a4226c26efcde8fe676744ef07605c6617f541aa87cb8d3948b2ee0de23ecc26

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Size

1.2MB
MD5

bd7b006d782abe5af0dbc0f35a57d080
SHA1

1e96665bb060d265c7f1ad393e8702170a130c3a
SHA256

a4226c26efcde8fe676744ef07605c6617f541aa87cb8d3948b2ee0de23ecc26
SHA512

c29744ad98ea2f1d7fc8a84a8c5083171d977c1e100cf2d32d37dc21643759f07e74d4d7b0d7ddde414cd572fa2a4d5bb16c243a92dad4fea92f96541d5cd4fa
SSDEEP

12288:Kux6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:Kux6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4448	alg.exe
5036	DiagnosticsHub.StandardCollector.Service.exe
3724	fxssvc.exe
3992	elevation_service.exe
3564	elevation_service.exe
3828	maintenanceservice.exe
1036	msdtc.exe
532	OSE.EXE
4724	PerceptionSimulationService.exe
2348	perfhost.exe
1744	locator.exe
4656	SensorDataService.exe
5000	snmptrap.exe
4824	spectrum.exe
3652	ssh-agent.exe
2032	TieringEngineService.exe
2016	AgentService.exe
1288	vds.exe
4292	vssvc.exe
2096	wbengine.exe
4848	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bb2f5471c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004019bea74aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ec3c3a64aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b7f63a74aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097f6ffa84aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad70f3a64aa5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2faa2a84aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011ac0da74aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428225a74aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeAuditPrivilege	3724	fxssvc.exe
Token: SeRestorePrivilege	2032	TieringEngineService.exe
Token: SeManageVolumePrivilege	2032	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2016	AgentService.exe
Token: SeBackupPrivilege	4292	vssvc.exe
Token: SeRestorePrivilege	4292	vssvc.exe
Token: SeAuditPrivilege	4292	vssvc.exe
Token: SeBackupPrivilege	2096	wbengine.exe
Token: SeRestorePrivilege	2096	wbengine.exe
Token: SeSecurityPrivilege	2096	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege	2224	bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4448	alg.exe
Token: SeDebugPrivilege	4448	alg.exe
Token: SeDebugPrivilege	4448	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2756	4936	SearchIndexer.exe	119
PID 4936 wrote to memory of 2756	4936	SearchIndexer.exe	119
PID 4936 wrote to memory of 3376	4936	SearchIndexer.exe	120
PID 4936 wrote to memory of 3376	4936	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bd7b006d782abe5af0dbc0f35a57d080_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4824

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1000 /prefetch:8
1⤵
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
342740cce63569444ec8ed7e5b589244

SHA1
e0c01d7512700da280dedbe288c4ba4667a2875e

SHA256
10a16306c77a1b6486fc563a2b25fe453cb4d77604873e1814866462f7195e32

SHA512
5d9b037212295dd0f90a657ba0579397fab47da8be9ba8e76a4e881e4b1dfdb79d7fa2bbb73b65555151047a3a9e1725a85dece5b41bfead5647068dd0f2528f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
54006c4ebff9d4510a42749bc6ae96ae

SHA1
8a25d71d6d420abc5afefb6b47e6f80cef85eb94

SHA256
e941492919183c6cb5155bb3e1a78af849290d1777199dd545ecc8b0bf8c40e1

SHA512
d06b6435fdebfdc37aa051822b4ae473bf0f974f8d7c9414a616bfb0861306cda3df8225c2cbce52838f0f45e01ba67cc1d7d0f14ef8c5095b67853b75cd6289

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1ae0951820071fc6d637570601fc6b11

SHA1
ce28793277f3b5b80eff39e36cc949d7da833d89

SHA256
bf5dd01fe3ea39a90c38410d56e1f21f7e09a20ca452527238cfaef4639c988b

SHA512
f1732b9a536f7421c41a622dabec40d908eaa3c71c656fa6c0ef06eec48566a4fe0f6d6a1dce9bcd8e5ab5de19acaaa3c38188b75332efae540c4367df377d22

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
75ac83eb986311ee80c326f035678e1d

SHA1
e55219a652ca66babc720cabfd14d5cbbb118e64

SHA256
ce26f67e40d55a6e725b70642da9c0a5aaad6c1877b15756deb91dcade24287a

SHA512
09f95091ce8b6ed7b226ad3789abfc5616835683b8ae310214b02aa8747456821c8fc35e8040058da8bd32a2092fa8bc9b1a85359a805bec3759e0b1381238a2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cf2056cfd79e124b782c864eff320081

SHA1
d64bca99a34e1c9c9e314eb3bec4bea2a9d351da

SHA256
12ac1d9559330254f854e2cdb2cb4bf1336280f743ab114da93f11e1d317369a

SHA512
040c47374d8af9f0c59d5dfe63d66868654036f2ecbdd6b79196abc30b6eb474c5e08945a92122b0de2163035a5868297ef1f2e0c0e941d3dc82086738db7762

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
97eb49366811c830a32c84a563587ed4

SHA1
72fbbb7a30cfd690f7a500936bc4446c7075c39d

SHA256
688458f708f15929122d7d0c1afba2e55dc6c5665ec287559a7904780c9d1541

SHA512
9b99a363fb5622120546f536754932e15bf522b798f4a573c2378fd3668dd904aeb08acac26260b1471da0675e65a6cefae0472b2296f97eab974d516b9b95c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
52f8de35268058eca826b7ed2acccd7a

SHA1
99dff19301ee659f0c1eacf3eeada80ce1ad8534

SHA256
85d99ffbf6edf66f3a0f772424d6d221b9fd34845245d3145d8c0a04634236a7

SHA512
ddf25fee56e5383ff7e1ff61ef587240d0af4c86a228d44234987d7bb1f57b722c03f0981a25563ae9b83f65f30cbcd8c58fdf9ace226bb2b471fd32a89edbed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d98ffaa7383192c5313c82264c3da63c

SHA1
04faa2c5ffeeb3a213b5ed7a01572865f08db193

SHA256
379f9589e47e11204e415922981a8de6c1abc812bb35bbaf67826a8d3550c154

SHA512
c57ddf0430f163e43ab85658ac9ced759c68026034b931d60ed51965fafe4491ff81fa9d07aa66afee1dad9b9ec71bd2b69db709f4085098a47b1d202fb0ed9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
67053f9a62c32b313a0c380b9bc06f7e

SHA1
ec71e89f0f6b8556ff0336086a331bb4a14ae304

SHA256
5e9c4c55165ec24d152e13e9688bea58019cb4ff7e6afe8105f2f6d6c1e8e00c

SHA512
7c9c741cfd73f61bec7b5e1234dcbeef6b4883266901aa672c264dfddaf7d0baed449c4498d983eff176e385f54cce7574bb9f7872ac0eae9458bd260643e861

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cf8c899a7448e15041ce2465a79cf131

SHA1
393c7e1b9571ef4efbe73da3c94ca172cbf751b1

SHA256
2e37608c745a5945324d3346516a5ca8d9e1dd8d840b6a353b6930f385910f7a

SHA512
3b95873f2a227ae718d0007ef9cd8dbce41f57becd71b95ed49c08d51669cf157998c2345d2a248fc6011a040c0e2832f4868c18a71138e50332b176e9f72fcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7958ba615abdbbc38e70d8494baaa1a3

SHA1
635a00c8590c385c6ddf31e91d5dd393cc988a19

SHA256
ce775707e960edf2a7d924a2d37285904cd05a69aa527de3f44d26742d22bf20

SHA512
cf955560dfe046b7e62227603acff74275b731f4801efc3423904cd18293772ad88db3e58c4df14261aea58cfc82ef9bf6b13fb5f1fbcfadd91f13174f963d90

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9627ffa24bd3790739abb07a0658c0f0

SHA1
a586b93293cc6792c0d500c909af0e0956b9a27f

SHA256
9b03c85c04d6a7b752b342145c357009765964ab15a04ed192210d2d7ba7ad05

SHA512
05a03db73777c946b03b2f5bd2b684877b6cf01aba2e890a4fb425a44d3cf5a8b25f29fa40e57db303d419442cb0452a8fab93482101caba3b7e1032892df6f5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
86a7c4147d5f850d9125ac6d30dea200

SHA1
22909cad6c3a7a22ef822e75075863ea3bb08e79

SHA256
63829112d0584012b4a960da156cb00e73dd806342f235d4f0e4ceb2c47dbb18

SHA512
a5186702db48eab7bda1bbd9d448ec16c4fd505b2c177fb7acea024066faae445524b4c052d3de1f68ab288064d5195b067f8166f9c67069ba5c84a6063dd661

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0dfa81e62b7ec4f4a8828698c0ca7f77

SHA1
1904370040d704229ebbe47bb355a06d4d65c6b9

SHA256
a58594f231fab72d4e46067f3adf4896001f42b6eb0e0cd10d10cbfcf787bdd7

SHA512
f651aab9e6b813e6279052cfc90c5e9758e723adf15aecc3916b0f0fa22a478181cb5853fe601c5d15497d545c58fac2661ec134fdafba8973860db34a1c4460

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ad8427ce0958dd9565331490e50a70d7

SHA1
a18ccfe4e48dfc9320e94d0865248960f30fe7f2

SHA256
6cfda20139840f1756a7038a0b0bab9b943c08f2c01a1285c8b0b1189ceea595

SHA512
3a390967db9d027df0848462ae1af6f7f19c8a8c217a883d163f67cb5084f95f4752b452f67ffa9559e1a9a90dc59c12da9e3a5cc69109cbfc2cd58413cbb8cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6e645422087479a59c510cfd3b1d914d

SHA1
b00ed5612d4f2c82dfae1fb0787b25c3824e6d9c

SHA256
9bc20cbfb357fb1386056aafe0f8dc8ae2b301a3d897df78ac12d5aec2ae7c38

SHA512
eb6ebc89949cfcb69694302cb62ccf4c6b4f5bb1d8857c05a254be3e6e557b6bf7496342118619a6712afd20f00c1d559164b275d93d620049b5c03131ab02d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
068c62de8a7d68e842e1229cba05d334

SHA1
d37327d99e15676b72ec3411e22c7ec5257b63f3

SHA256
608464c198c194f9d4afcc75c8dede829fedca1ca30040ace91c6e4743e32939

SHA512
721c2bad9070aefc945f92d3c89cac3abcc8cd41b5c4c694efe05cdb3d101b44daf9f663337cb59d365890d49d6d292410e1ffb14de1a03d25394948cd23a29f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6721c701dcf5b9ab2306c2e01fbe13cb

SHA1
9b6d795e0aad1fc9aa9ccda3677f56abadbfa6e9

SHA256
e24afd73d8611af281c3363eb874a62996a62584b59841184c5fcbcc4f2707b3

SHA512
204275404e526e0c704ee18761c5277a5a34b2e1a56cf2fd6d0c5693d9754ed9693ebda9fec8b4015db0fd85e19119eb1e5713073b1e370f3b6a9f4192fc88a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6f7949b6de18cf6ca2a8574f08b99fe1

SHA1
2cfd9fe5a0c1119030e1479613faf97e36e454c2

SHA256
25ec23c7c94357b130a4bb77413c00782a70f87d5cb9430f51acb3ca0fa6af6e

SHA512
87fe1de8e5882b40781f527e1068f595f17511ac07adbc1b21e669f25f70329d16147bb52b7318b98dcb894f5fa84b4448628ecfe78f5309f925c2420e03c165

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ed38596d2ca00c42023fa44d0b4ecb0a

SHA1
382a7c6718a956a4db309efa44b5f5b66ff650ac

SHA256
9299e157940682aa315099375f3a95a563bedae65930f2c2e33aceadc26fc651

SHA512
2cb071f9602e7953148087a5e25dc061bb2dadb3d13ef0853307a27887b439ffa82fcb784ec8654c64f0be5b17c8b3ca76c46b9a726cf27fe6158c002390c2d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b318b4a4dc34332b5644cc38ce711f00

SHA1
e087710f342afef915c199a598f4620328406abd

SHA256
ccec6c20899d24b21b6a9a158a28dd0a66c961c1e7ab2e441e704ac6dcbabcfa

SHA512
ea7d5e2dce3c07454ccd4a81c455dd89d1b2b368e374c97450d057b2c584d8150091b6890a5ff7f18200827b57259a12dc315802030502b41cac1c08d13969b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0ca4f0afdc88c2ac6d649bb50e9f5def

SHA1
5553fe8b21e0de5217341b1a208e4e554ec06b5e

SHA256
356620e52aac7eb09744e4a57bdeaa54ce2a1b9ad7d69f115166d41be09cd9f0

SHA512
2ca8062cb8164e3d9203fcaeef3f8ea1d8cb43fb37a67851f0e715ac9adae1f91d844b467efaee22df723b6a3b34653490f5420df3edfdc89155d2985e743c90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
249fa9632e69bdee308d438d5ec66a9c

SHA1
718eb05ddf5151275367bb0d7f4ea9c0f66686c9

SHA256
e8d4dbb5a8c0e354a17c1621282ca55b156098905a4a00cb066098c079800d35

SHA512
8601ee265675ad1fc71aa40f08f3923862654e26605d98a993903928b1578a8c40910326425810b74d26f0a43a013a2d427368d67eeedcf280874f3f5b8120ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
69ec63b70eb5553605a1f79787a032b2

SHA1
16155e24733937bf514f65ad2a84b7dbfc19387a

SHA256
23ae1e528f5335e1632ea54ea900195d1324b8c950d64e07dad4cdcd6f26c826

SHA512
e3312abf2f7db8c191fa805a3cc5c6e4d409567e263f372a961bc6aa5ae7d1c7e849c0e2e66716d4f0760cd8de4717e59e53d13a599102854fb4844f17e520c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
daac7d80aafdc69d022e509b7b889302

SHA1
a8a2562f35bf0ff84536709387a7c253e98cb363

SHA256
2a2479a89ff70a69077b7ae4f25302a49e7020c2cda045de7a3d7af7bbb7610f

SHA512
be32c270dfbd05ba64746a8c71d75b21f9db1a67a0eb2a2c6ac39ff0e3137c4aff66b7dc0ff0eb69315f679d7b4d0e63724ede3b3db50b543b8e8626faf138cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fcdc8b725f7df15323dae5525fefe813

SHA1
969af30436d3da56ba309510f860d9168df36e55

SHA256
b3e30c3615235e0fec11cb8492d95c67739a412291654dff4259ddb82a6e6e9d

SHA512
f793efe0d3dbb92bad49c5135a3e903b90de14d3d8edc7b1381c6c3fa974f9ba7af13478bd20172d975de718259969ccceb01f50c2b406af6b8bbecba8e6f7ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
dcc219b2fd377ce6ff4fd5bd39782a49

SHA1
00ec66557882a4d2dd27a90bbc1266914da8216c

SHA256
f6361fbc88e4a44c2e298299e3bdee845189f1d60788e544ea3e3a7e36f0d5f6

SHA512
38800ab0f4afdba38eb98713446d8f31fc24a326a709c24eb27cdcb4b77dbe82bcc14e746ffd4ed2ba4bdd38c770014584b1e85e908b092a8ba454090b354b7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c3b4537931a6e5911c3d654adf2960a4

SHA1
3f692bd3251d28a8f1b5adc9e0b8f315a23312fe

SHA256
a9111106b276c77c76ddf97f5500dc0f79f3b15cff1c89c069e9c027983a412d

SHA512
db2ed6658187fce1eb688cc8cb2a8c1132ed88b36e92c0baeaa19773fc8fce6e780e59085ee098eb8d1ea16677686e09323b122a19cccb6b242975546c3eccc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f13402c6c650ffe5851a559429f03908

SHA1
b693bc827cafd5d549efdce92f237ea31fc34491

SHA256
89c6f20f6dc8b674a72e5ede4726327dbefafa5a27538c572d892796d34a168e

SHA512
7770f359001d2fd83621d10629338d87b774e19da1d85763083cb2d8d43612482cb84f4f76f5f0dc40b6fd55975e9966ddf1f722918e7732a899498eee6ae1ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
07f3aeaeedb5d80a3a4bfb9ed86702d0

SHA1
9e49e5d57c633a76d5c7db433d25719c85708e45

SHA256
a8f712c3d5328b61e4fc7176ac06591d7c085b7291d1bfc9b8f4dde4be16d297

SHA512
8fd8b892dc7353ef2b32a613ed923c0bc4b284e0d5a8d0f1d933a531f5fccb4116d0725b2184bcac3a060515a6b38cc5a1c7d06ae53dfd347f672c6df8fc28e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a0dd0e6d2015fcdbfef48c1f3c7ad467

SHA1
9323cc1437c0034e0773033e0ad6300f89b4e4aa

SHA256
c45d3cc7f281cc29db67a4a5a0f43909590a70fd7eb1f1fddab5290de8594368

SHA512
c9ef18a3dbf4afb5a1b25f47659cae6930b542d12497e5b05df6a4904d786364525911eb2c5d4c145b79cca71ed44294e4235de25d22025880727ba124fc9e1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
14aaa4400c0d5510b5d4dc77fc6aebfa

SHA1
1c75e2df6303415661d091237d1b107c67ea2792

SHA256
3439212bc1b0e9f0ae8de34415d9616f9e2c73b36ad71f983974687fec85b4ad

SHA512
4c9fe86a5e9f675c5217a866b66fe0e981518ef8f1a156096778086c4e9c89f24f770d0173758b23d483fb519a546f4d77bb10873db3539fcc6ab2e3db708545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
89ca4eb47737214383b797dcc258a137

SHA1
b58aa544a600a86acd6f0046d3ab99e33d6422f5

SHA256
93c92061b9d608348c11208dfa3d93921df69052ef70a2e1c9b1fc35c676d61d

SHA512
aa306186c3827e6635509956cd798fe216db91f14b354c65a25af8ec32ce647d83014e59db64fe14244802f368b1f571440dbdce671a73f46a81141f560152c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d02b25d692599b9493c2916404c0b1a8

SHA1
b15eb251e5d4074fff65fddd881fefac135cb8e8

SHA256
78a1781496c6e9696274be8e02e64cad8f142f3df1acbccec4bab96c9d4b89c6

SHA512
b7ac8d2749d1ca0f0133242a411cc1c176bca78b72ced7b6137632685bfbe7c4cd6a8b5de5223a36e11413f535e4df6c3ff721298e37e85ff61ac05b37ac42ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
1850f6f22d7de26a637185063d92366d

SHA1
7ae5bdbb2b56f060590b972198ece1567f00f184

SHA256
3c9d133df0ea440855597323486f7a6415816e6ae02810761fb000deebe76d6d

SHA512
24f3948b0c2e5c68ecd48cc963fc9d9383ba725b17e20dc7cd9e35ecbd013cc2ac58be43b81823e91221ad59e43d8e049010aac6090ca0a45b40c18f73db4ddd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
620f22a778d74980bc7f49d27eb9913f

SHA1
53e69c231bfd56e239e3d6ff72098eab1b2818d6

SHA256
5f671568b8bef4e9d3e2ccff8f1ccbac1ace4328eab1400ab12d81df286002e3

SHA512
27268477f89cd8c87df0080d32d10cef61bd0731ae993100024a7a2d6f068d16c9094a3d640d1335c7b5e867719d62ce7a617a2443871e36c3c5fdd174fd8fc6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6ae1ac92d3f04fa9209213bf64aef31f

SHA1
1d8536e83043ff2dfeacffa144dcbc58f82ba899

SHA256
fc10e5cca21ab010d85985034faf18b46b35fdf1316fe97fca69361683ea0d3d

SHA512
330b06726fb8c1f627ecd1ab8100832a053586c686e13cb901761208ecfd78779107fb658417999973eaf65f5c8ab202af8db6b9b4861bbc4d181f5e94fc4176

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
615f082c93ad892343b59233beb0e693

SHA1
98f100e4c996400fdfffaf204e32a0809b5a1e30

SHA256
041d7582ae39b37857228f0bb23c26ddd02fd98fc6824ca04531eecb523bd79a

SHA512
a6a52239a9c666cec8ebc56156f583a752d9c61007d8112ddca912868909e68bb6991f39ceff9719418a6afa4a0c5f7d1cc4e82468b6c62f9a6d710238046c14

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c0c8f017810f7ffd71a5feae7e720953

SHA1
abfcd0f203cddce04c1ecbf009187865917dee57

SHA256
b0433f14e946564322768c2083884921e590b7aa6b49b37161dd2ef683badb6a

SHA512
5a1ece33b1bf4b7fe87e0de1c7a37281a577e207e1650e9fa31d87debc60a1df8e4a3ec5676e476a84459102e3d9d1fee4daf477cb8b1ab3143ee715ee34fb36

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
96220a1a0b14f82d26dbe02bd77f77fd

SHA1
fddcbeed3c82fff28485e0bbb7ed9ff76c5e9c22

SHA256
071671af148497d342ee83bf1c5ca580de9690f8a6ee3da725cde5f9e5e555dd

SHA512
2f988e2c174d159df2e5d6ed161a437de6b11f62191b4e0b13fb4768dac51e575ec14ca2466d5bf345c916dcd3c41baedb977a0a9ed14df5eea69b49fc23649c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fe1bab036df8551ea42365fe859617e7

SHA1
c4b292706161dca78359fa8009c71cf3b8d329ca

SHA256
ec4856ae4998fcd700a02460c288c87ae4a2f652a8ace09a6a05e2b82f7d0b6f

SHA512
c57ea8d069bd6ec379b7a990c6773f691e586952e7e6c4805b6f8fba42dda86675299f2483f38d5397d9e8116df4ccb588708aa9e87853ba6f432e9969bb3e1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d11ecbc5cc1227b3ff61e5e12be1c2a6

SHA1
2f445ef11cffec41dbb84c479b6012055acb72c0

SHA256
e4f31ba1661e0c5c42e83f015ee03923a39e8c11730128e9d34f2566ae34aa91

SHA512
146ee7a8fbe11718f28ba903c29aaf19a7d9da4b1c8c13c973be475303e90267944cc7f44b90c41a577888ee6c564041beb39f479eb7f6b612992fc065336b07

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ed697f5180af9263046dbeadfc68aa9f

SHA1
b0ef4a9e281b7d72519d38d094128a8a87a914f5

SHA256
b648e55510062386a86d575173d29cf7975dc32bbaf32e59d985ab0066eda62f

SHA512
d8189892666681f1aca067c84f145a8eb12b8046ad588a775b8147f65e4d0b838f2fb14e1aa2a6b1a12d3b038fa9dbb3ae063bd0bb4c3b23fe3cda3c765f0883

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f48fcca3482c4cc17b6e58b135636333

SHA1
bef37cb99cee1be76e64aadcfa812fd144e66061

SHA256
6a2b38ce212a3da363b74c95fb722f995acb8bcc763d47d5c05ca6015b7af0ad

SHA512
ca0890ae6559f327078f5eed1433b69c9ef1727a5df54aadaeb3f3935c70050289a1ea317790306041ba4daeec32aae5efe506b7c83d12ec384c61794ac18c58

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4e232d8a35e5aa0d846f0048e0a3d75b

SHA1
72592fcdded06fd239c16df10463f11102fa90dd

SHA256
854055043120bb554213a15ad84bacd7bdb14f61600704cee83fb42a53967566

SHA512
144f129a882f43755a04ff1f3a67e9eb3d4cb25420eff0d86017caac7cbf3ffc80555e2f0c989ee7bc0ed5628be3bcf1a5c1e4a539eb4c942211b8ac4ade0e71

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
85c61720951807ed21fc76a8e577eeef

SHA1
b9d5cd60d01c0184bfde1fe31b22f9580cd1c75d

SHA256
02c03a3d9951d37e289c95932fbe83655244f0761bd85b16c5ab4f34951583e5

SHA512
1ef836cd219cdbe9899c4371cdb5d67f06ed44b37fc7a2f7e8618a036d38a56acf16d30ed022c7cd83fcd2ad44b546d9afc0b00399d243bf4295952ca34e37ac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57a1a319e02f0a0cc10f98631a6f4aa1

SHA1
d15b93f7fc1034492efa2689dde1a248c0499762

SHA256
b42af889f307ad112809f614cc4ec293074147a582a68d92f3a704fde42e2f04

SHA512
97c38b86873ebec828e42cdd8d7f3cae662e347af308536cb0d401344b74f95bb42d11cfd04d8447c9eb8a3a6e116f76afda6031443e727c00ff712c59bfec4e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ca20dfd3b1b2db735f6a72ff928a24a8

SHA1
cb96978acb86f9e5f35be9887f61972bddddc277

SHA256
82653235696d20a780d87c957f395dbb7422c78a3dc328cb5f5f5ab5fae7aab2

SHA512
0ee57323c245f3c6acb987f5f3126e48d8d110bfd7861a50f4ff758e2e38f3627073d65ca2f53a3c13245355c86869ea355556a78210f26871fb583ee2c47e1d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
444c2cbe67e09f29cea47ca26a5b86c1

SHA1
e9fc212dbb83cc85a43ebe88ba6091e39080bba1

SHA256
d0a1ae99ca75963ac17a4210e06ee3c0b9f4ef3037f23db01cb45c9bf4f77c18

SHA512
40437835b29364156c9a68accdc3c3e2d537774ef89fa5781a533c74f4696859bb241ad8ec6b9bf260f76c9ecf3bdb44e05d764f427e488358bba038df7b4669

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9f8644bfb63b01a426f0511e66bb87ba

SHA1
7fdd44b5cba07f34a08fcdfa12793d081482a3d2

SHA256
4e619a4290739c97eea268e3e1dde0862a01eae51a0c4fe0dcfdaccf83cf31f0

SHA512
d8dafceab171007568ceb5fe6ecbe0fcf518cb590d16e1507d95d95db9a2bbbc1231632a0541fd88e4980e31146cecea541e0b9c7e1870eb3a4684db88cb8c3c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
eb64ca91e37a00f5855afc6699e64a96

SHA1
60891fdf74e910bd0a4610522f85c33625d9ed95

SHA256
f8643f5a6eb810132fb9851b6fd6ff514a217012d424a2d37d4e932a054979bd

SHA512
2c9c31459f7104334aece58f8ac66609df76653e6acd458cd2975bf7a8612cf87f773dee2d041f6f1af3177390f321aaa9b06991b51972dc1a8174e0e73dbca1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b628fabf22959f6bf2c168b04c971bd8

SHA1
f68204b7a0d9c7d404cc34d73c2135c9375e0103

SHA256
d31063d868bb0ecc8002656d721feb7c57039ec0022b3db40acd6955f004940e

SHA512
9d354edb5a066fb8e66d41ed17bfa85e929153f2143b62cf84796064064a6ed0a0366fb993f468ad817979273be99624e80f8dc50810052388622f9dbd2cdc86

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
790b93801d7286165b76d82dba1a2501

SHA1
27c5eca8db2f50f671d799993e115c75dfe81f58

SHA256
93acd9c34f2768e1c5dde133975b36d49c0192c1d3c71e6f6066c8d7082ac625

SHA512
f0498f9c4c24a6f6aec8252b181b63959ee327d70ddf972f88139d2ade047bafe36c3c598e0099c1467a11260171bac5b820b6cf053cc376919adde2911b9689

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f4828cefe5ae3810e503fda4d6a3883a

SHA1
3f54713fb96847304fd5c730fce693c4d8e1044f

SHA256
7dbffc1f61c476ce48d672038ca52c472965f37f7b59d3fb545c4f6ced3c01d2

SHA512
694338e5651c29390105f147fa49e76364a9901489a6bb5d67e76c1bcd586f50b549b3706d9dff073b871ca5a852b1e90ed23c6df80f452445581a69b1664d63

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
692ce9066c933946ba0f7d462a5f7291

SHA1
14fffc0659cbd5a38b5b06fdccfb92fa1fcfc8dc

SHA256
ac8afdc8783bba055e6c72166fcfec6a9f218b9153fcc0056d33fda85b26c821

SHA512
57c49417d00ac80ef2a697e3f5d537ac2273afc7e05b7f1d9863486ed9a493782e80169c9823995ca6974c3d93bcb5fb485a964decf5ec7d87156b7db29f6ebc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c142158893bea85ce7369142df99227a

SHA1
385b37790462c216f53d2b648ca2c1deb4791902

SHA256
ce4ec00d805ab408da04039de6f9ee468291027f5c09b9203572ab888009bdaa

SHA512
05a80fe54343c031ba2ba5b605cbe64a6fceb55e4ed475c7da1f93c48a92efc401c3c165430fc1df99a2d8c6980147a8272fbb298a3e06e43c7b587d2b26c2d1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
985ee29f1f4cb1086153ffe1a58f3cfe

SHA1
0324b739b8a0e0b3f52ce7d0c88913d9eb3cb3b0

SHA256
411c948a718968f8b2b36d5ad84a571e87563d065cf8a13bbc3226466fc2282f

SHA512
86987dce23aa4c6e62937df2cb9bec33bf37ef2880e6860f9987e0dacf33d049025700ed85a7c55b2e78464d487933aefcbc7ae2534ac32aea1232edb67e6ff5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
affcbd403b39c8b56d27847a129fd06c

SHA1
259eb9891ca616caefe67fae02e699deec169cb6

SHA256
637c28cefa170ad95f08aec16bc8acd9341a0335a25e2aa7f9c28dd3904a0d01

SHA512
ddacd9a322185c10d99a1dd720b1ad8bd577c06c0daa3c76a424e8b18826043b1f54b6802fb8f339a5826d6bb17774f59e1136925af33030eb483e7a57a0494f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
eb0cb83d3ff15c63c79e316f84afa997

SHA1
f3c8aa52449e8539e26bd7eadc573b5931f7c7b4

SHA256
7b851ad07f99c51ed038c0ff731b6bf990d9ab32e1530741ae8deb94af4d7e85

SHA512
8d658721781f936d9ca67ab66e6751f4e8375820c10d0116ed23873eb124f28f8d1812a77e0ce8a6dd11d484b0b346f90f084fe19a92c444eb793740915a153d

Download Submit
memory/532-223-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/532-109-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1036-97-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1288-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1288-604-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1744-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2016-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2016-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2032-603-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2032-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2096-606-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2096-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2224-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2224-73-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/2224-6-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/2224-2-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/2348-127-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2348-239-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3564-178-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3564-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3564-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3564-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3652-564-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3652-184-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3724-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3724-47-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3724-44-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3724-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3724-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3828-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3828-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3828-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3828-85-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3828-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3992-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3992-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3992-58-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3992-51-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4292-605-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4292-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4448-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4448-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4448-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4448-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4656-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4724-227-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4724-121-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4824-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4824-447-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-259-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4848-609-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4936-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-374-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5000-154-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5036-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5036-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5036-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5036-138-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download