49e23f21d0f8019d9c83eabbe9582f31994a3e876ee32c547b00e35f8365ef3b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Size

622KB
MD5

3b598f075cfd5367ac0338c1edc6b200
SHA1

e9485b0921420839f3f880016cdc261a95a8ea14
SHA256

49e23f21d0f8019d9c83eabbe9582f31994a3e876ee32c547b00e35f8365ef3b
SHA512

743749f883cdc11addb8388d738eb54c7009dcc73d45e87a2177414e4450ba8e512bcbd249b485e9972ed2e86da976448a2ba197771ad4989e22ff310808b641
SSDEEP

12288:ouqKGVlM41NTnXENcMduaD3aawgPwCnQ3MHv8CI4OJ1bbPHHcFb+KKqCGNpcyop/:ouqRVldlnXfH9gPwCn7vOb7HHcp/CGXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3968	alg.exe
3188	DiagnosticsHub.StandardCollector.Service.exe
2624	fxssvc.exe
1616	elevation_service.exe
984	elevation_service.exe
2796	maintenanceservice.exe
656	msdtc.exe
3292	OSE.EXE
3800	PerceptionSimulationService.exe
2868	perfhost.exe
4860	locator.exe
3508	SensorDataService.exe
4768	snmptrap.exe
2196	spectrum.exe
4804	ssh-agent.exe
4328	TieringEngineService.exe
1372	AgentService.exe
4752	vds.exe
536	vssvc.exe
4216	wbengine.exe
3976	WmiApSrv.exe
5092	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f8cc0347c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000372fb7b250a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049cdb4b250a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e1e3b050a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000428a54b350a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000607ce4b250a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b26cbb150a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006008b0b250a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeAuditPrivilege	2624	fxssvc.exe
Token: SeRestorePrivilege	4328	TieringEngineService.exe
Token: SeManageVolumePrivilege	4328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1372	AgentService.exe
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe
Token: SeBackupPrivilege	4216	wbengine.exe
Token: SeRestorePrivilege	4216	wbengine.exe
Token: SeSecurityPrivilege	4216	wbengine.exe
Token: 33	5092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeDebugPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeDebugPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeDebugPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeDebugPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeDebugPrivilege	872	3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 5476	5092	SearchIndexer.exe	118
PID 5092 wrote to memory of 5476	5092	SearchIndexer.exe	118
PID 5092 wrote to memory of 5516	5092	SearchIndexer.exe	119
PID 5092 wrote to memory of 5516	5092	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b598f075cfd5367ac0338c1edc6b200_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2196

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:8
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
d6e284034c79d4d7caa893524bc73bed

SHA1
7af20b1bd67cbe9413eb7e13bbec2ee93e221a80

SHA256
0167507d48968caa27c7975e68f1c2abc0403ba0ea7281e687da9943ba7fd2b3

SHA512
19909ec7409af78a40d4a2f26bd9d118ba1d8e6c7ddf6ac6d555c24345d279374be236dae09351691537a30a8d8d21fe6596baae44b14fdbf48c15c294da4c0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bca9025036868908999ce1c322476664

SHA1
b442067bc503181d4d43f99414a022485ed47370

SHA256
eb39abda83bf1282326c1bcbc34671983f747dbab03acc2ae20d889c6c80149a

SHA512
72e6dabdfdcc5d9c57be7664444272d91bf8e7debd98e8ab28107a154031ca76354eb7ea7b760f68aa5c5ce84a7377e8f788d4889cb70df66cc5c97ba9cdabfb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
26484366d2f03fd3be7095dc0c0b56b8

SHA1
eadfe1587b57c0108ea1753c36020f182566ed1b

SHA256
030c2e7ecfb0843dc74d2f19facedef0be1e360ca7cd137f03e65d791d582d89

SHA512
4cdca1e841a01dbea2218b50fa0774e15ea3a571b23f5cd67c79cd6b1ffa47720be584c29199d608eb8341975142a785b0872eef9d2a8f6b36dc1b7ae8294f2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ccb5a17c0d8b81907032d25a00dbc268

SHA1
f56534e684e7ede5308b310edc79d29e837f99e5

SHA256
bebadfa0fe2aa69c829aee8485cc9cf773b70ee8b4ea00691d1541ef0109f4bd

SHA512
218f4f03d4b1f6f1e62d244210deb262c05240352726bff7f5001d7c49d4cde6f2d76da513e1163cc617926f33dcd2a810551cb9c15a36ca002f814338055e83

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87c523c7036f1ac86e7adc1a6be401cb

SHA1
54c20e8e34be18fd9b3242486fa324eff7ddfa7d

SHA256
10c821890a4d3c41708fc0e86a9f715c9e74b698208f463593cb9e2b6441f048

SHA512
f67c115c38925a7867916fca868e29aaf90149915fd341ddeefeb87f0b88d5ccd1304144d5014a27344beaec26d4dbcfc5d28c73ac2d1102776f75738f6be355

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fd05f2f34c3f03ab3cc6b3b730fa8b05

SHA1
d8e2464f8fa0beee9be1f655bdfb6592b2d710dc

SHA256
cfbb518f0f4d73b1b997fbe20ae832bec5bab69587633de027f10c4c52a4932d

SHA512
4207335c8f4c74c03736f16edda655a8725e0d0acc440d81d14d3ef493258bf7b23f5bdd2602ccab33e6b0fa7a78b2438dd2d2de88733509f5a76e4d147b5011

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
97be3009b4096e01d9a706574cc589f1

SHA1
daf97027431070d9e75127dcd40f25593b7d71d6

SHA256
690ed141dc4ca6568e64db94d7918d11d0f65035e82682d71f6cd1b09f5b21c8

SHA512
3b160d05bcc24d10052c02f560e43347158a2f3aeca6b9881ef931f6790815d7251e1cb51c8d1631c19361379e9239a93fa4d99ba1a53268b666dee8c5f7d504

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0b061af0417d0517766828b848ac7b54

SHA1
0c0d236f95ca0b892fe184b3aa0ae54feebb0e7e

SHA256
2aacd05db73ff8aa05d0ecc9e14ecdf147c46fa868850a97a736932203571023

SHA512
eb2b7727e091ae2497bb2831d6b7ec04bf286dd0b917f2c1ea917deb0f8e180da4565c92414c4a83b69f4ceab0f32e0e2281cc67715fd077b5796b593695124e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0a6795058b9c5e17d278fbff79349d48

SHA1
cf8a9b76328f5eca1161c41b7657ebbd28bec8cb

SHA256
8621c04aa06e063e94ce9f789f3878fb9496a14ed4dcd568def85b84b44398ad

SHA512
796abd1ac0c0aedf440ab73022f56e8099af16af0f33e521d9c58a0a3f0bef502f3802befe37fe329c13f53b4f9b61d71866059e98306be3028a86d072689127

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8ad147de6085a1ce1d9d7b0f70ec3ce1

SHA1
144d427eea8cf4a9aa49f9dafd6d5a6d6852bd79

SHA256
710835f52d4bfa2f337faea84ba8362b7a424e65ef336641567754dbfeb64fff

SHA512
a574ac7e7957cecd5407365fc0144b01ae87be3feb03cb55874043673365208d88743c4e20b0b6897960f62e4ea4b8def9f3b152ea8938470a7541bb467396bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9b3dba046002709019744d231144837f

SHA1
7bcebcb76a38d0a3db75af8ce39b6e2b2f1df362

SHA256
3049bdb25cbc61c320c4967a0525c5cf8bb65e86806d665339540f0ce6fb6819

SHA512
679df5a33ab12d3a07f55fcd63fa4fd631fe037d5fdebafc9e77d644ce2c32703e056fd19aeae42bccd9c5a2b6b3adfd6675a750cd38735606d543866e654d60

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
271645f399bd6a0ce35191e9c45da4d8

SHA1
e8ce4edf1aee7a73f1b30fe4f68ab0f7ade1742c

SHA256
ae9edaa06627347912b2acda28f8480f14ce1283bb92725adb02380bf7e70d16

SHA512
36fd3dedadf235a9d1ce6d5f62ae50275fcabc223dfb73009173cea9696b572066d86cb2f11249519c2233260dc573b5b60e11cf66515c6cd4f878fda68271fd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
737082cecd47ac5bf35bf0ad560c6f10

SHA1
2339e17c99a3aa3edf1b4f447c12beb009e283b0

SHA256
cdfb9f10a7a3c6c1f80c20e66617fb67298afb55fc944323367ba5531a25d821

SHA512
5f9a46489af15e3ecbc563b1337665d9833998f8c8e560b452ba50039060a2a7bdda52874145f03d519a7d5a2e0400d0e3525c0a1577764ff3c3e068d00a764d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
01ffc634b0e7caba005dc4bef18916e0

SHA1
28e13362f3e32b77a2e563f519739304c429a0f4

SHA256
0ef7fe35a60fc59b80b4f50373f197e4b7edcfd049a27221156ae0797fac2f46

SHA512
0bb00ec629c3a801094d55e0b3818a3d5f26cdd477a6d8ed6f85774ecdf37a5509ca5d931a1c53e9df2c6c0d442d025c36051730c1a1b5ca0e258d4f677845b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2821a5894b6fdfe7764d8d6f5031800a

SHA1
3d7e63445466420fedfe19c2f32e4e8340258102

SHA256
4e824aba3768d97afb96c4710e5affe901c99ef8741d91a1248d628efdd6b054

SHA512
f09f6c19d02243bce12326a65dd0cec5bbd9171d1751aea24b9a4b4d012e681937d7244c26e1b74f6f643754e9c21cec23e5d0b95e7249065d2ffaf3bf9617cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cad76e3ef05ef7e720d14efae9a01b95

SHA1
f2ced185a12372c64ac06015627e4d3f77078b68

SHA256
8e72bf31a221ff1a09cc942e3fd1f9e94a1306a7174de26f35b7002d0ae96d7b

SHA512
0dc058c0f2948c0bc9b7fc6dea6d799fbeca74c257c88267645772e07f6b76e675668741dc544faa9f8c51f6f66764ddf4acde5c197d791d36ff208d76c0a13c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
794722c64e1587bf31c40f206d944fe0

SHA1
ad4c77c8866e14c682fe1202ff934f04bdfedfea

SHA256
81897e9dc0a4fb18a2bf83f99da76a42b352a4f66ac7d9dd51220f0fc066d62e

SHA512
430ae7cde7ea8f1d13cc1f1043fc184327e082991f6af95f6fece35e671ba3072ea9382b1e50c211586dc3bc8d2114aff3dc44d1fc20311848bd53e9018fa8a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cb8070878a3a9f1f5a8cf3000ed8c607

SHA1
14204c31b26850e78aada7722dc1d5f304fa76eb

SHA256
08c0195d89a71300a155debb73b8fe6e64125221a58f1f32e01b8d5a4915101b

SHA512
d93a78c7b3cbdf29a1cfacf6dcba85c82474d24e71b9594e28c1520b55e937d7ebe8a86dd68251862089a221927679b1f2160c6a639c79e9843a2f29764310d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3bf0474aa991c4c472d8275332cb33f9

SHA1
a47e46e3d0c6c8a7f50752153c4ea101e7ba6c2d

SHA256
167001f9fbb3c10ae0d0ad3a4d403ec3218fc121246eec56ed56d1adce26325f

SHA512
effc4469b1fa039de55b31717f5d27964b392ade707fe46d10525d35c981a4a689ade9a7e845938ddb35eb918c87c449776ac233f2ef523a21e356d1cba18836

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
973f70d7305d762e64d3317c373a6463

SHA1
fa19d2fbf33d8919804088d2c73234f343e0ea3e

SHA256
c202d6fd94189a8052f3ea6b735725dd3b2daf34e6ec3fd297a41dd4c4286db5

SHA512
ffa2a627b39aade82c871a746698bdabe13609b1db14a764523d2e325614ea85892ef4a077ee8b26416eb9202517d48798666962c1df8dbacc47bb81adb8eb04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
47a413c6f199f99b247610b756a4db51

SHA1
4c2d2bca248d784e0b2784392a620a1456cacaff

SHA256
4779ab6fc6e53c1097b7c82ca805b7a33044070df43f027d897ff98b242b04da

SHA512
059bcbd554fc53512c9006fd69e2ccf685c824913d030a3933441169bdfd5aef3ebdfd31b76cc55ab0236a98e5da7d26912b83442b7cc8448eea8df4a6dae7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9d220f542d4b7e07d543e9030460cf25

SHA1
ec0e97ed9e3b653039217842f520adaa3cab8c49

SHA256
480cff0c183b948a582fc4291dd78da5fad78dd1301ca3a1ecbe99e67dd3c965

SHA512
fefbcadabb491d5eb70683d2839f0b3483c72653282cd87f26e7e95161431597db73508546cc19ee3c9c4183410bcd83fa183aa2439e812cc3e5dc7e7a724889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7d3e89653cecd3fc95fbb4913e741768

SHA1
44587cc5645e5845b0baf5aff22f4065cab5414f

SHA256
b3f4835a3402f6e1e56a6f0f03609de313d34e2414b355569f833934928d14c6

SHA512
006c629881c8dc826a873f064f6c26039971b9237571cd26a0ab49d692707c38b319b3dd800087212c9f9f8f9bbb07bdfd857dbc35cd8703411aeb278744d43d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
04b0d1c5affe3a3b3d5921cda156a94b

SHA1
9fb8606842090bab797818839621c6875e800489

SHA256
7888aecb3eeccf26a4311a3d6a49727b2ee88b2d367e888cd419a3c267035970

SHA512
27a2f181b1ac5f45cabe0d572f614df0d2ccc106985f39d89d50532b9358d48c2b0174edaed5832456109972d655a6f9c35098ef1ab989d001dc258ec66fa970

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
aeb08967a589772a434eadf43d1d425f

SHA1
ff41c31a1a3d6369c1a6d9e3695c426460b16c76

SHA256
cab9cff850030bef1fdf5f35a716144228ba4ab046292058f060d02338c986b8

SHA512
6f9b115dcfda3edd49b5c156b6da0ec2e41ce7f4ac4d1367abe243eb4a3850a5ffa2ebffd62ac0cb23c9bda25e2915de0aadcc040fd5e9b19e745abf07374656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2154e4b1c289dc530f26150276286ca0

SHA1
70778346bc1ace375b68c24fe417935f32c83d0a

SHA256
1dc1f031b7568fd4ee4da556ba5fcbdae25d9cd557e3c894afb4a680d6e4f841

SHA512
1bd6ea001ee817b28625999b99eadbe032bd95442210ed469d87289505bd8a5bcd834a9728f1dd77b490538d4fef03d3132319dce98d53952622753fd46a153a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1248e4194e7db53c15183c2f328fe606

SHA1
628243cb11ee66466af2a59e887723e5869162b5

SHA256
3de089ef5e6a1b566377e3ee69562e514e5998d6d7f0bd9697a810d052c30e85

SHA512
523f2128236f2224d51b36189a87e2f551d8bf5163ea5c109ff062947110ebee037429f720c79208970d114d7d53d6674e0761ac63ec0598456edbd6303acaf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
021ef6f6e054fe842ea067b4ff390d8d

SHA1
53b5dcd90525a77f671f4da22a43905720010c97

SHA256
9d61e166e075e9ce4d39ef7d99cb5b4a8e3f242916543dfb3c15bcbe0647f4e2

SHA512
dbc892c425d6030cf3cf48412ad4e78ab73e63b9317233ee58288d079794378ae0aa7bb139b4ab3488ac6a354c967ab13b496a40c76ccfaa577c1aa19de0a81c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dcbd3c0ed8db56e6b008320080dfb254

SHA1
a035608f409e27c3c12896056c8aa335f0d4494a

SHA256
6a51a53c2793601ef94ba5ffaf1a6a1881e179708cb3375a7c2f14a15be0a072

SHA512
6d506d15cc0904473441203585fa33f6028c1e1297b195e4fb02055e6272137a71eb6a2f7c554e61c6268f5b1e05f2734913faf33545f9b1aafe0c7221e967f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9e05ff7f326f7de191aa907a74eae46d

SHA1
71f6c999d8f7735ef34078ae478c0721c11fda2e

SHA256
77f3fd3d3e92d659d9d32ae305c5680db8f8fa4d48da76ea3a92f78fd4a36608

SHA512
877e26633ff3935c77aa298eb6e17c97fe8599efd643c4428a6e8fff120a0f7b489d01aa3e8e7493e3e39b1b2416aaf2d65eab3cc18da373ac1d086b70fe017a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
612f1850b6ab9717ff7f8cd83ae4bfbc

SHA1
3573902f2c0ad8c90e22438e9234ca0550428b61

SHA256
428dd8ad6c81655a90f8c5e85bbbdd591bc2df6a97f52cbf72e7a9cd9faa3321

SHA512
cf58114f0d667d74d11d0d447501c897e7ecf155cbb0213b5a45f509c434af91121aa4032721cb9dd0345d9369ae2ec14afee460d07467300d3ab8bcc09c2888

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7135b986601afa4ee71459d8371bd6a8

SHA1
bfdce254f492fa3847a93fd9d1284d4aaef50701

SHA256
999c65987268503beb68b65916f72719b61d2a5dd19e4bc3297b888e3f185c74

SHA512
bb6982e3af11ad9657774e6ff1f6d781168d86196cf882ee0690b65545744c3fe671128b48ffa163dfd67838846edbf1dbd499f754c31aaaf725901424c0e6f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
88bd5d5ca89099f37c0f63f8cd97b421

SHA1
e14e8946f0680fc511e03b7a8c26623619b45b71

SHA256
afcd09f9b7c9ba89db3dc885d04e5044e518e1bf56842329cf6139e3353eb31b

SHA512
255d0667fed0228c79b5ba2d8234ab0d0c3d36cc57e4fee8a7303be340199b2e258565e495e23691eccf9c6eebe6cbacb02ffc5afaf41fd0681dc741a5d1b7be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
91358783952736c671a4f5f3f8896012

SHA1
195fd334294e5b87fab97fd902ffe33b7c15e373

SHA256
210f6c29fd31cd9ba758375d4bfff2e4f42ce0ff9e34b10ef432e16f266723bc

SHA512
651f66b1fa02eb90016399880301df10b679c314e280ac1f3030fbbc941e1323ada0aaf372330ef3a3ff126d6b08bb0e443d7642785b6369f2ddf92e5cb1237f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6edd43d838fac2ffa1323c981d473e9b

SHA1
4c22ad17341fd1d7fd5577e117beb7d8c946cbdd

SHA256
4adc8afe460cf03977ac23a4ca7350af785dd28be603c3257c123285ba16ee8f

SHA512
a795b270f7c0e34a34b6dcb0cdaad0138f4977ebda6b5f99e2033f0bc547441687eee92f0749ddaa2833c7dcf0dcc4fb8dc864ec4506c7a34696c0dde1beea88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d10e3a7cf89a9b63cb5313d34c77fe7f

SHA1
9d94dfdad70b506982642d90ba14c5ab4be4b5ee

SHA256
a52e120a5e189bc89359ab94a4e92cc7cef7e80e11cabf171c53f19d092317cd

SHA512
b5e67919782647cc52263db369da8ee0be7790e3035356cdeb00e1f56e6c54602f03b80be1977ec247708f4d90e64f750ce0644deb3c318bd597ffd80b4d85fe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
72e582b0a4df547d8cfceb16c0ab02f5

SHA1
d1bdb988540fe44475907ee21db7514a623aa89f

SHA256
2ade5116c7be926dfaa9d375f6fd4249bd392bdcbbcc0af6612e0e365ee1c095

SHA512
f9d7b2b6f2da256ae0a4dd11f1c93e6365d11295554586e85a79bc4ba5c6cd70298a3701c50c54dd075ac0af621899fba5bb647f50a6d55fc6d998ae0f911609

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f39f2702b2e523460657cd01476549a7

SHA1
034d25423fd4187fcaf97a6dc94c2c8659a90122

SHA256
515784b609664fd7282e30ae6ac301529f874f96e8f48c31a64da2c0fd344f36

SHA512
6e7e32c58c5d38b069889fb0c024c6bc646e971081ea4d2a6d1831016990daebd8e21761ed0efb479abe525ac4105d160a9f81b5a5113c80545bc4fbf5ecc121

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4aee34c58b9e202461cd358d8bff7956

SHA1
3d03468b5cbea9f1e8e4d74b82c390a48f28e99d

SHA256
27cfb9c4eb974d290de2ef6fc2c682aabf882c5106a5f50945c1ab25f6030657

SHA512
c3abab6caafa8dad40cb71c55be4c2b0affdc11473a2d80634f3b765eed16ed7b5eb7b6e9e4adde502b2ec0b46a7ef5acbb7ea606e7f6f241d08f4a04a91fcc6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bbc633f2d3bfc947973bb775b0911478

SHA1
cdc6a4b33dcc01c88b50351fe6d7f6d1ed074272

SHA256
1a2e53f70fd633b01b72fa92306586dac16ba1afc1e2d12d48eaf2a544d59489

SHA512
1ba9b1231913df959a11b93e5d2c5454bcddde6f80ab21c4efd386d710a3737fbe12b64ab950b8649c885fd0960af7b5acb8ce49d5ee5403f4b87eec3b7ade83

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5a646d02f4e7de75de6e20e838185929

SHA1
6cf60b8c6829ad2a2137fb2cf6fc493ed89cfad5

SHA256
9e5a05e8000e41716774067a1808d30b3776e06d7f37ff874244b76ca7d53d13

SHA512
89a3c4a4b9819fd70e3f130ebfaee25fc5cf75fc59cb6752098c829d67603c865af975b91b777a97e983cc0aab8f9549ad1cc4173ca0bf2f221093dc355dacef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
95bb7f1ab3ec0b5ffab4ac5b741abc57

SHA1
0e51c8eeab714bdd7b8921bff666fdaf4ac63a2a

SHA256
7da23ce565e99f52d0ada8219bae2494856b64f4abff4591906a9448b1880e16

SHA512
e431cf0cd467c4c3ab1dbfe8ee743c60e95ea43431832ad2a262bd465de0d2d39faf73575b51dcd82e6e567c444651f5192c92caedb8a0b953bcc2b893c76968

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
955f628dc03daa0901bd3f9304c30bf8

SHA1
cbec1768cc7ee68a4537f93a6aa659f62123f007

SHA256
bf1e6dc7de2bc1d13f700c46ba152458856106e011d64a2d7d9a42ce613bf779

SHA512
8f3e4bc6fbb9a3689c9f9b9325fa388f6920c89b39b7a03b0642307e37cdcbb90222960dde6fcc62f9cb442026874707b1f38a26ec5426f1008dce75ca57ba6a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
95f4394b8b70a3996027bb077668ffbb

SHA1
eeb6e74fd1494cee0e7cdad53f3176c04ebb70b9

SHA256
fa7468d63c89d9a9af7086a94be8a5e0eaafad693fe4bc67eeebc21c793d786e

SHA512
99c834ea918ccefbbd05c59d42dd82cd88bcbff005c129df944c04d60beaf91ffa72709219fcdad0eae34352853a727fa12fd2431d5541b20da9e6f28d79d1eb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0c4312d690d0d09f5c8ab56b9603da42

SHA1
f72dd13df222e727487f033dd9a912457acf7833

SHA256
8544182bfe0bd79c4429661cbcb19e658e6ba14f419ea84d6e6827ad2eaba991

SHA512
013e1d772a54e83406f6a7924e17f94c0a500f6f7c0dbe13180c79a145658139bd9ebe3250d3889a90de129ddb5a1142cfdb460aed63eac4373eb326381484db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b0224357a4ccabe69c5669cfc0325009

SHA1
7952a37b8e691bfcce0a19b63afcac3c9a78389a

SHA256
7ace8dd9a5cf01d1412bbff78ae0bff52221d599c925a3b5a0d27f482445d430

SHA512
2d3380754c76ec2b00bfaa108409f124f649301a96c11d86b7912e3292dea3f37ad331b0c529c5e31496cf431f12b34e589934839743eae2b6d14218f9481718

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c229c5019a7281299cc28c890a2ae893

SHA1
f81a1495a1915f5cbf2566d8ae9c10d3be902975

SHA256
d31e0a16b8a1384caf559c2ef6a1e0435d21f20ed23c57e858931cbde397e213

SHA512
38a425da9b648534fd15cac8a5d184976155f3d273c3861319aab0976e113057821e44e3ed7da9d9c1efef4436babeab61443f8058d105c1c984d6619ecd53a8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
438ae6bd1800cb40c16fb659dd2c3c4b

SHA1
300d1cb69770cc99244756a20616493ed7c591ee

SHA256
cea9ec8c64922cbe6455a2e8a5e12079e7e927ff811cbf5a0d20078aa2203144

SHA512
8fbd31c53984d3534323db818592de8962c39a3db6986f57c9a29d565a6ea8fa0627e1f64642728031537f853a51c3b4fcc336b3af55c2443551203ce57e0bd5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
047a2fd981135fb3b22a9730170936d4

SHA1
3886c9b0e4607a965e97f22eebb1230e0dad1c34

SHA256
294c02cfe6a381f54467a897d7fe0e00c5d3c32812dc274f20b622a911b430c2

SHA512
34afdb82060cc3f5368121b753fd1e36d14ee6dd4e5bf789dd3e1b0efc0165450c620484b54142730a4e3ef62eb6dae7d88b057beb7b38f40106b1139bd80b28

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
63b750014375bc215dd5e07f86dbec05

SHA1
2aba466401cb6e0c41dca938f96ed5b99d26b000

SHA256
9b3a5a193c7edd0cd785434ac7825254b1ebb32d6d3e1555b2964d2bff3a35df

SHA512
d2bf46b65252670222ccf216aee58ddbd63b6a3809a6d30a09c3109a43b22a4cc1b51f7b178212790368004005a57077d0ee68d6e951ba853d8ec074ed6365a7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8ecb98187429186861f895e67c9e6a18

SHA1
50d1e6d966893b0310c0d37fd60ab8aaf05cfc14

SHA256
3bb5289f83e038cfcd8ba8eba61956875e6c4cc9e5d19fb56d53bd672976a0b2

SHA512
65f69d494250a7803c7df2a9a0d953b009eab5ca5aea913f698435cec683051fe8b5a3e9d7c46aef9d90d4cf31adac3a170ba4ce4f32dee67e198e4511f08f38

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
be4de5ae9a0428dd0a2754bda77928d6

SHA1
1a0c9b5c2c99c5ed7c0104a17fe1d0726a169744

SHA256
19af0b91bb38bb947d78150ffc528e0861e5b697720dfff213e1aa2f1b823a91

SHA512
02b10a8e71af1ed2fe079ee89b3fe7e4e59ced58c94af8b1b4a6ab3760794c3769d539b8fdba85b1663b828e54c861b51a42feede0cfb8c749dc4074894455c3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b114d13185e6d00166a101ab0292971d

SHA1
3cd37ca7065a2cb2c6555ecb2e8db104c90d9fe5

SHA256
ddf0c0799abfbc5847bad2fcefef54fe674f059f5b501431fdb0ad29fa9426bc

SHA512
4dcc2a29caed9a974cc6275d1bbe248accd397dd2988514c76e7e7f3d3f320fa37b52600feffc4362f1d392aebc5c2653dcebbc82c263022379996d931763624

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
07b5cf5bb4bc2f57f8110108abe5f6c2

SHA1
472eaacd5fdc99ef2bf65211235733a742ef297a

SHA256
115c63cf59fcec3c859dce54dc7393b98114b8312f916cffb6132ce09ca2f184

SHA512
5f9ef0e194e4f2ee4949ef6467acf031d66a87a5b48010894f96e5d614b9962c9269a72993316e49f5df0a6f3a924a9fe4bdb2a769a9ecb090f64014a39277f5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
13a131d6211664573084a8a5baa2ecba

SHA1
ba25470ccd006ed05e29a251c43b6e88d0bbb401

SHA256
00e21e63cfd15de7b44da355fbed498fabf830208e5eeab17aeb4f8132fdf64d

SHA512
bbb1b8ee81a846b7381fc0a0f256f4b2fca3109fd32c75770c0343cff489e10539b7b52770146d962ba3a36831a18db856d67140dfc2e3a0a80167c9c2663ecd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
319665b370abfbb2335724c39f1bb024

SHA1
8518243f4ed0fb360476f80cddb4683f021e6a42

SHA256
5b274d635c3f57c2425b27891c97446d4a3dd12069c22b1367670694944c04fc

SHA512
0b71ad600227fa1b777bc583ece790c29ca4699c0db558336ffd2073be845437f5ca8b97ad631810af367b17da2b8f031f4e75be1d69448d5ff258b2b18cc382

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
95e3ef41f58c4e659d760c45a9fe573e

SHA1
ad2d0b20ca306d0ae5303966556c22e30be009c5

SHA256
367215f439c2e6100904c94ba79d0b75ca796d57b910e3e1f7098976ba32a992

SHA512
3cf02b7f57d560abd494103ad966ab54ce05d699e56fe3e3885c226d0da7bc1d7aaff6add2aac5ffa40bbbf5797d5e3b4c65fe77222d96a33d7af12ae85192ed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7c74229e4842f5717fcd864387e9af17

SHA1
659e8a8a7382df028fc9dd28ecbae08c9be74cf7

SHA256
f8b282f95f5ee23e9d32dfa972472b40f14ee4993190634a21337ccbcc32a085

SHA512
6506850f8beb1b710b8bd984d620c576cc36713ecef2dcbe155b51e21c83e5e526efa3f3bfd097885d7c4945c15dae44d1fe4f3b573639b461f37550a26e7a3e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8230391f767b1a97ad51b5a4ff8769c7

SHA1
39b7fd9b5605e6e169eb2d18ab0f154a8e8e6312

SHA256
22cc585f932aee7400eec014499bddb2f024069a126ea1d9f0593c07d6314840

SHA512
07617a3636c0cf7a441ab08ab11749680bfdd557ed22702b6595c58531e21baff10d260c6ad18ca51f7423f53e7b8ef7d7f8c8af52f38de5224f7fccd47847ca

Download Submit
memory/536-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/536-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/656-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/656-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/872-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/872-97-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/872-8-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/872-1-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/984-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/984-232-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/984-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/984-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1372-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1372-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1616-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1616-57-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1616-51-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1616-228-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2196-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2196-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2624-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2624-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2624-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2624-43-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2624-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2796-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2796-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2796-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2796-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2796-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2868-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3188-27-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3188-183-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3188-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3188-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3292-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3508-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-539-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3800-165-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3968-164-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3968-13-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3968-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3968-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3976-255-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3976-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4216-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4216-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4328-557-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4328-195-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4752-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4752-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4768-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4804-540-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4804-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4860-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5092-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5092-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download