ecb3c33e62f26b8ff4b66aafaba72e641316605c32a5d8dc159ce4bfe6d3bac9

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
Size

648KB
MD5

2269a57787885ccb98eb5c84dfb4f5c0
SHA1

d9925fd2186c30ca62491c386a09642af5ffc8ee
SHA256

ecb3c33e62f26b8ff4b66aafaba72e641316605c32a5d8dc159ce4bfe6d3bac9
SHA512

545130f6f0c889b25a547061e82c9e19fc0e8934bf5bf29950f54ae3336b7e6a88f4c1ea8ccb4fb5a3be144e9985cc798ca28b6f123d3b3904363c4a85e28091
SSDEEP

12288:Zqz2DWUCLD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:kz2DW9X7bHsMQ4/O6yMLprOInyT/Swlo

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4856	alg.exe
448	DiagnosticsHub.StandardCollector.Service.exe
4040	fxssvc.exe
4836	elevation_service.exe
4260	elevation_service.exe
2672	maintenanceservice.exe
1248	msdtc.exe
1764	OSE.EXE
3284	PerceptionSimulationService.exe
1356	perfhost.exe
1048	locator.exe
1064	SensorDataService.exe
4428	snmptrap.exe
872	spectrum.exe
4072	ssh-agent.exe
1280	TieringEngineService.exe
3364	AgentService.exe
3288	vds.exe
1052	vssvc.exe
1488	wbengine.exe
4480	WmiApSrv.exe
2500	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d2e6b8fec3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7a7125cc9a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc02ad52c9a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e71d285cc9a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cded255c9a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8eeb852c9a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bc85754c9a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000422a5a54c9a3da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
448	DiagnosticsHub.StandardCollector.Service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4352	2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4040	fxssvc.exe
Token: SeRestorePrivilege	1280	TieringEngineService.exe
Token: SeManageVolumePrivilege	1280	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3364	AgentService.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeBackupPrivilege	1488	wbengine.exe
Token: SeRestorePrivilege	1488	wbengine.exe
Token: SeSecurityPrivilege	1488	wbengine.exe
Token: 33	2500	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2500	SearchIndexer.exe
Token: SeDebugPrivilege	448	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4836	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 5032	2500	SearchIndexer.exe	118
PID 2500 wrote to memory of 5032	2500	SearchIndexer.exe	118
PID 2500 wrote to memory of 2624	2500	SearchIndexer.exe	119
PID 2500 wrote to memory of 2624	2500	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2269a57787885ccb98eb5c84dfb4f5c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:872

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
2c776d0f956f80d7471c54e71bdefca4

SHA1
2d2df7aaa7441a0279c9524b40267cccbe0d6a62

SHA256
f766a6144ee83266e970a4d4081162fffd04e29998d8e2429acb85b8a38ca49a

SHA512
964aa12682e2ace42d7f368712abeffe584291dbbdb152ad4ca50e5031e5e1c861581a4c8dce9b9bb2a96cf845425a0575b70bbdf5c219bc62b397bf404e49d4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c963a2458c230022d00838568aa2640d

SHA1
983cc8d2cd2fc48842117f5f14adbf2bda0ef62f

SHA256
10792eed80c9d8be401f2b59d3dc54d16c7d67b2be5a4e50efda75095575c9db

SHA512
5542d226564cac8a0eddbaf8e9712e574f136001061f5506fa872977da0222e7eff19481803d959127723f2a5112c01c6929eab091a445fc0815914207126ed5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d0d265b87e804f97d12c0ad0ed956895

SHA1
710724b22b62b1c018b9efd609bd600f27b0ebbd

SHA256
845fcd9e4265a61c507cf8d02f68333436458b4b74ff94674b9fc6b3eeca42f7

SHA512
2795ec62d31bea6ef4d62f77a5db72a1b9cdc2cfa07035d244270ffcc8d0a436c1662d850add5865fdc0b21a8e8efdd4cb72d26e4a6425017e2c7d462e12e1ba

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bd955989f41a276f6e7a8e219a829b36

SHA1
65f5f5ab8a2c57e911ee2c76fa31ba1acf0979f2

SHA256
44c92c11934028e272fefed4cf21f19ef5ba0b28bd9d4d89ad1321168dae11cf

SHA512
ffbc36cc37a3807969aa6ddb90dd1b96c58f60f4cfd096ea27b4ff3e9d149c4add28844d52556167b39f111cf76fa560852ab90c4f1d4d39d0f6d1bd2a4edad1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7552b950db84a8f6e4f1eca3bece5569

SHA1
d6d32a46bec0bb871a958f5a07907817410e779c

SHA256
7723f5175cd08ad82a2d6203c76678501ec702a61ef44166fb3c246e652003b8

SHA512
66be794a327318b4d45908db386afb101909f51b94ec85b18d279e5a36a20856a23c5bbb93a127637df0a9a82b3971e025707b18c3faa8481f3bc5bc36735026

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7bb4d5642b573f5e3be58ba2d9c02522

SHA1
39554fec63103e00dbe1bbf77ba8bc5da0622184

SHA256
660a50b3d88b384ef9532798689f0699d4a819ccb9db641c4da9cb81c49a4069

SHA512
c599b9681ebc697fc8b090789c3480139ab46ccdc0305d07d193c062d4e33b54fdd8ffe9a3a9245e68dfc54b083c5e0053be69488f189ad675afb3fb42e2a2ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
68d6cadc25dd36c3598247c2cb6b330a

SHA1
2f231752529ae20840e72dac2430b0f52843dc14

SHA256
20991c9f56d127462aff3af57d5adc22bafceb41f192e298f133decd6cd3317b

SHA512
9893603d4560b70a440f9b11382f12e8273ff50c9abee8fc97f573019a00914ae7f2a0555e7640b75de30b1953861aad9f7bf0b9af2336108e99d99b7951bd65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ae82db49c22034c399ae8d8b7b30636c

SHA1
2b848cd08a1d2fb236583280cd1023e4b54cf69d

SHA256
dae8f58ea653376e13ea11ecd3eefc60e12121ee02ce22c93c768edd713f60f5

SHA512
a58e21492dc30edb93bdae2763ea9b014a1b997dd30c99412895e337a123aab4b892ba614f11fd07ca212255b673b14198a212ba5bfd6a63fe054582b6a7b113

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dc632a6c185bde28607f0c8c628d567d

SHA1
3f3211664565ea25ab1cddd3f44362363236d472

SHA256
f5a4006c52ec1867fe199fc74fd2f65bd1f7d158039d11a4868fa1a3f374da7b

SHA512
6c56696e8cb2ac97cd78ef6b505081576b9f5b1d85b8495b0ca8f4ee22de37ad6b8822b4ba237e5bb0efbe0286cc7c3521c2df8ff9e122a2740a3aeec0723eb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
72164a2d52682d8f94992abe2902af0a

SHA1
3c3eadf53fa86cb9dcb30234ba19c4f94a0e2640

SHA256
d28ab048d520b266f1d67924923cfca9ef7abd3cf5871fa02fd0684b5db18534

SHA512
b082bd771f35c5466512543bf94b27127257b988ee2eca00f03c5d09710c87001211f301b2dd14185763029e14a929ab3166c38bcb7796d07afdbdca86df94f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
443b8cbbeebcfb23deef8cfe25dd3cbe

SHA1
2618c59584a6afd109fefb66854c92e9bf852366

SHA256
825d4364a0c45cb096c5c9ca4086abfe1d395856f342475111d202fb96856436

SHA512
b79bd537834db8a455a6b2f06795efca74338fb468b652eba7e794ddd3275c25165535dbff5eb7f405cc3d04f9d05017db5445b7ddbb3808438fe9b18ce08edb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
71e64031ecc560d144487f8255ab0018

SHA1
f4f378377c064503209880c3419a02ebc7f66cb9

SHA256
c1e382d54ccfe3d92fa0f9ddffa9fc2ba9a7c2a39febf5f02a6ad8367905fdcd

SHA512
add9f7afb4fc38eb6804b65b48c4de4dd9744415d306ce457f979aa190a6079bf574a866cc7b775d2ccc441f9a892877ae8602438c5fa9728a572c70f639444b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3396c850539d239aa1a5c4823b6fff53

SHA1
037fd378c48e4852155e15857d618ef7cce4960a

SHA256
b13cb5778bf1fd9bbf6ce2e541a26a6ee2b3024a9fc9ee61f4452595828f54b4

SHA512
14041ab6e7892aa850c9a6d3b7e137e9f4a9841fe58aff1062d559de13d51915bd88e5483ad947bcc615b6ec4d25cf81cdeada66f9a15005facaf38f44dda567

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b2913b323804edcee967b52d93486f05

SHA1
9949603e8c8e60cd82bb04876439ff229d6a923e

SHA256
4a9dd9d98c55c14bed14bcfb0c9233095559ff61f4a13ab2832211df7d10fad9

SHA512
c7a3c5f5af8853d2175c336446d97862455ccdd1031e83b886f9ffa69097fbac9d8f8350019f71adbb699cd0456c9544f0997fca4a7befe33294b83119367733

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b2d83a77712d94d866118ad2b363013c

SHA1
6eabf9717dc9b57d1a0fc3d3b5c20a1a3c2baf20

SHA256
0a00ca006ee5195af021b39989f024e3026b47d408fe8102df8ecfafa729879b

SHA512
a18d029745c821b19bf73af1cfdb3f4f725c9d3abe923bd889945c02ac84fa2ae66ef479b06edece2f1cefe59b7f86224c15d3fd64703cf644b97e28e85a107c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7b55bec25e9747f69715064514f5ca4d

SHA1
26701c96f274cecaa88d12f53e54762117df73b1

SHA256
e14ddc682ea6d23d4344a34f9c6368f762fa103c13194b6772c9531fe03515d9

SHA512
04d7cedf19c15342e37d1f397b06c0994b2c7e6214f04dfc15232407b4c1fa8ba43250b432f68aee1f92cf5eb52147d7984c01d19a7242c8241fe9dbe1630ad0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e0b3617dc9fa52a0a143081cc911a880

SHA1
0ff6c9ef6a9918d9cb33f19951622f9a58f1927d

SHA256
460fe02f2b947aea3aa93b75d07483c937a25d2c14b7cfaf6da5932a3c409df8

SHA512
c5e1262e1aa6134c9e713d79b8398345866f0e501ffcfcd6dc16c781d0e462085b3ba101dbe3fff6c692fa679de71fd36a1debcaebfbd568795e70806077ba10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f8ae97250f455de8e6a03d54c6af7716

SHA1
35922859d4abb09b6b4588a634181f0f224f7d5b

SHA256
fc72693a9c6b3bcf2ddcb0382e7080108e572a6d5b99aa73ba04358f8055d8e4

SHA512
885e141cebb379c03e5043f23c9b18ccae2e1e2e183f379062b70394082f18b27e02377c9871c68e15d15af313da3f20ba9c3c842243976a74f2aaf9a9c47704

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
37dd074cc949b4f4c2ebe12de61bd46b

SHA1
414b6034f7411f5a07368cccf526aeb9d419fee8

SHA256
c736023ef96c5c363f88d3c42017b771b36fbc1f858f0e111a8fd39d636f90c1

SHA512
a7510b5bfe169f1d388998fd55ee194745fe876acad586fa4db88ca487a1760732c795f8363dd11aa3f1e30f02289ae3a4a5efc6b26b85ecf6b75ee34b2a87f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fca7a01dcb8459a0935977d4c6fa8d31

SHA1
02e96cfad1c0a721db4eaef8858e827990dbc5c3

SHA256
6ebe800548eb0fc3b772ada7977ac15f9ed2bb52f8afba27f7527312a6762afd

SHA512
88501bd8207137a7695334ed36ce25b4ad9e5ef2f01e72614a33da4cbf215e6aa870349092f1895badeea79bcf5194fd8642759d5cf110b0a6625afb37341259

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
77aa615227cb2d3751bfa4677a36f0b3

SHA1
01321cac0756c0cb88d996d8e4ebc9dd5a62d2ea

SHA256
6bb16127b5ebf635491c7ff71ac9b376a293baa1d5a30ae15d4bd0ae7ecaec4e

SHA512
e4af9a1e69fc2d8324cc6e86fcc67e2ce2e0c26340909ff759958e514e37c5c6a5468424ba65e4995eaae884cab3a4ee236fcd987499145bd37bbe756c0fd9d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0863f10e6f4159504ede64a41ecbbbc0

SHA1
c436005f6b52a99f34b3cb5cadf891cf85538f2b

SHA256
1460c493bf9b146be420ab48b96c6bcf444238391254ea129f5f8d4ba180b10c

SHA512
d3260aaf4f31eb9bf24d0e343bdb04a22f19d1d7f2eeec102ebbbecde19c2894d03149c0d7e114b2caf80f1f3eedfb1c55d4cb50d607efce03142407857f0e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1c5341a342e7e5507f77144e6e3c9b87

SHA1
188141d6f1ae9963100c256d2644f6f47dea353e

SHA256
fa80144dd0eb25b630e5012948873efd5d3c6a88b1923f3a5e10688f38ff0263

SHA512
afb4c3e7c320ec22b4c170316039746369f810422d68f0c335092b558df3458f1e5763480b530265207a83190a0408e54e6f51ff8e38f200843a081f5b5ed03a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
27aafb99d88eb14da38e6d66f2489193

SHA1
c874b695c177ac05ac20377f9ed619a6a52a4bb7

SHA256
7ae636296fa7c11e841a513487c6481958060236c35c562afd804e442882070f

SHA512
199c517ff92f389e9e4abfddcfde64d0ad61ad12e82193f5344b211f7e69e526ab04c42eee24607dd16728679ce5ecf75b8623ca072ae57a0700aea15b4fce87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3a3d4e430f6bf03fb2044aef51a688e4

SHA1
f441ccbac37293105b5305c2f4cf6d2ec149cb6d

SHA256
3d35e9374de6d06f33d3aeac3635add8f7a0ce64b1340d2a2db6518a30f684b7

SHA512
d1f0d11e616c2f3a2b0ed6d6856ed806130a9c814d686917705b9b87137dbf7510490dec75a15454d7e8bfd12139078f0dae3c53626e6a21e8f9f05cedef94ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
89156a99ad20eaec661fc36158938428

SHA1
1220d5724993a85dfba4bdf25d64155b1756a8ca

SHA256
c50bf87e30e18681bda5b2ee79dba3d0889917705b54f84606a550269d74d197

SHA512
1520b98475a143846b71cd5c84661ec87fcd8b908ae160d75efb30933b1f522a05f371ffa0e0af08fe4fe0fa58dcee25f3e691baac0cd478ad5fbc7b14126d51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bcf019fb74de2e440cd764c1c471735a

SHA1
b46756e24b89182e0a98df7edeba31215d286045

SHA256
4fa82f60860670123c55cbaa5f5a51ba0122975c510416071858b346cbb38693

SHA512
37f14cc3a7b9b5fca93c47f01030abdefb04a0e48d9c7b0baee6dc3a92e2a251cba462d276bed4d714195dcfc45dfee3efc3efd19f89e55347584a74f2e58ca7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
647f99a9e6d455be354ebb91d695d886

SHA1
93fbd77eded118d082bfc297fdd6946eab7b41dd

SHA256
57d6c8ebb62daf491f621f93cfba25d97f71ffcfa60b94f5aa65de65c26f7e81

SHA512
6fb7a331dbd3607ce15fe59b73a98c6176cd4dc1bca46aca33a3841d96f634fa8542b20e24219f5b332d8d898ac6f5e493955349d373637c85e7cadcc2683257

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
356890928a88453232b03fce4bbf5370

SHA1
f181cdb52c1afdd9ea571642c3c86bcd54faf220

SHA256
47f65e026d3897a633bfd7bffc0351370e1b9c8503765872e13c13b847fc872f

SHA512
7a2b9e44a1bc642e7d5672e84fd5e21d7ebf591d13f7f87a678cc22f94d135f3c80589b8cf1328bb0b128088dd9aadb7f9a8e96a0d700bb729efee8c3f62bb3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b0b6bfc5112b6acb16bae59769ab5da1

SHA1
93095928c6c29b4d07b7fa1e72e712ba6ffb3e87

SHA256
990d75683bf434cb214fbe6660350595b7db72fe937a6a4c2b01e964087bfe3e

SHA512
bda45bb4bf035c40b7c97aa02fbcf907a439ce9c303aa8e0994719b04cfafea97a835398012e451fe1d37a7248ccd10427fed2b4e0227e9837924bb32d0fa7c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
074c88b20c941012d2ec8d1a4525ece9

SHA1
add23dae595910992a8f975d1a4db1693b74a69b

SHA256
272e9d6ae94e55c566d73cd88ed495fd725b3d952b554f08ecec883d73acb2ba

SHA512
2599aed398f9544a97800ee40d980cdcde0b9894176ecf769d2591a097a84d6cc40ce87c6140e71853f06e89b8b0851c575bd5dee77e2c8ec6580594905663a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9cc02c2a3609b979bd5b3b4da21c7200

SHA1
760697fc052a6a4949279cc7f84748caf47252ba

SHA256
94739e9c84e31d4f7b146dc30187e02c905048fff880265af5e7359684f7a0f9

SHA512
5859f38a8650c4e56efaa45940e23f273f52fdad842f1721333047f696aefb310544d79275fbb6f07ba4bcd1452f7356073eacc5262f8b66690de51317ae8229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
34eddf61a38a4b72be12e6aa010f5e00

SHA1
6a5e267b02fe74d85a24bdb907650a1528afa924

SHA256
8991252737dd3bcc79e07c4f1416cf5b33443e69566aa2ce2ddd89c15ed32640

SHA512
8b2afdec9517e60b6218a1f5518882ed650ab3493e81414dc13acc3fd8c05b6d4fe8ad6be789e50c812e0e973e3e42cc5a4d70e1b4d980d369045a50cf0e9848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
61690029aa9b3dc32eaa0121cae892fe

SHA1
3b324a5ed6265670505d7ee5fb80b1d2e545cc66

SHA256
30b4ec10d85a97c6b629065bbf2a4c7b4c3f52886d210314ef41edc0ed40b823

SHA512
019f7302c5e0a0872b5f5dab08694de06267aadbaf19b54aaff51730cef5244c159101d72be8f7634def5383ef4f5cbf480d5c899675cc80d3f66136efa161b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7159c6cb6f36859eb1e5e6112e7036f1

SHA1
5152ff95b3b2b09a219dded8568ee9b7108adbce

SHA256
81112147fa26fc4dbfda871ea9893138a277259b66dcf99c1e8132b004884f8d

SHA512
dd1b3b67a18d559fac0c65dd84ba3e18a31087c5e2acb932eb3e453ae531257f339b6e6dc75686ffb3eb0b5a761c4ac64296b22ceb2c39e8f049fa1868649061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0b85d8759c2bd2470f0be5756335a052

SHA1
9ae3004177b0a1aaa963906e0d3a5927e82007bf

SHA256
4677b1b55414ddb93881d6f698359e0cb9ffdb5cd6729dc949456d4af4d5d9bc

SHA512
4a6f85795a8989735253b5b2657760d11a21999606937f19c0e88d54c1cd8f2e408bc770a928f5669b4506b23abd8aa9be0259973748fb52e179b34cfa08ab12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9b56731d0050fa8cc3f195dbe5a6c780

SHA1
979e38bf5fc4631da0db5f09dc7bc42cef82cfc1

SHA256
705ccbf67d7f4d82b6aa1aae0c14cb455269b89769e0a18b3191962c70ec0437

SHA512
7a9b0fefa8e5e660057b84bf56f7e14d6767386f1501cca3049bc5ac1e77dd452386ed2862b3541383aa78599fec6ad0e1a43aef0f9d8ebb6751e70c6a8ef8c8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e9133ba0f05e5ae4a6ce5873781f4ae8

SHA1
63b69769d6b8b3e7e40932609f874055e5417e85

SHA256
53c899636124128a1c1c1e988052fdcbe6dde380f8a405aad9ebdfde092f1075

SHA512
1e7516df12a75af63b17010f667d5a3c536060d4c5d80d15e129e2844e75a156a0524383fd5efb21d493b4eb51725287d923ea71c3aa573877ad6bca80c6e1a8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d67022c3fd3ab1607a11e9b6d37679ca

SHA1
daaa813a5a442ef2dc779eabb455ad2f4b8c47b1

SHA256
debe55ef6a7820c6481cd8ed9924d2aab51357597aa2ff372703871f5d6aa62f

SHA512
a4d5cd84b9413b546c5f871f3561124c701f914f0cea0fb5ed6dcaf6106031edfd90a57f0c1bbd94b99e9a2c7617dbb0e9c95baaceedae22e106913b49e67220

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6e3ca9b76ca116c43c24d4c9a8cfbf91

SHA1
cdfcba2835e5e6568a8aa938605edd69fcc3058e

SHA256
4d226ce9806b42adabf016389f3de04cb51caa412c77a5431523d910f16b4b82

SHA512
3cd129e9dd0777380ece5e8cbf0104895f9794d81ee60aa17c19ba21029773da6bfaa71043c591de6da046e7420f6bdfa4159b9cc3c647dce239f3f19149ee59

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0fc4ae0782302887ebed12346ffafac4

SHA1
e58d6e59c1f4b90feaacc959c4965c69a480f08a

SHA256
ce8909f18fdef0f1e592e9669e65077810985dbae7ceddd89af0328719909cae

SHA512
ff19ac6e91f91ef2ec339d13550f11770d2b17f9d5b403740effe00b9993a3cba705199116d7cefad7732403b35a4e3a935c3a881d7fecdc3d565914fdbaedc6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a3c6a0f6d117ee02ab001a9ffa437ab3

SHA1
c71131200c2b86cec96cf308afc8b21077160890

SHA256
32bb6b695530d4c4b5149854e82cf22527c27b7616190a4d1b5ab7207680dc3a

SHA512
ebdb48c4d3ba19ce0a6a037f43cf7cbf489ecd0d3dbe2a473558e1208f9c8db97fed93d5b7424386fd17c3f96615115a628f449d3e99b727beddfed4faa7f8f6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
76fbfaa117c33b34d409ce9e2bbed6c6

SHA1
a744e6a24f0e956953eab704cf8123a26391595c

SHA256
59d0d17165bc672dd1cff7f18518cdcca41ff400e498fe7d9fd36190ce082744

SHA512
a105c94340c0e46a7aa5c9a4266f4cc56d3a56a4e37b8ab001a51fc669a02a732f3778589ca4b49ea769225ca4e818d31443ca8d9f3f2c87f7946a771fbf04b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b1d8deb7ed431a6b4d5d021d866f4f94

SHA1
54a74e49d251d5e6607e4da9f94a1aa5e9001da4

SHA256
38552fda4efabb56c0663d7b6f02a8c575883cae7a96d57ff6734d3335dbaf56

SHA512
9efa7370a545c95ef85f8ee39773cf9292c7fc24487b09f52b1148fee9e65b2749b682fd4c56bec7689784d76c689bafa30854ba3458a03c4b374cce456289df

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
60c09de4f9f8c363ea709abe95334a52

SHA1
897998e75bde89b58bfd2e0b7ab163e39bc41c37

SHA256
32139a7b9c380bcf1bbe22dbe8d75973d27c2ad40fcedb1058da5ffe276b3739

SHA512
80aba8def4eebe7c7f10a22df49726b07d246923a70d59f4652c78ceb42473284e6f49749a4a097a87d23b05a8dd8884d8493472b88156ce49fc7753ae8f1232

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d3696d93ae388240c3e1bc9644e9e555

SHA1
8535de356d7ebc798737c9180361f88ad251957f

SHA256
fff3627e50da87cd71cc8231862ef56a0f0bfc14994c8d0cf3a9c1ff758193e8

SHA512
ad75e24dfc8a0d16a335bbfdd207995798fc4367c50797520c7f52319e17dfe8103ad6f720fce0c4cd0a7a30750d1a731f5b44632c52c6d4853ba0de80a2d029

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7217c1664d7991385c9a617f7ca5da0f

SHA1
b0ffae5e991b7b23f74c02cc8923fcfebb1d794e

SHA256
191c36e283bf4592dc9354a0b90ebc32b980b7697cf1e83a9765649386116a16

SHA512
c487a1c09850f99abd5badc25fc5352f354dd95199ecdb4f74d9bc59cffbcedc3095faed25a71d222f200da7665e436602eb789f1cf842c5e7cc2b7081c94816

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
df11caf2b93dadf95499b64e66ca0e72

SHA1
f7dc51d215cb341b63d871f937a7719e27d540a5

SHA256
61f2edf9f08aea9e64d3095f047c72645d4fc631537f173b4adc627c57003c60

SHA512
6b441dbc1296f251d110f2044799f8e80e2b4922dfc0be3578a8deb635c507fd4be283d6fad27d356ae6c65fd856898f0b42626a61b148b574b50617f093ee7f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f9672a3d9e6309fbaa51fa145e8660e5

SHA1
7b54ccf7a4325de804003f807add6dc7cc6ac0d5

SHA256
33061f2fb297096a8cecab181d75258735169c3aa32e705df1b6938b958db36f

SHA512
d3f5d5289be71ed8a31dcb2309e0236fa018c18796bbfe19220fc6837c4e684a7d0a281e1cccf0dbee166089f606b7f2529dc5ccd42cdfd7a622db1369db89ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bc894e92b0e8d45a42b980a64569a886

SHA1
f5ba0b38467497e2429bbd2bf0a5d21f4ac9d621

SHA256
29136d78c673419f2900077761e8abb1b90780b4aaf95da4ed9146a843aa0e0d

SHA512
0857397cc8af567b35fdf99f3853974e68b8402a30dc2e21104190e27bc0da727c2090499b43bf29967e2ca8ca7f5b2f869db68e97326c268eb4ede0172476bd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d591b34da62d59cccdbfe5ee55696a1c

SHA1
58790a635cd4c4e269fa4a733fefcc226c886b8f

SHA256
1eb84164d57c542f9bf7127b41e3924171edf48729dede3137310dc4a426b5ac

SHA512
93c6882180f28040f2f174ea6c39a2d9c92692afd963896a4d54ffd4d33271725ee70455f171e26ad94448c60b5eaea87d387e5c439b66d76cf1a7ebc4601b06

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e64fc019cfbc51ecf705af4c1e15bf81

SHA1
2b81e78ec8fce7c4ac09212bdfc09d4c0d86e33e

SHA256
5eac7192d3f0e7b7e2a91f7080f75e57e6a9a93497ebe8eccc29598d3728a9be

SHA512
e4b90d616bf214c2fd6a673a12abee5511cad6028723bd093825db2ff44d781c2185969a1b26a58475da43635e12bad821490e0c7128123e93541fbd6f9166e7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cc75ce0da3ae28ec96d8f3f42549eca3

SHA1
417740ed100151a49bed02472878b9452f929959

SHA256
37198344999e24578bc7cc0217005d00b385444b9977b4c62f9cc7e7dbef688e

SHA512
d0e7fd8cc632a6867f5a1471c07e730ecdf30c28bef033b411b3c7297deeee061b56b4b3d4f0cb316d3d15c0fcc8c6ce455128dd25b8319eb0e19a439f59d140

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fb285cafe82c74ea698b8672389a4ec3

SHA1
5e27baa830b659eaacb22f3330a67c5223db5525

SHA256
4aa517466defa62dfddbf5659eac7f2d337ce13bca365206294de562d27e9b47

SHA512
84b121b7396d2191065c7b79b6262edf5645b22246dadc94e507d778f5a82a12fab40fce85cfffec92ac44245e2b4c580005867e4318bc06a8e111c3cd0871a6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b335d717c03ec64e32ae9b97520af6d5

SHA1
5632afcc3829d9af9d0eb46472fe86032afb250f

SHA256
0de08a7898fb5d2114cb875695a08c5242f1e03eb9abd8c92a9ed4df83efa7f1

SHA512
a8d3d966e68c72647cfdc56730e47f85d450498555501fc0a735428a5c35ac89332be46dd13463ceb72a59de27f1e638e880a7dcf7618162ed231cb121f9e4b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d6b33d1401ca9ce52a097580d87d4a9b

SHA1
2f65c001cb3c47f7b45eaf867f3d09711ffc5927

SHA256
d6b5fbdcef59ec2101df0bca1c7b9c44878dda47f5b459a701bf3aa7181b638f

SHA512
0ac3920fec47d08000c39e93468ee77b2be44d5c376eba300d9ae91e52aa5a2a672a76ddd6d2d94ed10dc09cb850352b6922be3d9f523f493d02f261c3950765

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c40ac4772e1d4b8909cbf8f6f252d8a4

SHA1
4924f061053492c74883bc958cd21555e62cf7d8

SHA256
739fe919754005bd4d3cf28f8baae5fbb544831ae12656c539d05e6f7a738f72

SHA512
bfcffe3ac6a35e7479f9e87c0381fa631c4aa35201a472b307a5c5f5263b2a191c8a78d10907c83daa01f4b689c82e75065045b0320e8af5c90f230dc4dd0368

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5dbe089c98c78a23bf150ead03a80470

SHA1
05384f0fd9f22b1adec9495b86df3fee8d5b2b90

SHA256
29be00bf78712dfe64b5fe800aa6e948bc842b5dd6563d15f2f36b1aaba8edd3

SHA512
f4d024bb1260623d7ab94ef01bd41c25f7b4e56c4f78a755880b58c8282023ccb26d2779e4cb62ecaf7f9604ee9bf2a3f596038583fe455ac1b803ee35200874

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f1290535a63520eb74b55cc5331592e

SHA1
79f515b501c785ba86c22072d36b0e96c7d87323

SHA256
cae53b487b55ec0421519ec25fc7a07f766853ba433faa331da192a619f5bcb1

SHA512
ab06e5d923a9eb78de6dd2be647274e48b58947843eec3768cde3db2a85446b8f09cfa2b95e8b55e909206dadb5416247e612b91b46e28d17a42fbdd445cbce1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6a2187e7f7ec21df2fdc99d78f6ac0e8

SHA1
e2a902c3003eb5524be8e178d4c4283fe0021d5b

SHA256
1c21931bdc46e174027c797aa51e0bd55aebf1b3680e5c5c93da6d8fd298c52e

SHA512
dbab9dd0c506bf0a7705788112744e9cd629662599be0ade9313b8b80b3e796b96706f72e6d06e3f0bb54ec5239bbe2b1feb024d6b43651e1456ac2ec4be9ec5

Download Submit
memory/448-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/448-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/448-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/872-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/872-507-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1048-126-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1052-509-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1052-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1064-450-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1064-127-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1248-73-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1280-148-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1356-101-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1356-106-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1356-125-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1488-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1764-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1764-471-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1764-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1764-82-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2500-511-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2500-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2672-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2672-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2672-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2672-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2672-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3284-97-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3284-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3284-91-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3284-504-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3288-172-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3364-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3364-508-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4040-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4072-147-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4260-54-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4260-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4260-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4260-470-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4352-9-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4352-1-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4352-7-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4352-363-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4352-362-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4352-89-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4352-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4428-128-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4480-170-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4480-510-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4836-453-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4836-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4836-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4836-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4856-146-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4856-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download