58479064833064df1d99072920568d4310cc9e1480411542bcb4e965021598e4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Size

625KB
MD5

b47f389ab1431f3182d2b0a7b6e58270
SHA1

bd70fede0cdcfc7258db0cb34ccecde6670e350f
SHA256

58479064833064df1d99072920568d4310cc9e1480411542bcb4e965021598e4
SHA512

65fde7f90288c5af268f56bc6e9bc1d04a7593d5426d2ee77149e30d98b7e76d83a78c7fe2cbd9829bf5bb28a348917fdf032235a2bd5698ba92afc4ff58a17c
SSDEEP

12288:K2NFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:HN8NDFKYmKOF0zr31JwAlcR3QC0OXxcm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
980	alg.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
1728	fxssvc.exe
2100	elevation_service.exe
2432	elevation_service.exe
3636	maintenanceservice.exe
3952	msdtc.exe
752	OSE.EXE
5068	PerceptionSimulationService.exe
3836	perfhost.exe
2952	locator.exe
1096	SensorDataService.exe
5072	snmptrap.exe
3744	spectrum.exe
968	ssh-agent.exe
5060	TieringEngineService.exe
2044	AgentService.exe
4580	vds.exe
2204	vssvc.exe
4384	wbengine.exe
5116	WmiApSrv.exe
2320	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c1ae4674a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478dc23cbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fff6293cbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c620f33bbba2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014c0d13bbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcbc0f3cbba2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdcee73dbba2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009afbcc3bbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e5dee3bbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac30443cbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3aafc3bbba2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316ec63dbba2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe
4492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4312	b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
Token: SeAuditPrivilege	1728	fxssvc.exe
Token: SeRestorePrivilege	5060	TieringEngineService.exe
Token: SeManageVolumePrivilege	5060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2044	AgentService.exe
Token: SeBackupPrivilege	2204	vssvc.exe
Token: SeRestorePrivilege	2204	vssvc.exe
Token: SeAuditPrivilege	2204	vssvc.exe
Token: SeBackupPrivilege	4384	wbengine.exe
Token: SeRestorePrivilege	4384	wbengine.exe
Token: SeSecurityPrivilege	4384	wbengine.exe
Token: 33	2320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeDebugPrivilege	980	alg.exe
Token: SeDebugPrivilege	980	alg.exe
Token: SeDebugPrivilege	980	alg.exe
Token: SeDebugPrivilege	4492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1684	2320	SearchIndexer.exe	115
PID 2320 wrote to memory of 1684	2320	SearchIndexer.exe	115
PID 2320 wrote to memory of 2224	2320	SearchIndexer.exe	116
PID 2320 wrote to memory of 2224	2320	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b47f389ab1431f3182d2b0a7b6e58270_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3952

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1096

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3744

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9a50a0e07177543948eeabf5ce7b211f

SHA1
b1fc4301bcd0bdf28a69a05813df084240a8bf83

SHA256
62cd27d8acdbe9fe14686f7e9710c0b7c1740169fe6a61bcc6c541597e9c8535

SHA512
66639496cb9923493ae09b723e3a4385ad1961ab749e335ae1d1470c9dfd6c6989ba10c9d285bc8fbeb6bb158956e702ee6543b33d89ab836c00f4b9e15ae967

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4fddf5abc54a12c97de46efad3ebe28c

SHA1
7aab332e2729059f74de1dd3e83cc6cc1e49ad3f

SHA256
a2a9589d6d082ca814aeadfd0d203fb18c17c90ebcf637d2dd5a4e1b0cdfae1a

SHA512
861bd35e0ac2d2696116ca4dae3aa72efaed759fb22b06d08c5a4c00668d36c5a5c25b3ee9bdf7135223a4fd3d3e0a4f825e1e6360a60fbf06754b5a690c0863

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
aaec21358d5ee1fc852aa55ea2686345

SHA1
145350a1ef5ae8bb12b5a0691d1dc9f0bf9cc7cb

SHA256
6b74a30baaca976addeabf8e82d4a04978e0db934c3ce01597737837d7fed558

SHA512
df6e71b318ddffcebf7b71479b14773c4d74b1451dc14b706b842ab1b2042f67c091ac3e3f9a28a303cc42dc2bf821a44d07d82262f0a775fdad2a30a25f03fd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8d85ded0ed83106a759ca53ba95e6f20

SHA1
0d45b51cc97f60f311fa1aea406ffb9acc4fbadc

SHA256
6a298f39a69af9ebc278c2f36961a03b9b49fc91b3f41e9ac8aa1d1372ff5a12

SHA512
bbc4fa74497ceadcbd63eeeb07cd9119370a0051c6fde6bc227590e9f81ee902a68ce7b08fdd659daf6e66f8ed2a8c460188b9ed72ab69b9bf9c1bdcd89f6e29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e1d927d0d110b7d65a3b749250f65146

SHA1
a54518ca7d91cda2b2d11aa2c852614f905568f7

SHA256
62c95aad8f9303a91089eb3fad499f88299bd06daf50057a01b07ba61ded499d

SHA512
364f95172066ef5efd52c1d214f71d8e303fd0aa587175a0dd84015d10dbda51185d54a3839d976330db7de95111e50c65dd4c85a27ede6c3725fb8c1802896e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
66fbf6c8198c0e36f6c4cde8521373ea

SHA1
e430c4cb52937da3674fd696673ebfc7d5ebd2da

SHA256
98eaa0a0c1d16b9d3798b9d67731106d49c673f39b6edf08df8ed62f462567eb

SHA512
210a77ea558a65d6eb824b1e0d343c6c391671aedb4c06a21eb9644798d1115279b9aaffc8e7f90c439adf74e531d18a171adf12fbdc5ae67c993df55f2b8792

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
723ec64358e2a0c690f25da4657d9216

SHA1
63e72934bde5782077c8e266d5092727e615fec9

SHA256
559ce989d17b8443def35b247e366175290836be34be800a0c022296ff534933

SHA512
16d6cc689c5d605ae7c0434724aba09b8fade8213ceaaa7dfaa4256cc8d7dfed4ed1cf494773ae6452b8a5a85ba1ee51e9a682dad8a72aaab95a3f4ca4b99642

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
64b5c4dd1269319c8d2ab5cdf552f677

SHA1
fb378508e5675460e9477ef06a70f034f26281b3

SHA256
d53813800871026f36c8df1a217af96fdff955a6636c1ac2722593631f8d757e

SHA512
a395188ba94778cf25fcb9e10a40c46718028f012beae72364a7f3fec3380c1e19231a07322616d4b7ffe50c312e4d8e96fd271bfcdd5a26e115d1d862e67aa4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6ce5615207bc8b4a4796ad6ad76729fa

SHA1
67e81c359b31dd0372cc1c6a55afd4e800c5e657

SHA256
a395d9189d5bc0177abc16ea11453cf27b6573241e0fb207cb09dfbcd793c8de

SHA512
595e258952d7eac13c2bc01a91864e5bc5b693424f5a7ae94c77a78571103bb1fffbcb5427d3b5665f3cfb944ac4f04678aadb9cb0931ceea063c3538c41bdea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c4c417db95a535d8af0baddc32d6f450

SHA1
75110d67101e3db4d15ed4844bc27e1416ea95f5

SHA256
42363704639407d8989fd31ed874ecd219828cfc9000fb75933d780745ea4fc5

SHA512
9a0bb55c8f952ce88e3d9ca8d7a51932ac4e2097ec2d4e65e6cbeb9362f195c22e426a8736bd19f3d93ea3e53b7966bd7fd3d62ddb66dda5783de73a765863d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
059ed2c884084d08653ab36284c1a3fb

SHA1
3bb63a7d8b75b2246d12002f130925cec899adc1

SHA256
9bfb8f81e30870f7591fcd0c45fe2916b0160ea9c46a056ea801dfffe78c52ab

SHA512
f7109b9ec4969ddb9a24ba32e75c92fca8e75f8a6b6ca6b7b791b3d5ebb5c2da9db63fee5492de29c22a08411bc114797976b652e7b1ca399a2aa4f5081d9562

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
811d5eb1f4d92af57c247f32d94624fc

SHA1
62ce6fc637111b9d0549f07b7627bb9722171bee

SHA256
666c4a6a23339751e240b14d7eba33a5d4f47fe41369ca23f4f1d5fb1eff5ce2

SHA512
8082e81242feb2409fc59e2e3cf1bcef7173837d61b1eb48058ef7f57e9fc2888073fc3fdfb003ad6a3e3bb9119f9af4124bcc8d374c84e3d4a48b65e0eb9acc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
67650c5e7efe12473e8bfe15c9749fa1

SHA1
3d4d0734217d0c858d11e6ddf65f6af8b8643aa9

SHA256
d63a9dfd5671bcab8e174b8b0ea9655a60111e4986b58ea5e943d8b22f293229

SHA512
fbf8cd347591b8a10debd470ee875ad7618fa49c4c693cf940d1be70588128db8023ffec7688608af24910c84c2fcfb0f27f51938f26c4758cadbf3209f0c787

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d702e6c71a7e772c8636644079c2467b

SHA1
424da764fd9d6d0253ca8bf8ed50bce884b5cd6f

SHA256
b63f05f1918f3b41e3d345ecd964322370b8e5a17c5ea6056c8bd02de8161600

SHA512
882fc9f87052cca4ef592d40ac007c6d0413b54ecb3d45948fa7bcbfc3369e69ccf37f95663cb7bbb2ac289fd23bd810492469bd17a4aa721d231d6da7948bde

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2415ff369a66db35d50c9bf67f63fac7

SHA1
a58b4cac7c3ba75e1d02fa9052b04cfbd35e632b

SHA256
c4a36f1d01b1e4236a46e1ddea7762e61ff10f310faa163c4cba73180fc1ea3b

SHA512
0923ea921016085714da4b20711988b6eed587ab6aa7e9c3ccb27158ed51f1b33a6dfd806870fb88961577824732f9279b9af718820891348e0be79fe43d7122

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
aea5f93e6df070a2a0a55021f503f572

SHA1
e2b21c14650bcfac7b0522059c103a4b1b28cb46

SHA256
9c2491d99ea7b5f77ca1d914c5623fa4df10594acf3f374565741e921c5656e6

SHA512
cb8d6712c8732a97be47666dae7b13478dff3ff1154c65add4f4ebfc4f52a0abc3132b19499a18273424f12aa761f490b3cee21afb91162a0a5f3d466ba191b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f46c6c0619762e3978ddc9699ea7e731

SHA1
0390a1b7dd36eb2cd901402464afd8cc51580fe0

SHA256
8c73769fae5e04470fb41ea8d2108c9868328c9dfcd1d43a93dc085ee293421a

SHA512
6cfed73d459e9130af4f832110b5a3125235e99a51dc96d8e83af8d212c2f7a68292387bbc7e62e065346de981a0ecd021809d03aafcaf372e71716b954a87ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6f7277045738c7263b9e856e2cefa6f2

SHA1
404e94f9346e5d14b0d6a5029ae70e6abe578f71

SHA256
c044ffd68ed52056edeefc2071c0e71dd1309d46a3fcf8025c5a29cfb2646304

SHA512
f41dd9cb22da33d5d4b901fb9829e12a85741fa505ff6a58b544286a8be885df39ac563464472fcad413cf35546eb3cc0eeec8d03494a76e218ecf30aa511dd1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9b1fa200f9d8ec9d8d9cc1554ebee8c5

SHA1
4c1419a9b6d4464739022c2c58051e797768d7bc

SHA256
723d24fd7f03fae36f67f2d5367de2b1f46ff1f604599238304e84cfc2de16f4

SHA512
e5aff749f7c54def6aacd1ca9eeb451d54ecb9d1fbe2c9be6f98aa6a6f58c0aadad2c3670e36eae07c2c5a3cf1fddef9caa34abe29e435ad8704ba4ba9af59ef

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
219fedf87f427c21077240c5d79d21b5

SHA1
a878cd5b22a5f411b56ddc3e0ca1cc63497fbd02

SHA256
4271da66049856c88ae084a2e3567bca272163441969d65fbd3e99ca661a746c

SHA512
62e3fbb00d79081078c1a5c5de47b560ef24072a07fe32b92d005b21517ecba148e1ff3f1683b1fa2093310d224bfba06f8bba57bd4abde59f5dff48cb802fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
943346fd22602aeba8dec424dc7fd465

SHA1
917836798e3ef79cc4a50ccba2f92698bf91e87b

SHA256
9566234c3d428bd7c6018ba6769f10335862e8db830943b32baff45b44465070

SHA512
cf3274bf4a495c6b713cca61b638584ba432d506853834cab11dc4a8fc22269af7a39831d06221d206a1a6b1086677196e9d01ed87c77738849f92dcd52e2c62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0fbc7d3d6e01816db4c50f4768572554

SHA1
d4c5879343c9f39ad7e787b5ccaf34beabaf5d53

SHA256
8c741e22e658ec6fbe86631b68cdb7da82a5767ce4a0b91c6ffceb8b1408bee1

SHA512
2bba28ea218ac87a26189ccd8fa09c99a5568b8e8fac19887ccb4e778eeaf281d94246f3e3bbad2ae498d081c16156f1da90af600b81823331ea21a63eb8e0df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6a7f09e67653971852f2e07769d4f9ab

SHA1
cd4f192ab9b1147fa0132dc48345dd60569f0912

SHA256
16b161aff244bdd5c2f7417440698298f15e83bedc7b926fa1004b976149365b

SHA512
684b8abf89d5edc762e8c918a426cf54cf8c85c39804c47667c594c2fb13a484e2ad69999ebd93a12369a4c60e64542b04c6d0b2cf68a26bcaf781155ece17e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
790cb3d65ea6955ca8702010f1751e3e

SHA1
269eb65bf63ad95470c75e80f48a4e1e919ebd36

SHA256
e04e5d1bf48e1d2f05bb20004a0dac23adcd71276156057038064aeebc0d35be

SHA512
a6f5e92e5e8c1845473a0468f6ee3b32344e8def22b2c5379da0b03114497c8a3aee54f5ff820d5aa9f2375602079b1f34299f0a8815be5d2525f2cefe6b58c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
09a062f118e2ad89b688f154c0c83f8c

SHA1
2320ba9211230b281f2c4f471d2a0a9965f7db6a

SHA256
58140352c06615ac73210177a6852714f5e04d2d4bfc71034637d6b945ca3154

SHA512
36982d6cad0178cb88e21d9f10cfac6072b8db80cfec1ef63ef223342a52c8c845e0353fb21164c26df233190c8b8469df46841da17728401996c5865a1b80c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c68bfa77d844a74cf588aaf613d55f8e

SHA1
6c6c45c94c001c2d726aa59813585b6f4c49fd22

SHA256
93bbae39e2d61e6b1ca7e3ff953bf3db0845e9bae95eecde443b845072a23fe7

SHA512
cff5849da637bcbab660cb5d090174c8a0fd848f50f82c48461b8ba46787978d7a8c39509d6a55fce3888720273fa6a76dba4dddc73289f8210fbe305613ddb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fafd3f66dc83bbd749c0e0b39bc8b258

SHA1
d8644acf91ac60bb53fdc58073a1f8a9bc3ff339

SHA256
35386a1511acabd1e596dc50ed9e6a734b345cf4c8d7929b23ca08aa0e0c95e0

SHA512
baad4f8c4f2d63ec084e2acd4ab43ca975a51f6f3c1b137f64996a08377fd68cc1750ced1f2ec3e69ae28a697f7786ff910ff8133c3ed5948190f93ab90e2d9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a55472b9ad881b6a6fc7b8b182494be6

SHA1
5c872fc15215036231328ba11462e2e1ad063174

SHA256
0aa1537197277be0338fcdda116aa04294ab92723c9794d976129a0c79a1d6ae

SHA512
13e5db49d711ec8824ffd3f1fa64d7b4e2d60f6e2d7162867b3c7aede7db21b6b6864f4da8dd3f3d523259a3fceb7394d34a8f0d51cf69bb4484fa0be20caecc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0187b24dc83c7934ce1dd53248301e6e

SHA1
547cf6f0373f29dffd058ed891951f7c5a7d78a6

SHA256
6098eee273033a6c784d218de51073e4809c1e371d471197a997418704f93f85

SHA512
c1d3852591835c93a27264e5346cbb13fe59aa9e4444f8ba6190cb8979cd5e8eb3a0d2f3af7af1076d513cfa6716ff3fd122ed75ffc17702830fd0461a08f679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ddfb8a140d99dbcc56636abebd2569b3

SHA1
0f0cce917bfca8bb10111ef4b76a65308093fa0b

SHA256
c3640561c6ee4ffec1fcce0bd1c94688177527a910e0e090eeb1efc38d0e3713

SHA512
3bee5945a1f079b4076d15cd6546be605bdf872865767857dfe37d89b5ea9a90a425025e203cf76db92907ef8e6d7f09cc4bf3c80ecdb9b76da036c8f992dac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
58600b246ddfb2328ae0da6aac575582

SHA1
9423f03877f2843a4942a377b572ca35e1b11f99

SHA256
9102c0fd1ca7cd495cf7fa84646ed211092051d526512e03e84b2b34bd2e3e31

SHA512
480d64fd115aa78dcd996747f32f419543db871edbcfe8dcb7ccb7ed31f957d763f0ffe38de4fbefd5c7c3d147c2bfea0170860a2f1f651531c26d8ff8f883b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2c27a5a93f1ef696885882b129e21c69

SHA1
ae729a95154e86058e0a41e83599f98928701cd4

SHA256
1e065980696fd495f2524dc33338fe175bf60f8e7006cc4625e97acafd830c53

SHA512
d0434bcdd907a71577cb0036c505c47f5106e97f9e50028a9962edcbb7ebf29f0b1549677815678b62e3b0385395fcb1d99c4f98fd8c4a39b51883b8c5231f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
da5d8380c21fb16280e505a37286fcd7

SHA1
969fc94571ed911adbbc11f708c1b804f473b6a5

SHA256
5f8dc4b2cfb072a2c53f51a277b746752031f98b0e614af9bc4d8586bb2a82fa

SHA512
05ccada3d3c5296c470cafc56b71356d63520339f8dbc289da84dfcf95bbe4a5cc21fc74512c69b80060ee3afdf460e6a6ab0203a17fa7a11a92102048c59608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
054fde4ef8741b0ab5a4dd37135a7006

SHA1
481be91cf41e5ba332607e74a701ef3382a81700

SHA256
15b72a7ef7bc3e54b44e9d20a6f8af87b2dbf4c75bafd718dc5900003506927e

SHA512
fae30cf8b5740e7fcd331461e06bed81a320d0bd065e391bbf65e08e0ce6abb5755ec19dac271fb09765a69cfd3440ecb4fc9f53168df4c8c43fb6d1b97005b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3fbdf249f02f99a8dcb1d145b507cdb0

SHA1
3cf026289c1f8266ecf9fc288afac0c26a28dc22

SHA256
486157fd6ae81c2a937603fb56466b02db59a9d43456cf819849d8e062724066

SHA512
8436ecb36a59ab00c71fa570fcdbb9b3a16cd58cee35d26f9d4cc4681398195356ae59f878a3d427fd241d49ed0e84b9ea4285c2f4a6d3e9cf13cb287fd63352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
fb461c658f6f9c5153890c47cb05d9cb

SHA1
a77dd55be420ba7ab1fb69d76fa6fc377216d3e8

SHA256
35877ca075674ab3700ce45ff60df4cac63fa66dd001cfd7735a2964b6319d8b

SHA512
47f573f8bb845e2ab2ebbcefc340f65072b9efd1c561f6af39d4606db28ef3ad9c95a2c5c703e70e00f1961968edff5186e51ebcab10566250e37031bfc757d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9086d1b10a7093862ba1efae72d22482

SHA1
afbfab8be9ae6a5123caaf22b9b3fb31567fa1dc

SHA256
4911a32edd33cdad271ed5f1bc5f8203519bf30adc49b31eb738899bc57f803e

SHA512
e50ec4b102c407e76b3d220b168314cfd3d7c8af8f8c010b226770d744a264dc1a02429f2bb8a971a6e14c5a042f68e6f249b75fa913706ab2ffdd6c88788baa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7cd0dab4b3df328029fbe0a47b21e66

SHA1
64828787e29036f197c0aba93fceaa790a10929d

SHA256
ad6d76c4dfa78a06020d15bb8c4424c41493d667128bffdde15eabf0b95730cd

SHA512
7c76759533f0570cc9175405685666ef204d8839cccc12de7eb0fb762637f9476184606b2bc435305adb1f2c365e6ad215ddda0eeab4ef81dae3dfcc99872521

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b869adfdb87e727109413f044708a08e

SHA1
8cf0c1b406909cb89440fef0e1bc069893501465

SHA256
46f396555e024f5fcfec3930fa1b60363096512428083a800f1a009bdab0d932

SHA512
891d247892dc641ae88404ccb165d11fe11ebdb968c3183f9458ea823d9f18da0ac69ba1e04c4d6bedd5b3d6d67c22f57340fb2bb4d467119ea44cd0c6ecc464

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2cbb8b774053de153194425391005671

SHA1
2ed742a420c1d168cb6f4b41fd162e5b929e4c0d

SHA256
5241c26672dc94fd44b1eeeff21a0d59468cc0ff702bc6e0667985af71636b84

SHA512
c0addad7f7cf1e26790a8f365dec10e81d2e8034514fa040cc27bc2494336f15dd9d7524feeaa19f679b85c874afa3e26a99a796d21c78737d7011bf7100450e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b0d3ab1d3cf4b7e06666e227357794af

SHA1
abda0110f596428fd8d10abd5e5bd7d932746d36

SHA256
9f72b7d3201679c5ca2d1c5e3d68c3404b4839f185ac2f1e8930b732f41e0ccc

SHA512
e3c21a07db880c80ec6e77562a6966ef7ac8ab1e032c19aa07ac3940d04a19a11432b06d3f76cfb855a4057003151306efd14f3410504d54e0d73c2876333b5c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
324173ca1b84c9fef87332ce88222794

SHA1
e76d06f72ffa409fa002387e5be42422413ba964

SHA256
a9cc42d4b356c4dbaa0c3a407ce3d07917ba47cb039d56a846e98865e76cb38f

SHA512
dab577d04be0e81fc8fa05c95f2b69bb281f382628a547d4c7d724db7bcc2d572064885c53463dd05edf8926ad5b30725843678beda5676a5661cb949c29cb8e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8e33cad341c6a432e9bc9b87e0cdb444

SHA1
0b942c22d50a98dac9978c8a47e232ceee380ec8

SHA256
e3332572e394087e444838895a5231443c90752d988ed17022608551070e3d1f

SHA512
3aa9a8231cb8bceec148f76457d459aaa3e3e90a2f09273893af8bd869c64fdcbcfb49d515baf5f0430e2071136614d7eb385919996c899ffdde415cfc4765e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6c50ca6db03262812a8ad23d5a70480c

SHA1
65c7e70a544733cb276a33ed064ffea13eec456f

SHA256
0a454cddf141eb65bf4ecc8fa14e96d5ab17e5774c3e79e442fcedac6583931b

SHA512
49970c914fb59a7ff52b5f80c2501097df120dd9392040c263557af59ef57acbbe7d6e6160bf0f6656cde072f3b890637102694821b0a6acb53db4c66cbb0ec7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f54b18a698d0f0d38b442b0223973028

SHA1
d1c0bacb1e22bdfd2662e22cdced40c6283f6465

SHA256
b7254716053c9442fe29a22a0c94bc8417c00a6f7671843cfa211cffe10e53e1

SHA512
ee67188689c70a6ef33288a576eb631e4c225bcb7601976d0255cf522864fd89760385a640bb50560af6e649a80595845817ec300ce53511fd36ffac7b1305a8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3f5d45c266cee52e80d321654b3147ec

SHA1
4ee35a429cd310923ae395aec695f9ee251627a7

SHA256
0028bd153e030ffcaea1060dd3f3b47859b5bbcffaf2fbd383da196691488c07

SHA512
6ee0ab2b86b43575c2091bdd73cde66c30c6e5456dc6b7a617b51718933b3d0cd3cf4dcf356397e626742b6b68cbe6c313cae00f43d26882ffe029b6c5d986a8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9d1108a61bd988f96d015a09b314d863

SHA1
1bd302b734b2a41f64dbc6c668ef5b63217d183c

SHA256
6da5f6438b338478cecb690e68b0756ecfe9a2d52ff92b176a361a7e7370208a

SHA512
d7265fa092a7a842519d5d8de075bac25153827dfa02fe69bb9714784d6f5ffad448d4e369a10dee3e46a501d4217d20c2ce8bc00036f639716938fde63d7a5e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b1b176de8f995047d064c01a1af51556

SHA1
08b667990b6b9eb22aa21233cf4e96a374fbe732

SHA256
b49873498763d048e59abe124fb997a3ef1e4818b3119ad69d0110aad2aee336

SHA512
dc617cd732d8d00f6729c614962bd5c9a1f282e82987aa8337a791bd2393990e9047e8947d72307e317759304cd5f6a9ab9311cf849ad03534e5f3dac12ddbd5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
511aaf9adea14fe70924c1ae072b97f8

SHA1
08e7c992b3f50fa5d5ce2112781bbc257c314b37

SHA256
379aea4d1820ba147237a2e3daab41333e7847b1ccc041e96ad6c437d2188ec0

SHA512
06c43f460b25b99d1b56e983515f79213d4db2c3e3ca2849a04d11885f1e0d274671f92aec4bd439e40c8eb8e2b1367eb576d2b8f0d9292c776bf7e36a243a6c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b26e0c69e54202c623497e41c0459cd1

SHA1
627fe65a954c19c712bdab0a910c4b44307bac10

SHA256
801dee70a42326e4daf80799ca56d746345032dba285b8bcb309d9a9c8969b65

SHA512
c4d70609fb0d9718d5cc4e1bd82e7622a45fd2281fb8ca7bd994bdae882d5de7142fcc0eda6a80c10ba30bf3d81917762b742917da4f55fe631c1ff8ee05870a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
23829863e62576d773d6fdeed6d2e91f

SHA1
9d78e936867d3c969fa9ee446ca5dec1ee6979f7

SHA256
0ee571bfac7e679e5fd7ed8739dfe0055cd342321ce8321c843b68a09a8d148d

SHA512
a2e643e00e908fe6eb10bb020764f34423d07ca64a2063eb88554e2a6dc75cc711cfcdb5d5834e556963fecd1702dce646cf89bfacb527ad57469767965f2db5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2d957acca82094068b0d501a838d79ec

SHA1
664273dadaee7fcd1082a2d42c07997e034faabb

SHA256
ee0ede4aefd791f8551501874bae2c514e74b2fcc03df408440553b142cb532f

SHA512
9dd6adb92f31bc946f728decc2523ef676b65bf9cc67863708857ce477f756943654757e9bc5a46feff4cea64fdde3318d1f04b745c64a3bd701ef0240bb006e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
12bad1a540adcb41fa28f650eb1b23d9

SHA1
09d4e2994b166aaf33241eb3d42dfce4714f79bd

SHA256
d2e0615314ca04728fa9a98175009a12bfbb4b3ebc0d9302a572fbf357aee08a

SHA512
08cdcd56277f0f6fc9fd110571592334e08f113406f1719dbee143c47c4c2a6310df315f831d9d4a539a3e3ff7cbf2bfbd4cc58d40f25a6e7bf8500e4f4fd1f8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ba58d9959a8c61fa58b4c4a06a2947d3

SHA1
63a8e96ea630401588249a01b452cecbf971bfa8

SHA256
6a8085276c77baefa6b86a118983335bcb2b29a064367d4a7966b98b6ee29c75

SHA512
ede26a1901afc18f33daafb66459b27bd9db47a1c01dbd81124eb78d1e5b67e5434571e8e0a0fd7271d6494d881d3282f4a1fe0580c3f4f5930431c5df443f39

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
de3c63530d68f9ce3f68805536a4e9b3

SHA1
06606ef24d4ef9e5c9dbfc0b755cf70d83028d40

SHA256
61a08b3a9e5e60a0e2c0ecfce0e42c76cd2e417a2c79c79afebd434c74250743

SHA512
7a5f7275b3607b70037e274216419c51c9c524b6ad1022e140735cd1531f456fef83561b5b594b30eefbd3b14fedbedb7305f4e6a51b991b9b6c57166b44981f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b2231131b441a4884b8172f55534adfb

SHA1
87ab2b5ae8656ca869cdb78607a5eab8b6d786d2

SHA256
f3223d79e922d3b939c158ab51d373b21debde8575a108473f6088fe08fb4d1b

SHA512
223f5c3c250707964e89f862b597f43d68bd119fdfba5afbe9576ce8010dd5131b6bc6848b118bd0eb8b35e419d4b30660514d85fdf2bf60b9789ff55d858ca7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
317db7abb46b2a0390a138672bd03cff

SHA1
78b1ab6c22c05824568ab96bcf1126cb605f972d

SHA256
8ad5f6da5be4ef499730a1f288f1981bb55d230dcd00d5ccce073af2c8e55e79

SHA512
77730fa6745248f7dc121362f00fc0e45e83bc0572ff83693bd03c7106dc133d1ff83f3c87f781b95887255bf6c21e9c4560b7ea51fb24702f1237cc39e0e4ce

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a951c7994fe63f125be19941b2a8530a

SHA1
8b550ee1d370c0f1df35c5fd861460284397d860

SHA256
204d0caf719668e072119c765148d1801b73471730248ce34b5bc2dadf17c79b

SHA512
7cac66ef0bc7d8c113910a2392d252e8a37d351fa51dfbb783ca7be2c165a2ca5fd0c39a207ae72e23121646f2a5a059d0145bc6b0f39b99b52bdf27eae9e1d3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
216fd0134dc21e63c95c672d04d7c691

SHA1
a88f34fb12721a3eaee6e5160f33043cbcb027c4

SHA256
8462c2bae993680ce49937bdf3c30f06ca7455de34ac52e97344f8c80191965c

SHA512
84e5d6c3a5c97f8da840ca471ac6bb1f290069d1a23426be36cad99a79f128c5b08bc42bb6d96a13d82ea506a8a8f2198ba5baebe5c2ab99a00c6be06789c08a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
023c3ed1cc5be51e2991e05cc7c4f6f1

SHA1
f0c13029fc9931f2516677c546a63526b939760a

SHA256
faa4c5700003ccc6ecdea2bbc9cce91bf317bf5e63249b92d4e201da00e2f632

SHA512
3c1aa3639f8d2604fa8632fb17a46801629943237750a44b5d7cbe7eb14cd7c2998759795b354e5f885ea60744e27cc53ff3ac9d4b2be17ce66c3addb6e8cf97

Download Submit
memory/752-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/752-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/968-636-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/968-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/980-11-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/980-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/980-19-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/980-18-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/980-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1096-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1096-635-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1096-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1728-37-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1728-43-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1728-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1728-45-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1728-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2044-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2044-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2100-50-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2100-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2100-56-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2204-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2204-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2320-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2320-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2432-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2432-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2432-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2432-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2952-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2952-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3636-74-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3636-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-81-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3636-83-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/3744-613-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3744-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3836-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3836-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3952-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3952-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3952-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4312-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4312-72-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4312-1-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/4312-455-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4312-6-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/4384-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4384-643-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4492-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4492-32-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4492-133-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4580-639-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4580-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5060-637-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5060-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5068-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5068-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5072-435-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5072-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5116-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5116-645-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download