb715e

SHA512
5892421e057eacfea905e15c63b3b409c79c19fc647b9906565a66a559b98ba06cb0f9c8f59ca675c8d5a2a792537afdfab4d796d0d4dac1a71b8fcf7a297bd0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e129debd3fb32ac02e5170f3af1d4b3e

SHA1
1a5238876ecc1b3725c24b67982a8f834b995bd5

SHA256
cebcc3cec0a749e419840b0f4e846387a5b61dada4d1bec97311e0c2e0fdfcd7

SHA512
67db2d57f96929d4e310d8f3326b95597fd2f868a951f81276d533fbbbc580715be9064414ca25ee5cea63881a9be6cf2f124326e79a95dd0be88892f2ecadcb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2e0e4e76e01b345ba439160e55b70dde

SHA1
3c0846a53761af018eb2793f5e2e1eea2222a661

SHA256
cd32bc359cd2ad53cda14060834f841171f4e0c340f79a842ead97fa31ce5285

SHA512
582c873a4dcebb84495a4a2e5c447a60cf8f4156736640a3a1d596ff8c5157840c9504bd5d68efad00b1c710cce6bee3ad203c5774e1531e4ef7b09fc387331d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f9e36495525db6cac90fb7af96f38009

SHA1
c6f39cf41b0a36dd63ea773a879c8d14690cea6c

SHA256
a20d9ce7830a1a6c82cfec43c614898d387c19fcea2d2efce09e066ffd5fe714

SHA512
ac83b63fc7f9ba00e934f854fd5d9dbad044214570b31ec435babac409c5cc97d45b66d19d0cae8122334339c8cc3e0f8540eb347eaffcef57a4e3ec6f114491

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b2bf51c9705a6b23d15127bd1f9f6d0e

SHA1
3f366fc03cc88b6965b4d5a350de7c055a44eedb

SHA256
21e798f5e66bde053407bd0b1e259461afcc797c063fd3225a2bc88e50fabd57

SHA512
0b55de9dc028ee27ba849222034c8f9b42f4fd322621320b40181c9a38fe2c492e7ff2bf82728430de5af3bd1d0712cbcdc3471e841cb544e4ccad4e061049a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2e513dd1030c217c28f2c362bd82623f

SHA1
929c2a2ca0c0043a6d7c3a79566d567b59f6f281

SHA256
dcd6b5f590bea5af5587949ef1a208bc053f440e58a463c2bf332f112d1e453d

SHA512
f5baf4d66486fea160c0cac2c828afb9c618d56673f8646aea4851aa67199c6eba0a0512d47da1448ae4edcac31f83c8f9bab27b1ff5db6fd0036fa04742d7a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b17e0581f36d9c65bca0495ed207fdba

SHA1
de4769cf8189db527cfbb31d3539b4e64c8ae2f7

SHA256
4a45e198846f1e3ea74e7b4f1472b88d64bc4ab4ce4673db7a5af9715ef6e8c6

SHA512
c3e3a34a51691920cce2366643a042fe98af0a4351c8ff8958ee3006d9035d80a21fe9be5113a58563ee3b3386d738229f195c8954b3c99086b62401483fa333

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
69ace9a849823166eec0cd3a431de635

SHA1
7f00be9d80a6a90bee913c902f102de6fccf115e

SHA256
fd743dbac39e354dba1f9a9348c30712d23f0822d997a919d48d7c77364f9af1

SHA512
9e455e0d7224005113eecbdefdc1ca283044ebabc22f6eac5aca59f2dc4a649fc44c5b4c5148bb300d39ddcff73e9d573c5899db82f2854c4435aac66ae6c664

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
861ae17f5e64f5502c65d511622eed8d

SHA1
5472efcf414abde778f3ed582d1f6207b1cdb5f5

SHA256
7088f37e87860b466d898f80abc2f84e975ed1b10bfc1b6186d36d13897576af

SHA512
594366b3d390dd0a4ae40d3caa61914cbd62bd9e9c281138c9397e2d409e79c3443594ec6a091c2e8e922cbefa97c2431e9939d19f6825c9a4fd017673433102

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d0807f5b16a0909b2b3b15d44452db08

SHA1
c1a90a7a81ff64dd0dd77ab9d1e7341eb2605dcb

SHA256
38757c51c81d08831ce53dd7bc93c455b6039aca0ff2910b4265f85f0e061621

SHA512
d1377c0520ea1125a4ee85eaf416e0e035c957d52761ebf1bd10da9f68281cfa65a52bcd9175aa0fa6188cafdd0d9c5bb0c46544798d0bc465d26aa954a88085

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9f6b09f127930edd3d9aedad660e121a

SHA1
1eee3632d3f8f2ff5673aaab10cb739904422b08

SHA256
dc6e3f49d3334e1199a8306ddd353b44fa6acce56cc6a54e00a9610ee5b52499

SHA512
df889c3340d680a2c8073ed8047f911ad9f1732ad17d6e66ab7c7f430fe4cf5626e897804f8fb2991cd0040a0c329a3bdec07f8bb34b5003c5dd1a9ce7ee11b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6e44e465985da9288a36b329b9955cf5

SHA1
55648bfbd6c63fce2e2ebeacb353e99cbbe53da8

SHA256
b7e86b7c45f6d18c2c82cc4fb3b8cc4a1c520fde03e22dbc4048e62db43d6b61

SHA512
84a43f78627d0764f3c8ff1063a142361a30968ddf1449aba52ba1aa05d568e02e8b5cf546529bd3bab0c3f966c922a9f4918155533f2210abe35eba91a3777a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
00e29be35bd60095914f9b1a5cde64f3

SHA1
0f63b13d48638d41232975344d70873ebd7b9276

SHA256
baa8f8c6302959dbd2681db0f454414ee034909d1f9ef40a9bdfd24fb5f41488

SHA512
119a7f9a1a36379cb8b2362f297da2570e98a91b31353cbe0a8042a978d2d24edff38d37fd55fb95f7d6ae5c5fddd41550116a2e9159be6bf131a1bf47917405

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bcfec9c60c8c90cd564bee02a78d44ab

SHA1
f05824b13c0a0b136214eee4e80ddad0d152e97f

SHA256
9858710894ad7e41d11d4211e8afb7f2224b30a06f0dd67db1f8811f6d0cd32d

SHA512
a231c038395b31d262d912ccb6276a0818b9886e340970a1dae7de0bdc81f8561f69dcb0d47f362d5019b73bef62bdf380755598c9bf3ca710e038c119416cc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
38900f70cb6b98f144d4beacd7975e43

SHA1
4140f2d61f38405fdcba43d5fd2fffdcf8885e53

SHA256
e4105564e4a84769d496167d3853a13dd1d24fd6b4df16fd10a6b10a5890d804

SHA512
afd429d83d317edd91fae70a90bee26a26422bd2a66a8024a4f5da537d77df9fb168f54af5f28b303b1409fb73c04a086b7aba8645b65c0d2301ca27228b48d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b04de26d89a3bc74aa3ea2b54689ad2d

SHA1
2d43c1e0e334f0e850b8c8b27f22d7ee9545cde3

SHA256
b894c77acde11e41c43fd5f0675cecd65e46e9721bf86cacd6907a513eb972cb

SHA512
f9f21082e985ec3ac5f2aa93d48b00ef2f8b02798ab37b08263f36ff18a8ad28ee14c520e68d5ba2a2d16db133f7f8e57acf9946136b958168b39e317ba6860c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
faf36d8a0d289a643f19db6af624da16

SHA1
c30289e50a150d2936e4069c12b594abf9160fc6

SHA256
3b5a1fafbc07837368cc45e1132673a051738182c5cfd6e7bb8e323db8c48afe

SHA512
5dcf5c343bcabcfc3059255942cfd7e7a00c0d9f516e2b0c36394a2cd431a9df7226585987e77c49fdb6d89f0783e40e20b8af2c992a854f89f73b64146ecaaa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f1318a1711b08a4774bf1dd0557c3eb9

SHA1
3c0e233c5acdacc9aa6ed51d79cd7ef809150534

SHA256
327f52b2a74342ce886132b65f38fcdfe5f0ce03fc22decbe0cbcf4403d7f96e

SHA512
7a2fc58bc76e2fae1b13dba7d058c95db85ddf107e4054824e443a0dd3395a6b2076e321905e912af1ee38a1f0e6bb295e0172b75037649e3b6fe31347f34107

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8ee2a194e8b4fbda52ba2c783d749f60

SHA1
e1b8e026e13711572b518f289b2113b4f605de6b

SHA256
6350c4a8d26e49b0cdd6062e0d9293b393d8a967271af43594f3dfd206c23656

SHA512
28aca5a4d3521fe4835d5bbb5ab6e8264078c1a8645e842e0ee42cc979e3629cca90136a3f83f50fc46d0e80c819d530f3878a07901f5eee0700a4670c5aca15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c26456dfceac12eec904088cd4e9e58c

SHA1
308185739ec862954e4dbd51ea4b2e1c344f1d5d

SHA256
e2fa00be20f92d2361310dffb0b1ba3b36945a67a7886ed28ca09beeae5fe093

SHA512
155a1f74dc2faf0693bb98b3d1e86373d1f2f75d988d9b9add6607b536faec761d15e6c75a50283f69b7a504ef21fa65d734d845bf8f4792140246f78d63dea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9b5b98af4a3aa32dba96c35c012b91d1

SHA1
581a22689e8d9ea6f4e9251ecfdd6762d55e638c

SHA256
65bad6bcd4cb1ba78f7b008f67b9144b44458a5402a2a14b47ad8767978d2621

SHA512
1198fd24ffdf99744def95e3ed33b1dd2042b0101bb4835a5caf13d79b58736de94b38fa8fce10910403c12fe27cf712f9f676ba8f97fd09fe9169e875227b10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6111166671c803dda5bd361673228c9b

SHA1
126872c94e8547e1689095660e1378b28aa9f950

SHA256
8e03f0694f8d7eda02361806a5a0100ecd109a7e662888d9c1474f479a1d41af

SHA512
366e503925b63a39282a5ec4f89a3629c5613016a6caf0aa58cd4a2e207dc45c970e3da076cb22a4ff5b5034b3f0dd14717b073da27631c8b85a0b464eaa4ff5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
27451813f3b300ef30447cd4f9c2daa7

SHA1
acb8321a298cb7929888eb4dbc4a20cfbdac86cd

SHA256
0d7b45fa3c39e5f79e9ef3f1903b3c35750e5ab014b9d2b27875772b63830c05

SHA512
5f35686e4a60f777dab8264b5fc8b5da845e7f51cdc4a48258daeb3eb0520e3384d64b74d97de54120aa937e54362f6ed91f678b7f9a4e31342b63a73a63bd57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d3428a18df0aacd9b20ccbdd1584807e

SHA1
4ba6d1895e55e5fc6ced25c1f1996145af965578

SHA256
f8003aecf138932856988d93afb8791eba46feab2d20d4dc42898cd0c7dc9e23

SHA512
43d03f6f17843d0a9c62eff3d7f6ee3e85c354a743c9c7efbd31222b7221cd23a512144e13f5d126d6a0d2678fdbc64a9103033e4a2151bccae3b34625ac846b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
60d4cd06c2d3d14fc8041f3ce91da8fd

SHA1
da85dad6d9be464baeeecb2c0fc742533e88e9cb

SHA256
f04ad7f9f68f4ee7290c8df76f77d3af5e6d526e3edfde8a01008a5ebf8d1c37

SHA512
826b9184470987ab8bff4136d8cd9cf29ed67aeae9cc52035bf500d4cff7b771bc2d1bdf2c25cd4972e4dcf3004b4f7e183f6970aacd1af474d4a6dbfea8a327

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
af7d5cc989588d89dd64293a761e72d9

SHA1
a7f4c5663d806690bea52ee249102ad5a9fb1c83

SHA256
332c5655840a073b02943493a9ba6f03b25df063e213b5204636cd4237570a7b

SHA512
cf2a7590aff099b305eed6d5f49846c1113d4c3a86443a00cb819a592fb6f1ed58171a1e604907955ce01f107b7b34cf7f6ec2fe33e187b077666e39ac00dfad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
52f51788edd9aba8deeae803e8dd65e0

SHA1
b58ffcfa82a809a8ca8a8981a6ac3961406a9fc8

SHA256
acdf7ceda4693d970e762cd74769bd264d99c62b18b6892417cbbe75e98db0ab

SHA512
060e0d7f1f6399a65bec77ef6a69e547cb3a5729d4aa0578dd7117e9a7f1cb7705d357e8a575bf67f1512658f8b84b24ba7285170d2e8e5b70e25a05caa6a370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
066964f56f53e054b168b74dea28bb7a

SHA1
ff27bf2748891d8b6258b7564ab87018c6d00e69

SHA256
15b6d87a8e56c11a7af0c3fd5e5da3d2b008e91290c8331763eb6e0cc63ae69e

SHA512
4167d83e07db3f76bd601bf9938a086e68f92c84174fed947550fe64e0e62945d398c5203476db43791e9f0ebda7532bc4ecbf6f4c9cc20d470dd207f317d4e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5a5f6ec3c0efad0559a28355a3fb504d

SHA1
7d7192507ab17a9400a7edf16f59bc0439a0f450

SHA256
9a4f961683587783b09f9f4812971953083ae018734c2004044e581b9ee14a59

SHA512
451c47e8626a88488532d5e6462a640ea0b4bd0f8db0b320a4799db8ba18815bf737019bdd479999afbb462061ae7463405f212a7ab7c81b71b235aa47eb9972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1ec41dcf07ab9dd83873e3129664f902

SHA1
5b2585aacc0a86b20ee1db31f95c21e49bf9e237

SHA256
b132c005d7505298b7cc1d5e23aacbfa2a8eece2988a064811e76c58a5212eb3

SHA512
9663bdc151ae63bb09409acee0ab62c847ad72cd58fb751b08cc7f9059b9fa36ebda70c603d24a2ead60c2aed897216934ef11a2ced1e25465464c2103ef307e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2bc5d41bfeca247dc7ae6d60fa5a1adc

SHA1
db7985def72b9b181771bf8b3d7f03e7c66704d4

SHA256
6285efa08c3c76d35c52209819565f1144326cd8e0359444a269e03bb279bb1a

SHA512
0f4c7f68e2aea778b5d2137c7eac7b0486bce618dd9fc910d1d124d0ec8e804c42fc0558ee19fefadfb5b5e3fb19280807c9d4c59501ef698404f905a1da26c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b59fd25705e688eef2514a32a6833031

SHA1
19cab1f3cbf8e041eef51e909003e4c8fcd9aba3

SHA256
b91ee8260fa4e4410fc0c27f7a438adccc290750e35103d8baa44f7d2df2894c

SHA512
bdff5c2bb481a18da290cb532d595925cbb7bfdbefde408645d6a68f277e87f68c0093158a33246e75c3d23e4b4ca01c479dd32c2b7c53278fe365f30a4b8c9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e71d0505a0baf20eb3eb98f885ce5b22

SHA1
4d47e2046110cf9fd70a7caef64b08cfcaec00ce

SHA256
b2873dadc2e2375030b16d83f65478b52e131342e09db309453b45852fd02434

SHA512
43e790d82eb9bd122fa650afe5f243e76fa2269dc1eedfcd3411457b4b1d5069f199a594eccf260565d797bb5110b93d84cab5fb34bff646e2e61ee2d9a55bb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bb9027bc6c55fb898a279b6dd36c530a

SHA1
3933aac901dab6de9171398344d3b1210afab8be

SHA256
1f2b038e25ce5bcd1dc24b93b8588c0a36f0ef1f278a4f86c79aaf225c4fa92b

SHA512
0b7f2f8af1724e292795d17bd242bae03b5df340f3b7880888adcc8b566ab2ab7d9b3dfa641dfbd9a16bbf91dd8cb07e22b7f440ddc54bc7de0d68350cbb2315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cbb603501062d52b91b6d5065b8640dd

SHA1
fbedeb5c11678d1234902413991c44089e8614a5

SHA256
2633e8afc29e7ae5fcf9f01d94c4004925b3bd2b53416b4c276f29c2106073e9

SHA512
ef96e9ece18504ec27ccdc5c7488ff01399d05329a3db888ef333ecf2f54a6acc054a41352bab8374f0b7398282ed9d1123fc24c3aa2084535c5fd8745bcbfcb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e5f3c5724b12876536666eef24edaa7b

SHA1
20f6e04bc47f06abafd9872feff58488a84b9a22

SHA256
11663be5caa57a118380bb4a3f8d3272404569ff1c55c402efc56e3555d30842

SHA512
e08e0bb7fa56b8ce00043a275fa1e2ac267bf87d45a1606b8220adb39836836e041fde9691c524f56e6b032f086ff5d22a0b02932dcab80ef7b4423f43564252

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d7fa135e676a0652e9233f2b7c4ec766

SHA1
cb6002a45377d2af9da67564499014f26fb54e8b

SHA256
ec28926b2db7df1aa862b520f7ab99b11e581ccfc5cac0e6ad74694024f38c7b

SHA512
46f61653049225365cdb28e0444bc1c0777f8fd66bafba0efdda95cab4c2265204004db435d7ef3d5245570920d87a329e69342365d6f125e74c17ee33de542b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
107eb4909047c1f1ceac81df9f8306b9

SHA1
6cc0ad83a25b3cbedc9c37769a61cb7ccc948921

SHA256
0d18b0d48100e9b818608b1821148b126cd82ed24537e2aa39683860e686e3bb

SHA512
5845cc9ed782c72f43b207cd8edf1f7ef062fa3e5612d8cd4414240d616aac3ded1487320a2eb442458ce6d0594a92d0d31da4ed5a5dbfbebd730386d1eeaabd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
921f1c43168612ac09bdc536f9f575f5

SHA1
bd093f184c457e73f257a46f56f76efc76917384

SHA256
5b02d62ea887e4b5c332b35dbfabc233608b353c312e7e448fdbbca714b3979c

SHA512
8a2ad2696097bb34a41ce604ff5d33b491494b75eb96f32e9f2091b98e84a1d7d73172daa6d989065fe07c87afb60afc392b1e67c81f4ef83ce68f8dc4f50e2e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3b09250e054b171914a2f7d43720b405

SHA1
3a64d129d1561c2855a0bad278954a2497dc8bfa

SHA256
53798e4a64932097c5937f5829ab300ee092f7111029049bc9ad65733b66cea0

SHA512
6464d2aea541e5f6069f422df73fcc72c6cb24897e54e2ce1f4c8cba7f1ddcc64e3bfa2c6cec860ff1a6257100abcc93f483d0aafd0471d97211ac26418fa8ea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
75b6eb9fb4f9fd1a7ccdeb82aabbe1e8

SHA1
662b8b883d2a28b037ed1c4bef361e4c8f518c9f

SHA256
34b7a952b411848bf460a1a6b56ff481a1842492d2c2853f75bc01e68cfe6577

SHA512
f6575633a5c91d9812e66f25fa5bffd04d7c7656e06f184e4862773f09b0e92992eb0f96acdbd972fc1057ebdd10f222c2ef657da7cb7822c85ea82a71a74e23

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ec119ed77910cc2bac79f5751244c2a0

SHA1
880ac9e7387003861edeb94a85022171838c8d7c

SHA256
b64c1b229527f8fb00443c60660aafbf68c24da6a15ef53989f2391750b52d4b

SHA512
cd728ee8561848f43d87a2b0533cdee1016e7fd5d12a8aeb9c892ca996b908eb6ccae48fe7a1c448b487bcf754ea2a7ce921692340463412e96d50c6ac4b9c5b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1c5d11e6a7ffe79ff7c266245dda57af

SHA1
2f11fd9b9c7945967a67ab2ce171653826086df7

SHA256
819fb5d3305c8b11ff9b3e01b61b6c59c644a055ebc73025bc2fd74f666676cf

SHA512
dc61ffea880c2f7c2b27b581530531de44668624e9225675d5c25edc33b96454a2f2e51ee680569e61933ecb33098c43e770e0f7f71377721d00ff9726b519ab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5c3dbb85b96227a81280c925f8614f39

SHA1
41b117682327d9a756cda017aefbe592e1f5504c

SHA256
915c5245f06257cafa703c4f9d7874440ae7d7ec8255151afa48e76f2638d974

SHA512
142155e60df6d62d219496bbeeb6513e727c83f47d069ceb83979efe5ddd8946da1ac57e5bc0bfd157cabce38400b3c4e7de7b4f7c85bc6d3c5ede0b857197a0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06b05691e85213e537e9cbfbb8ab7d1a

SHA1
aa16ea9eef4ddb3a3efde9e95e75ff76a1b7aa74

SHA256
cab68dcd4f0f723368a5dfcd064d1c6afa6b03e6314a26d936efaa2423b5271e

SHA512
5845bdb353c4a20dee4bbc0c442a48e9f3a40409bdd419481ce5703d82f830ea4d6f35847b0c6cba6bea80a60265a30aeaad49bde066ef49451cabcbcfc4450f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
22a415cc1865b1f1c62ef2df35224785

SHA1
d8c44290f334248eda30b9a2a06a7d397ec9b087

SHA256
8a6caa70e4797be2dd76afe78413a568a06f0431fac65d648e3efad66e31739b

SHA512
206a0593009a74f115237046033f24fa3206a1e206c91a47f0cc9a05c619a8594cbd57ab84a53ee32255307b09d59c7bbf59586a8166507a59159dc0450ada15

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
726562688c1eb019a9d9aa4dfd4c26f6

SHA1
1b6a9f5f72f8696a2d0f4ab4ac8cab16ae305d05

SHA256
c5a93f4cb1948b4a3e9803d2397ea64576a1a0c39754b55a37610ca7828d54e8

SHA512
7c1527bc66e6d6015a82a792d9fd0d7a9845f27c9bc17aa0b05e8b3f7a46ebdf28001de427f81b81c5281f10af6315cef7a65db4e822a4a868cbcec5647bcf16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d28e0826514b7ffd7f3577154129a16e

SHA1
5051216c8eeec334d5c0506250af9875740347ee

SHA256
513e2bab3fe2231e3eabaa2c0d58ee8a948d93f86d82ce666b70870f40791c24

SHA512
c32087295525e886e21ce730fa44817399b93469ffceaf3f7629ca6366b0e5986d024205cfca21370316ff76a5cc7c664aa321f03dfd057863746325a68d6bd1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
663a19170642beb974ba0be834b62f92

SHA1
c7fd29bc72b2e757afac1b93b11e17dac529d3fe

SHA256
8b84734617bf90e087bd984006e6ec68261e76055d6eb4bd2d9846dbf118f05b

SHA512
866a31801d80ba6f99ce53e4a6bf197218e9dfda6000d3abe56eeceda834d50223cb1a0d0ebd4161741ec3345191dea898dcdd93bdc8895cd235c1f8318d7d0a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ff4ae90b154af4ec4d5d85e8c9ddfbac

SHA1
92077b49453954b909b8bc300b048da8a32b1693

SHA256
40725db527747a5f57a2a4cab2064805138fffa5e24dff78ca2609a6def5e29a

SHA512
6f6c78c926f1f6a5c0a5e84420ab6dada9604bf58dbf8b19da66108746e0bb81d814cfa691cf38591ece7e36ea0b2e12b57e8fe6093035175562ad78b35862ad

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e967dd47df5da980546d4004cd3cab38

SHA1
ee771a280d01da187af57ec98dd613df704b31e4

SHA256
f3b0dfe316791715607c799434764ea7fbe5a7605a83829719ed5f51cfed6017

SHA512
63405ebd4ea8705c9e819f761bc49fd5cdfdf2fd252e7949faf12972f69eff9917b90ec8772e77fa362fc74212c328e334fa8fb9e78d347af65f05e60f377416

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
942b95fe5f72e89d9f631c5efcffae5f

SHA1
cfd9edf27b436915c3755609474fd45211d069be

SHA256
75a07fe027ce0fca96adfd78e4e524f22e8b72f0f3cd2cf97cf42ad2ce5cc740

SHA512
d3a6ac7493a44bba38d77135c6657936cb91afe9f2e7326ed5d33a4a7737bfa34f1e4e5c7d7317fe8b70997bff834135bd58c69302b94a69d43addecd73f495a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
156799691e507f1d43b47ac78740223c

SHA1
a02d00936b09e9523b3a11491017a9cce9435746

SHA256
9500623d6ffab21cfef3b40960a1d01a21342690f98f5199a57164e3527387ca

SHA512
56057def03e68086b68beae6e2482c63d538764218dc5fad826f22af42c2d21d0981fbc80ab2d856a6e54c38b4a14f7e931d7ab0ee1f62196fc1ffb739de4702

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
20a8c38a3ae42ff8d431df19cb5ec061

SHA1
bc7161bb89c9759b7cd2ae3c0f47df193a099706

SHA256
eb1db9777be11e581a0994bbd080d9dbc7cae13976a6524e117891a771a7ba09

SHA512
b5bd2d5683a432e0ca08a19b86c0ce83f0e2a7f6f76c8c8af798099cb324c1e67b1d32d6c618cedf96d1277d703a1f6df070faf65ef26dfd107a9b5a66a2a096

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3ab1939c894a5b713cb37e4ccc237258

SHA1
006b8cea5daf1af486b4d0ad3abc5da1db7d325e

SHA256
e7990124cf95dc16f13bb532094a65649f0daca977b498bac529c7f52d76f95f

SHA512
65b7e8bf7fb2fa52e5a5b9609d36a1ef871c48d8d63a31af9d9648b19167d6894f3e33275d999b9e0d58c50114963d11a96a3b719add9d16c0715b4f5a44baf1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
862c39bc88566ead402b1f6044dca6b1

SHA1
e021596e3525e91b98345227f8c59a1b289c15a1

SHA256
df5dbfc947da98368b043a16135fb566dad3ea6d6890fb741786b4b3aa68b0d7

SHA512
e7884c890531ddd8554dfb5ad8f80a2d7fea108ec6f330e40f33a864c87e7f9f70c024c38f6d0890f4ec97e3f3bdca1f2d041d0def413205fab52cfabd4f8dba

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a4f7f8752a21ddec70f2b6875cbbef84

SHA1
83880f4d5bd9bf98015671b7283d2dc97903dcdf

SHA256
9fc20d235bc67bd9644dc1fafe12af58e2ff51f3aa97f7a67d3e0d8cba26cdb0

SHA512
971ea68d5f45d07d02167390f75f5aeacf9efa820bc8961e7c79a5fcba9ee8650f36b2b3a9c31328b765dc2ea14ec137f554cd9f811402dc4759744b33881919

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
90a576459286ef03cca1a45434de5117

SHA1
dd292c065f7a499f1007539e0362f3b9a39a24f1

SHA256
8ed7591bb2040c7c7c5d89eda5a4b9b8147c9a455d26ad2c0227d6f846a155b2

SHA512
f5f5fb31a6144136b110c421b241c41d524434a77daed90576b7edba7734e6d0005b60fcb9951a9946f64ef7e3931c3d50f74018d4c1247b01f112649e9c9772

Download Submit
memory/216-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/216-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/216-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/216-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/872-472-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/872-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1628-518-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1628-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1772-521-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1772-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1776-19-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1776-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1776-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1776-14-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1956-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1956-8-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/1956-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1956-531-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1956-1-0x00000000021E0000-0x0000000002247000-memory.dmp

Filesize
412KB

Download
memory/2020-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2184-436-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2184-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2200-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2200-522-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2264-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2264-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2464-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2464-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2776-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2776-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2812-516-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2812-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2996-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2996-56-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2996-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2996-50-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3056-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3056-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3060-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3060-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3060-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3060-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3060-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3076-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3076-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3208-131-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3208-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3208-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3208-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3460-523-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3460-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4072-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4136-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-74-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4136-80-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4136-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4136-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-496-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4388-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4972-517-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4972-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download