ab1edb2d38194797023e1b3e45bbe6ae561efd5eb023f3625a37d9b98c7ce252

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Size

731KB
MD5

c31e11f9d76e3348eddf240bd78408e0
SHA1

1e7e948dd0f5919087e834270fd6d1036b6ff6d7
SHA256

ab1edb2d38194797023e1b3e45bbe6ae561efd5eb023f3625a37d9b98c7ce252
SHA512

86ee99efe3f2c5fa37ae960e9435b73af025ac2712b885bd30d663a7b6557ea276c0ef860c03ead8cfba8546945ec0ac18fa9c28406dd76f55e46bcbe4a9d72b
SSDEEP

12288:rZBCbw+TduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcd:rZBD+TduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1748	alg.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
220	fxssvc.exe
864	elevation_service.exe
4908	elevation_service.exe
1248	maintenanceservice.exe
3120	msdtc.exe
3924	OSE.EXE
2504	PerceptionSimulationService.exe
732	perfhost.exe
1704	locator.exe
548	SensorDataService.exe
4824	snmptrap.exe
1900	spectrum.exe
1584	ssh-agent.exe
5024	TieringEngineService.exe
3472	AgentService.exe
1824	vds.exe
2620	vssvc.exe
4268	wbengine.exe
2412	WmiApSrv.exe
968	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\851ac7b91ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c07384067a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a303764067a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004641524067a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059e2f23f67a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f09fa3f67a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d154464067a7da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeAuditPrivilege	220	fxssvc.exe
Token: SeRestorePrivilege	5024	TieringEngineService.exe
Token: SeManageVolumePrivilege	5024	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3472	AgentService.exe
Token: SeBackupPrivilege	2620	vssvc.exe
Token: SeRestorePrivilege	2620	vssvc.exe
Token: SeAuditPrivilege	2620	vssvc.exe
Token: SeBackupPrivilege	4268	wbengine.exe
Token: SeRestorePrivilege	4268	wbengine.exe
Token: SeSecurityPrivilege	4268	wbengine.exe
Token: 33	968	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	968	SearchIndexer.exe
Token: SeDebugPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3296	c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1608	968	SearchIndexer.exe	109
PID 968 wrote to memory of 1608	968	SearchIndexer.exe	109
PID 968 wrote to memory of 380	968	SearchIndexer.exe	110
PID 968 wrote to memory of 380	968	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c31e11f9d76e3348eddf240bd78408e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:404

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3120

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
974e2fa1b7c80c675fcdfb1b0bfbb92d

SHA1
20abebcc6f190126d39fffa4f7eb00b44f7e5e1f

SHA256
f13f963dadacf5a8dc432727d48e4443f0c02d1379bfb6cb031d1441824146f0

SHA512
3da42f4c96ae1442c3f19c2bc2e8087f4be40c177995bbd3ca948251d542947cee4b53026c3c8069085fa526a0afdf5fbfcee05f9c1c11b984c462afab375d92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
903453a70202bc0eee71563914830fa3

SHA1
0edaccba391eaaeb9b856a64e93e23676413428a

SHA256
4a28f03059f41fbcbddab3eeacec9d9f12007290ba070eb3974393ce2210b9c5

SHA512
683bc4dce8b8d0ea220b9d921ddac2c19372282e2dea7fea7d7227cdb949c3f7fc4ccc0f54183d2e85ab5c1652a086adf5a1082f5bc0a9cdb8e5d6f3c11982b1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
04f3786066514db6cfdd9dd3c884fe5c

SHA1
10d0ae8489e9799af5ba526ed5afe6a8104bdfa7

SHA256
850d89b9b85a510df56d3df0a1ce92e9caddf95111397f414e1b5e4ebf2ed1f4

SHA512
be7be2f2426480b41d2e61c6c554add7104ec95a278c2ba9e1eae8f700e595b701ffffcb65bbbd244ee2a5554221afeb29cd4032b6771767026cb26c4def3d7d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bca076a0cda5629081b0cc1b0a9d1424

SHA1
510c726da16287ae673d3489a91b519f13de8d81

SHA256
e6605d247b71f04e4f11ba7f493e35ac50e93d8d7417cf2578ddd269ec952ec8

SHA512
1117aedf9dd26a38847c356704bfddbb39d17b74e291e4351e20d14c7278263a8e67e27cfa3f02a5dd2c6ff4e6564eec8d3d5ac1bc761020efe59218c51a033d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
65d9804ca2ff0f10204225538bdf6d3b

SHA1
3f95ff700396398bc247d1128eb06cfaf0b61525

SHA256
213925728e96ee852930507f2348f73e7720ec35b1c05aa1a3c33400c113f221

SHA512
0a95e182b203f2424ecb58c43373c522f6157bf2b138966f3c0dfb18be17dc9a27ad1458dfa4332ee9eb209946055b7864e5d7e3515f4ccb4b05b300a398e5a9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5d801edc41607fab786c918ed116b27e

SHA1
e4eed19fd427267c8bf1e3560a32af3dd7e51dcd

SHA256
9d8dafe3bbd311a448db0ed99f0bc8b5337218a14359aade03e2b49b2c3351b3

SHA512
a9d962368b9b0d33d1fae512d539472490737f9c69a1a1f6fe555238eb89913f39338906037109c24ea427b8c6ebf5fbc7c420a3f49f19e4c0850b6cd5627dc8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
479d096cbb835a91834efb0dbc2016c7

SHA1
ea0e3c0d0fc37f24d5973fd3ad6eb852b4a2a827

SHA256
da6bce0598a2e92ec305343ca3f65f4785b80aef0d00484cc40c8e01eef27c7b

SHA512
244bbede01b7cd1ac2af4823bbb6df820af16fd0f5d66c1b5c5fe3aec8892d16f49d110284ef3a997d909de732e56084bb05a8bdd9c4add376ded9167c9cf6c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1975276ba6f80895779cf8e1954065fe

SHA1
0d5fcc8ac37fa41cf7027de1f23fdcf966a60af2

SHA256
1821fefa8ad62f33738902d7d62c19f01c85098549690da623fcd85bc37433d6

SHA512
547792a4dd0692592f1bc4962b5eb011e7b9090e01d5e6e16aa6a685f0adca15a5dd2af8a7ab63121c947020396ed27ef2cb1080f248c6919054c6b3c1b44fb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f5ca9e7afb395637442a8e6a722e955a

SHA1
748ed7db06686d1484e9083ee9e7eb4bc839b65a

SHA256
3e737ec480e88e4f2b7363266de9ef20f7e28d4568d7c3a0e08d82e852fa7497

SHA512
d21bea74da87d06bb261ee6476f10f440a5e88199ef3d12fee8407b1efcb74b45ea0eb32481a02edc004f606e8c0dc951c36aa856fd31776c704e02ca1aa606a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c46df3ed834f628f1498c912582f2592

SHA1
d486097a200e1a2ba86b55d6313b107fc37e1c20

SHA256
9ec6e3bf632354f5c0864ca1a1f68fe77e40a510b715f9e93f9ed51178e0ba6c

SHA512
d440a941aa3eb85e0bd6b77e418a335c1edb45d716e778621bfffd8ce72fbad1b8936dccbacee30f96d91eeb1d46031e47e782b9a10b5930a861a81b5a2c5b30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1cf9d3b97e42cb75e39006c21cf90c08

SHA1
03e5ddec10eb56065c463f21d51573f55a5a7f36

SHA256
6c09f97bc620f27599c1b497b03e14aff1381f6f9b33db4d55f0160f57c9f418

SHA512
64003e860d0363cc83342a018d6cb3a878d362a95d173a7acf7ada547dd247b291f0798616483adfa5827053277d6403ffe0dd5a32bca3af4cb94c7351e6135f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
860c6d52a3b91badd1a994f7a0434045

SHA1
eaa30dc87211faa4a0e30c1508ce52e3cd15aadb

SHA256
aae5b49fc2326eeaa90f75d8aae6ee0c03370c6adcc6ae53aba328709f3f9cda

SHA512
700061424046b1dd963f01a0d3434fbeef57339c7bc5421ee8a9f6f1d9d2da669c6ee6d6e76f834790a5da95be1cd5900c799ee08ee7939bf67c9676141ff635

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cc2a404bc9937ee4c64a9206353b5c69

SHA1
8b8182525219606cf35ff848946a3280056ce078

SHA256
c45d0d8f80ce3eed34c3dd50ffae84f4aca1ae85563bf17d1fc93cf8d7392e0c

SHA512
3e81bd3c966a56d767dcdf4b1148c6a0ab258eea98dae40f85cee99e9474f5bf9543aa97a31ecabc950bbd1f59d3c0e8f2027e18c80b4906b6e3dbb5dbf0c318

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f46b433d58bbb3eb1f67e9dadb5f9f91

SHA1
d73514398286dc3d0deeb1914bc13507369e1f75

SHA256
d720db5f0afe63c4ba60b3f9c4170489b63c9639159263829d4f96c57aae8bca

SHA512
0475e9b2bb5921ac78f972f494ce974e3ee9c2508b6889867169675eb9f6681b780cd651c1d8f42399095c3a890a2932f181b6dbf12b25a56cb400e7d7322f12

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
993a546d1db4fa4739fb5892706d7d7a

SHA1
b69e6a1cfb3b97a66d22b2f508b81010b5ce7235

SHA256
374955ffacfc396c9b6f084a9f4c9a81e1dca3fcc1666434e097e27bde4e1e48

SHA512
88505983ea9b3fc9efa2f96554aa87de78df013cd2baa2ded8ee698147df6590fd9765d07d271ca37baeae83663b48660059851aba7809497dbf1d0b06ae1bf0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
909b7cba92d296bdd6969714f5a22236

SHA1
59e3178529ae74429715363174f79c554c23e29d

SHA256
78de42df8a1ba9ef9c87cb562ac6170ec741586016d70c2926f5e0c8edc37923

SHA512
c275890617a06b053d27147b15c2cfd50d9c4f46573524e45106f2d2f60635fa522f55d40e52464ccef3c15851ada4b90370d8cd827dfc608c0bed3eeb973b81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a6ae0a54f295e14cc08a229d276c3c31

SHA1
52e32dc113c44dd489f81071f7f0209096db41de

SHA256
6cea79ddaa2c160c8483a813a067dcdbc7297765d2d393c49fc7922997c8718c

SHA512
eb2225491809093d17b1a89a92c9b550b9623f307e805b3908e446785f25eca4c510528282b31a1aa3fb397ad4adfa3ce09204c918e1b0ce6e900666eaf9708c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
33e5429fa5961f5f73c71058e8123b5b

SHA1
cb425819fb898f68524d453cfc6304dd345a5b80

SHA256
95b9bdba4091f827ba4c1777cb0015b152781847047425fcd8313b7017cb8196

SHA512
420df1293f032f9fc07104006537fe69c5ad9e3db92ef2d557eff73cce99039a09ed17cb8fbbf683a9d940b0a3a692132282dc02f507d2d344a869fa30bf9ec9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7790761a9902d230f0707694c419c984

SHA1
4d76457c07f7c25cd8e86adb9188513555105279

SHA256
75d79df5257a51106ecdf1e2400e79db7cfefd125cfad439116a51c67bebc505

SHA512
c89b727773c703aa26abdf336c4be92b785d13a24363b154f8cacfc1e5d70c3db71602748ba3f0a603fee7525394a06d1f1e66291ce1e37ae6a450bcc41de12c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
880104297970ad4a820f25aecdc8da84

SHA1
3f82c37d3c861f566ce037f2be126365f0ada5c3

SHA256
fdc46a5290faa5dc6aa053f065e5796cc82a199da0c7e88226901e0ec6690a6a

SHA512
4d163a7cac198512357129f9d629d0aed570ac86dceb9a7f4a0d85e073ae08f5a4cce995d89b47ca0da4992c5533d417fb941d91b2326b3d984abf471e3b465d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
41a6bca716e6df6d0b318a1a6699d361

SHA1
852e2c372376c630417d442e48da367f5e366c21

SHA256
54b458f05c036f0c76f16e585de782445169abada2b8158a99cf426f64749394

SHA512
42a0a3afeed356f8f20899627b63f152da27778bdd11bf52e1304d4a342f2e095b312f261235cfd083abcfe516398ca3e3570b92f63b9e1b91f6802a9f32bbc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
aef2c5c81c4a14760799c00eac7fc00f

SHA1
500c91c300accf675b10dc35dcadd8258087ee66

SHA256
675814c89fc0e2999728913692538905babad876786f4d55682cc89a3e8a7be5

SHA512
3813c89d6be379c638f84555edbeb185bee12e482c9598c15f8a3b9c48a19f63106b65e7e2e6adb876dee7e01b83f31d0e7164a2def830f98cd49ed98c8e22de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1bed53ea45eb34b2e36c9fa016ac69db

SHA1
382491e01127c9ae09884a7fc3a02485b4498022

SHA256
bc5a79d3d1fa7444fdb9cb5e7ee67fb9585ffea7e2170feb3e3f3dd9c9eb7608

SHA512
a4ce75069fa49c325fb01a52482b44e11d535c604b155f7ea1f7da1e8c853a47b2eff7e01f624d2844fe8bb95a6ca9ce0e20086bbd31e922459a75ee59f1d3ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
39fbdd8cf785ecb10652b31a5b37f4c7

SHA1
dbbf8bb5a9383ba2ab96ad32de9cfafa3b607eed

SHA256
5531552c0e3db264851f1b02de705f4f7acf794043d835929edb8f10f21b4c73

SHA512
1b5517236743c87bb5922ce3652e956f391a69b5dffb06b7bc90c332bb7307184646e48f7779205317c65f2ad93d2976c2d888b7e587383bc29e788721592b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ecb55c95d1c6a1c51e62e9a4a006171a

SHA1
33b0d55417ec9d390a37b483d4e5b486e42eebe2

SHA256
d1496f7238ffba21ce658a29a18a5cd7c5eaf861a86cd96192f8ef29c4d40ecc

SHA512
c66605d0c936f9f3f6a8255e0e3d207dd5b8c4b0d24fe746ea62617dbfd17fc77d7c928ac1d70b8fdadc915555303673db35bcc799ef3369f16b7fc4bcb7a867

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
254b0983c34d4c9158834018f8eb65d6

SHA1
e77d80f4ceb66c418e2057c7453ea20ef0b138fd

SHA256
3c70e505f58b788e3ee84b191d43c7a760037dd13dedac9f000ed666d2c46106

SHA512
455617634ed3f360be113c0752433452519058ec9cc86bb45598f4ea27b3707d4ebeebdb4494a2b51a8a6f36f8fa0192a43b3594c1af23349d329cb540c82870

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ae7424db4857c65e8e267311930f0c91

SHA1
a32ab09903a0c048ade2627be5c9d9c0a0fcb6c4

SHA256
ee5f54fa7488a9cd81773cbd9029019ad5b21a32502b8565a5ada8055ea2ad01

SHA512
ec12945070956bba749ab1186e2d0306fc8264260a601fec111a49e6336cc6d096eb465814bd6c5d7a83900f03d35036984672c879f8ed55a8572eb404f2a9ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7378b330bffe0cdb440bd0ce7b6bd400

SHA1
5a82ef81d2ab6edc1d975bd3ccd6e760cc317789

SHA256
6f3d21828f55b8da9a2b3819383f1f6891d36ca7412fa598017871423159ed90

SHA512
c4eebaaca6666f7317b83f937d7d7153f013c466383ee82020a45f39b0247a7858defa9f55eab5102a7c943b7207db365c486450be56fd29e2a94b1546444a69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
bff5857253350c3ed641d03c26694179

SHA1
da0a1519d7816292f1fe18f8099c3907be0a9735

SHA256
08b37a78826d8bd55f22da1e80192f89d2e4d9bbc776c4cc38e0fe701f0e5748

SHA512
75bda7814aa29c876d2f65b97af686773130ef02565208d64535c853a310702a6b17b2faaefd2b554aa8fce5d33fb0faaf3a454811712a8700b84367924d0196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
89cf26108554a469cbbc85a924e92eb6

SHA1
6ed6ca66fdbff18470cfa08415d04f1c05d5603a

SHA256
9c924579c0562f54cb3d0a9aede39aee0f18d11e05ac981f8a325045f0504909

SHA512
f2cdd993063199b62f2e79188eb99b8a57a676129735f1ca29adca45785d8ca825e3b16fde7c34753d9d91f7f759957e12a96f853d315af33416d8a20f2e7a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f89c25736b2c98b73bdfab5ec6697362

SHA1
d252e763a295fc32ec31833ed73ce6e1e01ead86

SHA256
e79007c537701eafd44e07016b8991c8e03c8b27ab09860bb159d2182b8de273

SHA512
8439f4d179b88c0b7e5877f78207d103c25ae98c84b1490167d1313c1bf6af9e5af864ba43079b927eec0752905142b0b61ecbf940d87d82e140e352812994f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cb0fd32701c772b560e8d8077d746a34

SHA1
e761b15fe07236cf1ed4b543b8115e5d73122fc1

SHA256
159aeb4efc07819dc5fba551dcb204d648f2cd2c693acd50155e3c33c9eec722

SHA512
284b4977c60c69c8bbc2635b4a808a38c84e57823a46ba1f94f0acd6d69a15d3377036271a6f3902f82225897308c4d3b079137374586021dc1a4fafadd08ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bd9d83545d47c22c24c4d4a3cb345e85

SHA1
e0807ee3498872ca2c537c9a9995f1735626de88

SHA256
04cb7ed93897783c8c2620c3f8d08b69014ea2e525f4b23fefc72b3a9288a979

SHA512
aa51ecff2a5459b657c5fdba71b2f9f1161dc528a315c5076aada2de3239ddcdda6fcd6510554df8d360b2c0af5206345b80164cb985f4c2974364e0b2f7d90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
52dd190d53ad4c881b44d8e57f4968e8

SHA1
abb3142389d445221d8a830b9fcd9f95761f78ef

SHA256
c182eb35b7c860668b5aa2ba413a1f4162451c2113a9bfc728501dca81cb883c

SHA512
9c21407b1d6bda8e996e29db81e2335c2cb846ddab0d3d16b236abc256595b4cb14a828080505f4543818cf38218597b364b490278979bc296e9170ebfcd44c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5c6a75bb96ec1110cf709a1273504494

SHA1
2fdb755170e61d5efc5812f1e047de5b419d419d

SHA256
e388ccc7906c1c5ebc1ecdfcfc0d6a1cea49e2886d3130f72bf656d40b5d68d8

SHA512
9b005968c975b6c46182045eae71b2b57132b2edf84da826917a05d7557e02fbe1b4692af232f3d742ebf6c4cb03def282c223aa5948423c07b032e1f15711d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
93f6c36f9f0f58f5573bcbf16c25e089

SHA1
ddcb0403ce259c72c98940887eba55753859c2b8

SHA256
1ed201982d299b599f066ed07de7276744d2e9293686fc03930e08f328dddd70

SHA512
a929c7170a0332ad8eb579b0004c2915f492e4169391e6b4fe1f70dabd4c4bd4b580aef473fcaa44f182a01a8d7e98cb952acaa038b78b0a830ff0949f2e198d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8f6246b709786cc8d924064858626f37

SHA1
8ed2eebf654fb5e7f59b2c9aa057b05adb5eb307

SHA256
5302e1d961af77bbe8cad86bd173d478a4f3c1c1292a1f51834d77849027832e

SHA512
cfc74730670220d9c1db1c356d0b9c43cc7d0947366d8793b521cb9fbe1f133299c1184dec83933841c91935582bbdee72e6552ba944bb6e376edcef2b54449e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8da786bfb07c1e56e3af474e8ee35f9a

SHA1
df1be8563641d0a5f3fa513497076d0ea465c30a

SHA256
d7c26f746307ae021c69dd68b5899c9d659feffa42bb9dd500a31f9b2f98dcb1

SHA512
4098ef9d5037aa7721e523dad892782f3fe6ca2aaf3ca6038b9455a2736e1a4cf096772bdf655a0f3cf82d7e57eaee3e3c1cb45c25289bb8cd7fe28ca7146f39

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f4e987a7f0b5ed1a8b87063ed3f746b5

SHA1
51e71f10b1ce8123516057c4d04bab415c555621

SHA256
9d9ae409c1f914a6ff832ec98ad9db2b4160f4d2e6b57699572b9b42a1e18e18

SHA512
92baf1e0b7ba79ca844227e23f931956c2ea07e57c74c9e551e1d39305d36b858c756ad7285be24349bbb7d4718c56204864354655b6d68983f5456072360ee8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6d8fc78567a23e4c44563d71c4f86ef1

SHA1
05c6bc474362db9e32fd4eb8db3b1f7376e03347

SHA256
81a0da71ef5c3c1c523f1db765b549752b2177bed453b0c10891093c2618ecff

SHA512
483c10fa472a6a48d24fec26efadc1f46008905cfaabb023ab7a745768975f2a016ca62220bc3a1c8d79cb65de2583fecd1c116c45006f7bffdb51c825755682

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
962104f4e02da69a0a2d07fd87df342c

SHA1
3f45946c76a270a7a661667bc8cd87f50af04474

SHA256
ad07d74fcca2233761b0908dbf3751bf4a093afbb74b22da676051cb3403e767

SHA512
25c223a1d62467060d15fae0560d911e6a8b81ee3f00d2fbe843a8770e2ca4df7dd4dd40a0a3634e8759fa475955f655b463a2641b166237873a0f8cddb889a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77f5f97326ee72210d77f114e8a1e7a3

SHA1
c75de0a5478a38c995237547dfc29d9101c5e08f

SHA256
4a30bccb746a56100c9f0ce0a3be8e2dccd0e10b99de4af9f4df60b7d4961ca8

SHA512
de4a27c3edd2e3c77773d95c31656f288d2d94931e394ea33c784d6697a6d78fd0abe7484f5e063dd82e8ed98a4ad2c9d61e69b007f33bd8d150aebeac5ab365

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
eb248440457eab55cc3f7ef7d2c3f353

SHA1
1624ac83c0ba3cdb42c5b65de245639decd5d3cd

SHA256
6779fde95722dbb4551160c5f1eeb2ed6028af236d07db3683545f41c4cac934

SHA512
313c67eeae6d4ee9e3f305e6fddb28c4a458ca1e3cf02b985346fbfb9fb390c8c0ef45b5b37637b037ef437a64bbb1e542cbd25be019b068a9c281499510c644

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c9169249cfe6c554d2aabaf46983ab05

SHA1
f1079d91be61d9aa7c9c6c0c4644af9d6b5b4904

SHA256
761966bf33626c8b4c0642bc618f8ea7cbc43a40b23c3a9124b6e1deb0a3f62c

SHA512
4ea07029533211869727d9c16ffb5b8584a20f0c3724b000e0e98116245e70bdf2f6e0aca141d154d8e07453e582e9b7151bd1d42e318b866fb7b05566069d6f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fadf8a1b8e57167b389ee2e43f6ad099

SHA1
f191217c203a70882b3bf45befe09d943a65989a

SHA256
5db64e65f59c8cd5603fa6afd28d2e04fac53855378a08e4ef17d60dc761d2fe

SHA512
28f9790d4723981ec991c129f99c33f4e9783fff1733eaefd89c5e8f4f90c25bd5701312092c855be5f38f09c76fd6fd3305a3d4fd1a68d72bf9f9821095a015

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c271396d6c1b216549ccb4ec96de6d9c

SHA1
116ab120c8297b934fc05b088a206999acea1834

SHA256
e8990d7da50c362d5e6d9b59a79df4779d2f53642fff428737f5005a3889ca3c

SHA512
c29ece55defed7e875b0cc3a869e2051e1fb9059dcff4aaaefcd1faba22b3e81e2775e2603e2c21b572481ff53e72e3663a7498cfe474c95e21f52db7d331bbb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5a6904d5ec63554d87405c9172b143a5

SHA1
127bb27a1272592ea80ceb85734be94ec3cba192

SHA256
2c4fdf5975ac1caaceda1b4b6c4a365225e31e3b5949ee0e30af07b3b0e1ea65

SHA512
c7cccb08ee8cf6d41084800c39ca39d8eed5e7494c4a299387043003485569ab051e8ea06c1f6d0bf4f37d2df492cc47874bd8afca553085e6341f7d6357144b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d352e15176612275937114d7123a0bae

SHA1
6347235391d07fa1ec460da41b8a9fff439ed1fc

SHA256
3aa3bbd0099e80a8d7ea391b3176ef48bd698aed567d310aa933511d2133abd0

SHA512
f4e59e48ab7e09bf243751f90678549dc9f69fbbc2d027f36c7e323f16e8d8d085164d9ae443a695b70efa302ec36195e435aa0d3f280967d2c32bce96fb51f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
21600e269c3e8a167ac87fde28d194cf

SHA1
41d73a3325ad0932d2e70fcdbb83aeaf8c20f8f9

SHA256
a8a40db7237b0c7b66ba5faa74e4213f7d5ae82d9669b6df3ca2a8143eb37da4

SHA512
2fb55907337fb5b13b4f33d947d0008ce029492967cdf8672364bff1ff135110b31283c2e0911f84b32fe621149f80bc0e4b9c23decc5cfa739340b98c41ac20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f2f99c403f7f31a02d6cc0ca72e232e6

SHA1
f9b0443888747875331647fc1d8c318b76325599

SHA256
0c1d14f8f04ca2a2906fdb84f87138ca416b7074e0263aca363c32dc9c1bb6f7

SHA512
fff7761fd307aa1ad88c22ed67312cc232f60a1fa21bc3e9f2ddd9e3c07944b2112eab1ec65ff7e63f6652995fc786e945f33a2407e5b3615e9bdbc8c74fe63c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9b9760b2bc05f731ecb435b04b1edf07

SHA1
849c7562f9e525486de196a745392562ab5f6e80

SHA256
6aff6f6a5165945421d633ead4b02ea0e78e0c9f06bb21bd2b894247c04317a2

SHA512
77970ee171637e36d68796a9f2abd447206c73f405b141540d4d2701dc264d9ff6236529c8473ee794aa21f07fe622c611b8c7398eb00ba0aa0b43f71493e7ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8783a7a9403251eafac571663d23a442

SHA1
cf619c2ce2f91bc7b89a7511a9f85006a324baa0

SHA256
51bbbc951c0fb140ef47c5340f4c9b926da23523e9ccb0b9da162717b673dfaf

SHA512
f64d62b590cdcf28b7f62a0edf87ac744affcdca1bfa507e2e2416446163c176a174c09d23ec69f813d7dcda6b1739b246f2445b2e50dac3476b63cd51b22397

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
962d5cf14a136ff9058fe328e7ccd105

SHA1
a8db18d91a44eb52e6d0b60070c486c760236cdc

SHA256
ab6e4d9f9d7c95c011b1f3e0955ce4838b11fa36c129ea0f341ea1fafe74e093

SHA512
8b771ce81997aa18b34ea8cc6af45cc593e082532799107e36a4425dab9b4515cebc9fdb164eeac2145cf0231242487f6f2762f5d408be7415a176492bfad732

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
22b3ecd03f44ae594793e90679d379e6

SHA1
02a8075e37fdc15d43af67c93b4582c3ecd01df2

SHA256
06a91a052415302b0c71a9ac53fed8c34d0384aa836775badeb9d4c88cf65029

SHA512
0741922a379b6199b4fb395838d9183db2978683f582677025e1f3da959638b35fa6a88426018a993e0d52f76c3a28f7c86a5170e581cafb6fb8daa7140be2c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
18c1c0a1211bbad64cb6c5ebf264e1b1

SHA1
2ba89ce2247bd66b52b564e429a649a1f372f8ed

SHA256
2781500cc496bd13a503c3a38087c4126629cbd36b090d1136e8d078920b3c56

SHA512
04da6ec8ae487bb4c08027eb2fa0aa6c3312693b81788d4d1dabba0448bd0f98371c0e743a427c0b37ed930844bd18d25b4f789fdf5053e9b30e964c5aae88a8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
458141be57543f2b8783592eb575dd0d

SHA1
466f7f2ffdbc61d0cf19779861269aa508a7349a

SHA256
d7371f90745f90498a91b398a18e96bd9599e7f1256f63621f7f82d1a9187806

SHA512
1e3ae04da323a8b8bf13e8247dde370cca7512fc12db94e4d7e77f8ec810ee4d89ed6d82b4f147aa2ce4885acda6584c19a276aa941bf23b90e4bc99d6e81317

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
46b4fe1b2379c75da9ddb2ff58f86c03

SHA1
77a2f616f731fb7540e1dd226b21aabe74df4ea7

SHA256
7859ce7041e76407decde2bbdc46ad1893ab2dff0881b246d7c78c32df4ececa

SHA512
89b6b96be71ebdfcd445060bf0a75da59e325b16629edc410ac5b98782d5e3cc88b02d8a530c0f842a79b1a529e9e014ea421f0f41bc890e5a7263ac233afffa

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
75725dd486f739859d68a0d1291c3e86

SHA1
667290ade49a32bbaa6c0314620f557c569deb2f

SHA256
8061ac4827f8530d537930a603f326ddd1ee782716bdfd922cbec845246d0713

SHA512
73eb089e5cc3735e97617e8590e3b1effa6b6462a1063903373c31b0bc5b1ccc14f8bb6fa2da61978076b46cf0a735a4b990b99498fc422a7bc89c931900cc36

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
81ab8d2b07bbe1f512fcf416faeff200

SHA1
bcf00bd39b746ed1a7d51e208e6ee1ae68c4a08c

SHA256
93b0f529e874f44d8c87c703943b929ad13c3854087a6c0504e742b10c6ef143

SHA512
0ee5346ce8e4f4baad631ead476690bae568ff3531541237e7d575f54a8af2499937acc13f7713b751bfb74c8f450f13200bb66256ebd04faa2327162a9a9e99

Download Submit
memory/220-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/220-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/548-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/548-456-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-157-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/732-100-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/732-95-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/864-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/864-466-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/864-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/864-32-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/968-469-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/968-202-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1248-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1248-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1248-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1248-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1584-162-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1704-158-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1748-465-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1748-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1824-164-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1900-161-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2412-468-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2412-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2504-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2504-91-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2504-85-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/2620-467-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2620-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3120-204-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3296-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3296-9-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3296-8-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3296-462-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3472-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3924-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3924-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3924-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4136-17-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4136-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4136-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4268-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4824-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4908-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4908-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4908-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4908-470-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5024-163-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download