5e835201f962dcda943b654fff315325b413106d38df7cbbe3407d2dba89ccc8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 09:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
Size

1.9MB
MD5

d4bc8f6e500bd27f7c91ff635c005310
SHA1

1c09c73198a5be5528c42a0b3ea795757b9702eb
SHA256

5e835201f962dcda943b654fff315325b413106d38df7cbbe3407d2dba89ccc8
SHA512

943b9731f33403c02ea2d4212fe3075ae800076a129d3904cf7df15e869aa8e8a4ed285bd9838149640e59aefbac51598421551647fa323becbe2742de37514a
SSDEEP

24576:GDMS76huDyqfbA1/9ozXH3Em9qcYdujsi:GDMi6t2c/9ozX3Emg1As

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4896	alg.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
4740	fxssvc.exe
2060	elevation_service.exe
1392	elevation_service.exe
764	maintenanceservice.exe
2696	msdtc.exe
2172	OSE.EXE
4964	PerceptionSimulationService.exe
1796	perfhost.exe
3016	locator.exe
1944	SensorDataService.exe
2064	snmptrap.exe
1600	spectrum.exe
3680	ssh-agent.exe
3400	TieringEngineService.exe
1660	AgentService.exe
2356	vds.exe
4228	vssvc.exe
2544	wbengine.exe
3580	WmiApSrv.exe
4660	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3e5c3f3bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057ddbeb273a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5793b073a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cdfbbb073a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004252b5b273a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d7a9db273a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b3ec1b273a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a8db0b273a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d87554b173a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbf3afb073a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b7d3b073a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054f590b073a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3944	javaws.exe
3944	javaws.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
2060	elevation_service.exe
2060	elevation_service.exe
2060	elevation_service.exe
2060	elevation_service.exe
2060	elevation_service.exe
2060	elevation_service.exe
2060	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4676	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
Token: SeAuditPrivilege	4740	fxssvc.exe
Token: SeRestorePrivilege	3400	TieringEngineService.exe
Token: SeManageVolumePrivilege	3400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1660	AgentService.exe
Token: SeBackupPrivilege	4228	vssvc.exe
Token: SeRestorePrivilege	4228	vssvc.exe
Token: SeAuditPrivilege	4228	vssvc.exe
Token: SeBackupPrivilege	2544	wbengine.exe
Token: SeRestorePrivilege	2544	wbengine.exe
Token: SeSecurityPrivilege	2544	wbengine.exe
Token: 33	4660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeDebugPrivilege	1308	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2060	elevation_service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3944	4676	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe	82
PID 4676 wrote to memory of 3944	4676	d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe	82
PID 4660 wrote to memory of 3000	4660	SearchIndexer.exe	110
PID 4660 wrote to memory of 3000	4660	SearchIndexer.exe	110
PID 4660 wrote to memory of 4748	4660	SearchIndexer.exe	112
PID 4660 wrote to memory of 4748	4660	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\d4bc8f6e500bd27f7c91ff635c005310_NeikiAnalytics.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1392

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:764

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1a76cbc399588ee7926b08fd82ee3dec

SHA1
ea5a957b1a2a6bc3aead27d3d0fe13b5735f3efa

SHA256
816385df7a79622bdfc8792488764d957a88f93ebac94643a4d6e639b59aa732

SHA512
07061af3d359ee5093630e2c1ba131dd65db839b3475ae29e9d758317bc45dc8cea037488fe48bd15a2921faf95a8209c4e0b48e2cddb677749b1f24a48e0aa7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
b0ae06fade3562d998b361e74e202b99

SHA1
2ee6a4846dde279626f2647a428ba64251c523d8

SHA256
d034a53aa5872eb2a743f27243e676992960c2dcc237204d4d0e7cb7162ebcc6

SHA512
84facacc4baeec26d74a96f0dd71be7cd8db2457fd08ef8ab7ff036327c362e9b2cd4e1f2b6c85fa24a7752c03780c385d4953ba66049da61d9c3726aaaab10a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
3a7bd7a47a97851a8a41012c7ad03b8d

SHA1
0279098c6e83c5175e820a6632696a0d1c7e29b5

SHA256
0d70cfe2e1ffa5786a9cbf1e423539acabc8b5cb69ae05b2e5f75b6b856e2ebe

SHA512
3f50e8ea0fce4791432838f907f52aa40753ab5f5978fee309c2f790e1142c40f4394ce1a77eefb87442288c6ea06baa7ba9e93402425a5660d865e3f22efc4e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f33656a474345872853710b67b89adc6

SHA1
64c276ff0063d23377c63f8275baaf2b5473df92

SHA256
4d860c0ae8f945ab4adbed46188d0adefbee62b8b4473f9b5157be46937b9147

SHA512
8824f484aa7abbf726e57c1b0bbc82600875f3ea5f2a25c6e98701ffd86e484d68cdcef932f98dda644c73c674df0275434ec68547f18f5c8e0582059afd9996

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e5cc3e5b364b558e4ef94d91591374c5

SHA1
3652a28d729d548010e69be357d83cf3f2e1e044

SHA256
d9b25ed88d6f3c71d6d5dfaab4ccfe180abe55178c7af9cc40d83f2a0331e8fe

SHA512
ff724f15e8a023034e0d4c61c15c64c49fe202608f8abc88e2223525cab498c79a88e807a8e9fff3b29a5e8f8e2c8f784c5cb2fb9fffc0c54d17e5472130d96c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
dba46668b4b129d9341b491b345f648f

SHA1
3fc58d2b5cbd35daeb7ce9fa82e3aa03de545b5c

SHA256
af89c5c0c57c711cc19b818d58c014c9349641aa0ba01ba3205e0bb7ae525cf1

SHA512
c91cd8dd957e2a6231dd747a7093a92eaa9e30841a47433e7fadb7e6ac842e078b13e6bb1fdf3ad32e9286232f1bb3c8d9e1585d6fb7bf44132383e7bcc9ff79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
6d125f59fbf7909c5122c82c925aeb9e

SHA1
d0901d655ab831f805fd9bde7787468b158fa57a

SHA256
c29eac9027f0dd05fa06012931e9c8ffc197858569b28ad602bca937e8c08431

SHA512
b00e7e2cba791b5d61fe4a02e0547dff4e388f213e9519eaf3b0740a647d4e7cc0ef37b1abbfe76f58106ac8f325fc3895a4f0989ec0cca5d0e465d37430fa18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5ed5ab88fdfd58a89f4e176a57976a0a

SHA1
c2711f38a9290bfa0e7285ab8b2bdf7d91019714

SHA256
40289619622e8bc1978d9785bb3ddbbdacf271cab32b59696da72f08d46f4075

SHA512
04833d19812f0915210d41194645728accc9edb342b04a85553d8e7d840e0d344cf667eb9faf202c77e9d4d726bcbc1a4a6194318bb4e18eed2b7b708f646299

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
968171f56679e260beaa98bfbee7bf84

SHA1
cfcca46b51273bc21149cffe53b39ea408394125

SHA256
5e599c3fe01ac5f7873c8a63c943b763418c545595ea92f91326c00445cb9dad

SHA512
5ba78dad6a533947c78cf9d9064c7b7b8825a6927b45328613bf9c8de23afcbb7c29ed845b0a5fc0eacfdf7f22acfdb0f7aceaafbe283a2ba24ddab4f97b9045

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cc62c91efd99c2bf85703d9adde2f08c

SHA1
6f54f3f75174d7f81cbce8b205e70b53df04aa8a

SHA256
e2ba732956e147dbaaf82fefb9828fce49e3a61ef5b06ace762f0d47fa6bb598

SHA512
deb55945af61a2d060bdc0798275084796b97c41def2891a36b24ea02c90100d1a6e7325cdb6fed5f3d57d0e93c2881cab56d86331f7ff353161b45b47accf5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f6dbb170e2789eee7ade2f4c11406f4c

SHA1
f354b66782f9c63345cc1a228001e845597a4259

SHA256
5ac1fe08a0f51ec06506b0c13c37a30e09e29e8a63a654d5bd353c22d57f7b12

SHA512
6b0a98a9d2099612465a63f42442c570f3fe6c566ba9510f467e402ba631346a2f9af21398845a0290ae0fe35ba13562de3c4afbf5696e144237953f6ba918eb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b531a78b12012ffb2f13b667db366a4

SHA1
1443ddb1cc5a6421732124fd96b5830ccf4dcb7d

SHA256
8fb3eceeedba985adb51d857eb5c82070e2e383395c23d387475f0f9559619ca

SHA512
10e9b11ecfd81fdffda616a7503342e973e3bbe9b3863e86c4bcc24a3daa21a24e7e6d5f7addb7562a2e1940ff60042fb042ea3773231950201b626b92da4074

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7d4211459e0cfbe34cac235ebb19a9a9

SHA1
78f2695e217972eb35159be42ba23630185d60e1

SHA256
4096a88aa6050add6d9f8f4d743393b44b7949c542f7eed52ef1e92f2b6d5db5

SHA512
53145fa0de048b0d3337644c70f91985d6a7eb0db256d653842c85d542903e5854c8c5add5981a65b89cea95a7ba120b09e4a89a21689173cd6a7321e2fe3c3e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
7ddc643b5eb92c150927e26eabe296cb

SHA1
510f1603fd33a9e44f6070a21597092393542fe1

SHA256
885646403bc5b9171c1a3493b13c707651049b64f5db65a6020a1863d8998aef

SHA512
d8bf2c9f21137dc0139cea0fc5f46ee083fc0317a4c45d5748548e089bb55092dddcf2422e8fe9ce7f3f26c980eddc167eb02d85c91117f0bf809cac6f855322

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
663a55fe8beabd1487fe35b6d5e0ca20

SHA1
adf3ab842377db915a85f32de5c30d9ac40febc2

SHA256
0d913b7b43bd3b8f72830b0989c0babc4eb2447312e91dfa2325330416060dd4

SHA512
355ea7ea0ace669ab5808c39bc448aca41c10c8941e01a766b926e429c720184c1dc829a08862c3741e0f6e4fad88e40848e25d5b49e3493e8dec32014e87dc1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
97721070b51ca4887167c14c98145113

SHA1
6a64f759dab0b5a9b250f8f381ac3c04e7bd68c0

SHA256
65860b124564dbf16a698bed6a0328c3d377aaad5bfa8e56c0842a6d44a37432

SHA512
81b2f6f41926a34e89817992a3e32157189029e4f6711a2ef6d84c1bbf9c1d824e3636e2c563b2832efa5be90b6a3eb2995b16b3cdbf62be1d24db8a261fc62f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dbc69cdf1364bac03f1b2c75b2eb5add

SHA1
e5192f20ce2dd06e35ff4d0d9b73572a2e38af79

SHA256
8acfd8894d472035c7e3da51d2b46ccbb6966493c2a8eecefe142c6bb939e2ad

SHA512
4b6ad01cd82c777a0f63fe3edacef5ae7695a0d1c321ac63eb2608f336e745fb90cf70bd0af46b4de0e21bb78159ef88a302d27e2086f3392f510930c2a90edc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a5f60fbaf8cbea03988de74505e6b8f2

SHA1
2bf7b3a46c59150c50e0a2b1a05d6ad046a68f9d

SHA256
c8f49a199f9292696052bd388cf91b99ea511e52d01bb11b8bf44d2fdd0077a9

SHA512
acae566d5379ba454d0495e26dcd06006420ac3863696207e9926b372a096c4e2e2f82bf8905e8ba5f7a91f4a865a188588cea9daf3cf6411eb066647a4e58da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3f1514bcf7d6fe0a78e5d0d6c92be101

SHA1
c1501283f96779b3dc003a94c9bbbf179ddc7cdc

SHA256
4497bbe422068353258010f6d744095e0a3129ffc288fbafc6844207d2d69508

SHA512
3fb8b5d2c2e6f1ea43047b6f56384def694778e842681bb4bad3d4bc05317c9566727fdb652fd6a84ffc74de5c02983c22379f279a525b24be582203691ef1fb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b5b834f71876848eda704541a08c16f0

SHA1
e61848a6e53c94234d1281f24988503a8f0a6259

SHA256
05258f13de8f66431caa4aba614b75bd8e92470209295e2d654fadd84b4c6d50

SHA512
45107df50b2bf653c9d2825bcb1cfea3cc408087352cc1ef61858f7ae7e10291199ed112f6e3e399fcc74dcb6648d43edb516557cc67ae2ca90a9d28cd288d79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
a8851e636dd2f411d9ff3d8b462ab311

SHA1
1e53b33c8fe70f09e10a1f3c8ec084f0ade7ac68

SHA256
879fbf83a2df3a27e2e605779faf01ec3e298b4baf744248a2e5fa03b803e9ec

SHA512
47b40b9d265df44ba293cb26092e5e381b505c6230d0009baa6cd3c5e937b1b62dbe472b51920d66db283f5c525aba4f9f98be95553cd6cc1d9cb0ddb9321fc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
1803c7aaa0e738ca049dc99f1ee7f00a

SHA1
05119d6ad6219dceef2ed9f7668e9f9048947105

SHA256
e9bdc3cd2bfb629cc720fa13380eda6c9435c62f6b4ea4b0d9d84184fd2227d6

SHA512
4f8359836538dd646f82af655e9490d41bc3c79622d1f42ad5917343da8d3bc8ada0c71c7a7af657071405fef7d8939b70c367f8c0f8eab2b5d40cab426d5a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
06a5a90e7d0c8ca557eeac4b5abdd486

SHA1
fd8487b736f63281942913f10e213d8897774e84

SHA256
2344567eaea5ba46211080537a85d1c347d6860be136e5e55fc091b9cf446882

SHA512
380078deee1d2d0e5736faa50965e5006e9c9b8b146caa89397edabb64a4d326c6f907bf49c9d7869716e35ed993d8954a00d44e78c0bb6cb06f74163e270db7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ee87111ffca65b49c2a0b8bdacae6501

SHA1
3f96c9ba29769d321bd3ec1f6255f9394948f135

SHA256
ad7cc94f9e6ba587648b4616f91fbe50aab2ee8ec50787626570b9b0da20160d

SHA512
62944957526ffddfdb5d54d55fcb61d54fa713a472da74fd226e77035f4fbd27456fc64b230e15502f3a0461bf3662038a8076a09b3dfda05e40e4416bd26b47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
47bc1dac7c2beb09aa8c08c3f5fb2637

SHA1
676f6107103cb4252ea33a7cc089cbf9dd6b97e7

SHA256
47b92728c24fad097803fa8ca3336d29c0f917c5363c926de56458d4f908ae01

SHA512
016cb26a802c2483bb7b8600ff23d00c17ba63d69322683f777c8aa0561c1b1934d22e8fcdf63342c5a9ca7033b5fcdea75e2dc6d8569295361d4ceed545c345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
19dd3fdf27106b991e987aecda1e8c4e

SHA1
885558026d92b3c2face89c09c62271541e0bcae

SHA256
2b1728a85ac0652fc0776a43fdeb2a666b73e7c1aa9d3d5291d2de4e9cb0f82f

SHA512
48ea6a331c13563f88d4efb73da56bf9b1d5193961cf58340e4e0b27bb3aa17245c706a7f1952062ac657862f3b1246b227be92306a689f00bc7ee07f3708e3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
7f49312b872731b77e28ce485746c001

SHA1
ba23a5e1f858d15b15df1bf633ec39f016ea38fe

SHA256
4f10ab1e13c0387bde968431fd5fcc26290c845bc92fec0e48329aa1ddbec435

SHA512
db5ff7d101840afa0aeb1309c09b511c3009819476e56e016a5cbdfcabccdc92102dad09b158426132564a7695067676a6faa082ab76bf581e58e5ed09b7ad73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
7effa8a29b242fb830cbd4b3e4f342e7

SHA1
b4ace559d6a8341fd368070c689fa0e7f584737b

SHA256
1f5bb685774ac29c6ddf09dcbb2fe125399ee91039d033cb44384cd0ce5636e5

SHA512
1714f9740dcd09bcc9f9018e65d182ef6d54311a1a516792eef8f60b78cebf67d2f7f102b70608e14899125a75b811ef6841c5aed96bbe1d1c744f9d840a74b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
d0d6c7c92aaa5d1700b1610ab4aed854

SHA1
fb23ddc7313c4285d72d796cc19c1d9d18cf1083

SHA256
ef06d5be08da3fc4e1a64d61f8e8df7ef65cc1fc2a874f6157f9ef119240c334

SHA512
29b3b2654db48498f93d88f50f6803fc8ea302ce3285c6f3fc786f6861786f85318128c5d095573af9eada51f45d0289c891d5288b045387fbab20a562857c36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
a9ef7d8b6037286117a69e9823a3edb5

SHA1
78ecd144362a64514c4f460c510c30a9ac1d111c

SHA256
3ba95a5f396facc3fe90ca8bb0d72d20d94579d660e02367de2f054fa07bc8ba

SHA512
530aff33c51d07142326b9426a0824b32f5a5d18ed461f4a6910f2ef7d8208f245d515c51be03af8a7267c5c031c7e0bbc58106e552fbc92832e0a1ced8a312b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
ad00600ee414e8b25e1b5ff26ac21722

SHA1
850fec3bcda014261f0d7f8252dbfc963bb40453

SHA256
477183987737b5bda3bcc92854a155d44ec60b7b2f2a9b3a593f98549f6c6f27

SHA512
f5140c52735f69b715d5ce46f14e3c4eeceb7e4d86f63c52af34865a89623ed04a315a77a14ace5c9f55a9f6878e9117bf60beb602c18169a838bc1681a0a003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
728e505d0cf61621ccc17da98898529a

SHA1
b40fc81be68704b4e7ed94f7372ab9dd768dd3b4

SHA256
7538bb09b448df282c3e6a0cc1c210f72a600231efc946b836a04f099906aa0c

SHA512
af6bab2c908113fbbd2acff4a60d5304dae1006a500cfcd0a987a8d41d1c53df7542878ea358665398653f91d9506e9336db43cc6ab250fc861717aecfe77afb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
7234244389ffd8dab9ccd69921bce862

SHA1
a0077d5467c9311ee8213853ea0144accb1d97ed

SHA256
32fd6bcba2e2c992419d2bb642bfd0f670ca9fb65eb3da5438f6ec47b4c58960

SHA512
b32fdc8d825178b0866cbf51f241b32289fec4b587ad40c549d83352e074bd16961d33566d15b18af80d39272fe13e80beab2f6e5e5d47ab4b56a9d335ef88d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
ba1abb1cb09e123531a71a1583697072

SHA1
1c87f42e51809056a7be0289dc449fe56991e268

SHA256
53c441cc2c3cfe6a102b1ce1d01cf507801b4a7466be775bb2955fde34fb261e

SHA512
a819e5f99faa9b238bab7705969542deef011e099c57d0c42c2c8152dbc39e497d8985c6f87b092bfa85dcb205946b28ff8277c7d0fd03b2d7f2aee47578fb9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
0aa1427cb34c9fe791cc869251cc8186

SHA1
b25cdac5fbe1aabdb3b1f096e6c6ef0a85da00c3

SHA256
6d052396eb01792e66ea804f4dae532e3342103824a4388ee3634b4b89bec398

SHA512
3c1380e98c4605051434d02314e9c8d72b5da06e4d9a041b2d0b707db491c305ad0d7b36835476dd3983821d552cb97270fa3bd053955805eaa56dc6aeaa94d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
53ee4e2cef775365b20e469b31d762cb

SHA1
b51389d3f892fdbe9fe1f6940dfd78a8f98ccff0

SHA256
8569069c20fb2d414532e88ab23f60ffd493173390adbc50b10317cf2f5f3b4c

SHA512
412b7ab414039b9907348cf1927c717bd2b594b7902c6a6efeb435a0a1f00ba08d42a0001f59445af3794d6cc4a31f8c0d9a20150678ce0d5192af25308c1bca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
489557a05e00ebe1545d458208902c69

SHA1
c45478fb3de252b02bce6fb3fde67b5f3a1cecd9

SHA256
12fe9e9219ca81017d903758ed8ebbc412e5fae06720bf6aa327fd79d0f4a446

SHA512
211ffea2797133e83ad1e1dd6ed30e6f5cea06b504a09a959499cce58530d9eee2e7b9cc3d46bd560543b52c09746768349c9039a023ccf7a3ac86d5d4119081

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0cf7b7551f1fd6332afae788940414e8

SHA1
f26d070e97e7955fdc7705b32bf5541da6b75b4f

SHA256
37984e4c941c83b008b43527f402768b8135e60e4667fc515260261021dde9b3

SHA512
72a2ab548e9af527a65bbdf31e1e32cc6e18d383ff2f5dd780cb3ad37f1aa5f228d7131b3f9c620c01bf982fd19457752694b3e4333ec18fe2f07db12ba9df35

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ff5e4708189642828fa3955e3740ad50

SHA1
a7978afc033312016d1590daf221f961dc54c63e

SHA256
1482ea77036acbb8b62899da064fc03ec71364a92dab8e6c06b24675a26f3717

SHA512
df65673bd90a6883a40441386b0dcaaec5cf4a64445ecc29b1ee8516fce6142fee0962df5a3d1041ed9d34d6cc62728ab03cc97cf8e29d94dc46e01113937175

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
0b29ec33835c4991400a1aa0cad4cf4d

SHA1
44232c2a00236a433b849f3b855a5506f7f30e43

SHA256
b934a3011fe6dd37af7cd67254c5f5c9518737f37e18380c064881771d626967

SHA512
e01a0f9fc70c4b1c65a11b55b458968dfcefafb6f34150452139cb016b171c6968e94a4571462c7968ad9f15eab9c52e746b07d0db675f5f3497fe4cbcfcf6ec

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d652a8df7d5d177f13f2de207b896f4

SHA1
84daa193e456887752e50dbdc0400572b2de3152

SHA256
8c48149c8df559ba42d4f0418c768779e9e3a43766af2a898ee871ac944f5db7

SHA512
c39551bc3a79b2178e66aaa6fd937c64969e878e26deb14f61b7d0619208ed8fb72677664fd9ee74c7e53a8f7eab7aa5ca9d9d19dfcbe29accfa856af8f344aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
680298a1d8c20af97eaf35c20f0f26aa

SHA1
62c421b974cff81fda9e3f26faf0b3f57c27c264

SHA256
0d426dad7fa870e63673b06036f0a5afc095ac9817c4ecf7fe8ab6e1fc934ecf

SHA512
526f63adbccd6ea4267b4228cf0406b65c0a7d1b375f825a93fa08ef5c58544d52ea1c36b6d486d9b2a991f4923bd44559adebe4ddb6c53cc72e81a7de95dbdc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fbfb757ba86dbdfe2f615ae0dd73052d

SHA1
91cf31ee4a57c76aaeeb12daca4d8d536d2e8218

SHA256
e5013d55490cacef3bf1710baed971673c9fd3070601d5e52650e3f43477057f

SHA512
262dec2862e7abd11c999113a272c13fed8e02104ac39084c86f51ff0a5020f06e58a760659b027e579903e5aa07a5d5125854ccd64eea6a51980f38d1660acc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
e9c648c049e96dc6ec93ab4e218543d8

SHA1
9f8209ae42ff32b2745421d937407f509634f9c4

SHA256
cf4806577f6d73d25b49224a3ca5c30c97781681f341d1c9d540ddd082ac8bde

SHA512
99563bb3d5df22bec85b6623239e9c9052a797b2ca7d8e65b0ee79637fe0165a4ad0493d521a2e3cc1fbceaee0982592214f4ff04f04139376b4c3be5fc63f8d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
6bff4caef97f1beef3b71459ca7b318a

SHA1
7338e4a90c1fe0394f37acf2775b734ef6c94a7f

SHA256
6f75f2abd438abd6d9e75c54d309d8690734504ab05dfaa5d825b6993c69dbd8

SHA512
e4b2b891583dcddd256bac305a7f67738281a1743f7e7e00e85cfd3e603c40bb912f75150bb7aec155bac9839448e3eb817d1428655e2abd3951676315b4441d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
d6678e5b373cfc58ce3e34c1fafb2711

SHA1
d9b9a5a07518f18a5beb20eaa95c83d064d172fb

SHA256
1de8ea62ad5c8bf8db94665e515c1f44271c16d560f5f4711fbc918eabea1b0b

SHA512
b237896807e70de606744637b43440aa07db8b754bd2975f0f0bf4f10fd35c223affd3b8a44f85c805a0a64346404238b8b28f74b18f2ec5f76f1c5dcf0f0a2e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
87d7cb292f36352ade0fc9f975ba5418

SHA1
aa12e9f7c937f0a72e89c90c4cd3f15391d76495

SHA256
683cd74b8903cc40a5c54d9260ae3079b5818506cd6290c6732cb3a49efe4526

SHA512
d41ffdd3591f76412e39026a80f3b53dafc13de006b971fa826217a814ffa007d08c80ade25576da0f53394d654dcf070f60c5a41f3738383ff3775d83906920

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
581e0b4c5b402dc919d278de6caf9363

SHA1
9a86f96fb2244d1e5101728b76aaf62439b2a3ce

SHA256
13a36aebe1c16dd054508fe4f87f5a31a41ac1d1b64a58f6cbad245fe4c05d32

SHA512
e39382e108a7d6dd3b3d7bc26ae0c33f849f6ff90696ad03f95388113e8592476d93f61bde9fa7a849a713e1919ffa93f5fed2eea7b71fa6e40bfb19a50ee96d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7b07aa4a114bbd3e3808b338962bfb20

SHA1
6d61ea71998261f4ef4b1b4576ef511208da88f2

SHA256
16976c4c9714171e5d93d518f26b93d4a5e14763851c6a5b76bd9d2d7cb0558d

SHA512
7c93568a621e432b509cb5731ba3b8f8fde2c3b3802e8960ca0253f2875840716e1a6490ca9a040958b76b7dc3321cbcf72522ed72aa1b7a58e7373c161baa09

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
0b7ac313b7b9c326b76491a3d23a9bb7

SHA1
a7ec2883dbaf47322cbc94d692d5ab1f9e2b9536

SHA256
264795ff64d3c0ad01de801acafe75ab101167840641add419b5b131c68d1234

SHA512
63d5033d373fff7f3af330eb105efdf54ee5e20e23acfce21234a99ea885e6e9df6737829953c9d28cac4586c135567db6b44b2f5a1d558c41258d22204f0b03

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf6574ee1e1e2dd888bf4f5b8b815f1c

SHA1
be75d6202a7668e3b3d1dd5315ee38911cb9037e

SHA256
c3adbf5964b7275241a11aafcca984e417ce5b156ae014be6419520ccfca1052

SHA512
e2e8da41990802cd0750e4c85f1de2a2ea854d7ea6517bac2a2e9c80ef183523607578d1ad34fe61bf10ef8bb5446c7f0062b421dd63017c031ebccdd523872d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
05a484a2e54bda12946532d611cab1c8

SHA1
4056d670ad8e94d5ce3121c7e5dbb1c815eeb94c

SHA256
230104b9bba653c67cd47d8558b8df7e510bf67ff57ccd2c61894ba79eaa7caa

SHA512
c27176c28fc746fd561452470940e19d850e2252da5d43150563ed7d9076afc6e3661679f07febcc6b66dbbb4c8c0be63787882bbc68a607896ccc882c08ff69

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
34dcb29220155d9fde8fa2cdb423cb22

SHA1
f1e630b199826a785616971d4381350ab5f50ad0

SHA256
d3badb21943b43f4b8a55a266b9bfc05dfed8cfddc4ff0e1ac13cf4094149d8f

SHA512
3914617daf56d805b312e53c7e533dd258fd0ff76c98cfc19c59036f7be884e4d85c57c50cb747a009fe7e9304aade6f5deaec7d3e5321223482035e7e916954

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
c75af3d934cbaa200c6794b59a1bac72

SHA1
62f193f407d1701fd5e8c8087fdaccdbac891f63

SHA256
5240510c6486ac05abe9760cbf7010fe5ee9030552bff67e1d2a41b37ba8498c

SHA512
ff157e9d31a087f3d094b7575bf9157f2d08f5fa1206f4ae85e9d95ac8070369b72114bacfae8bcbd3a74fc399ffb0d7cd6a66974df159d0af12d704570f70c4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f45302b346e087d024082196c63db15c

SHA1
14ab365550d1ed482ae28a974795cc50517042e5

SHA256
649e1df041ad6ff3290baad4932d8592fda6e5242225b21f79629e7b1935a2ab

SHA512
862c7b78572ddd0c23321345eedd70775fd38d13e6825a81419382d6e8676d4b7a67f4c11aee3b04831621f49577ac0a6a4cdc6800c72a2643cc07ce5f119593

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
0f50a8b6592a16f47ede2e0edae0592c

SHA1
3e7bc96120265000d8df43020331d5df41ba1384

SHA256
dfb0d1835fc675c82bbf6ab0a1613f91a3a347721a201db5f97e9e2b1ae4c040

SHA512
97cd1cb18d4394c14d28005914aa9d0d853c3617e655891026caccbc7d2464778e764a9e8fdadf0f144b209cf53703593c7af28ce658eccea6b58e06b0846764

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
04ea62254133170db9c7e2b72fa05bb5

SHA1
4fa676dc1f763bbcf0df88d9aaa3005de28f0844

SHA256
95c2bdc55af85fec14dd296a0dc210cc31105bd0dcd2eeaba55d266a292f4bee

SHA512
0ec45db5f89a7b14f57709312382958eff20f57bc1b7fcec816a20be05a8eb21ae6fef392c30ab15b9db466a593a11f1750ef50dbbc2d8f1c40394be8cfe9b11

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
af96a8ae769a4301f87e2715c93beaae

SHA1
f61c33b73f2a5f78866d06b71bfd3cac263e3d36

SHA256
f5c758001b00c9ab1a8e70f520aea32b2fa6176f15d411b2923167764a1a7e7f

SHA512
92e53ca3d12db08ddc98732fef2760d4cb57fd0cab0cc0c2ac287022daf425f8c38d80e00a15284ba643834b9f940009968d1e143d9b579a02c3ce3bf0f7558b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
67a00c43587e71ae562e8e559c2d8a40

SHA1
92cbecc6ce5e473284e59fc681cb295d19cb61fd

SHA256
cbf849610b4b8c7783938cffd6ebc8229f29d0ff7e998635e8b0cc27de46ed61

SHA512
d171f96f2775af5686112bcf10fee86b5dfd10935f5a2c1112e78556a17f2ea0c7dcc16cc2550d9fce914abb5cbf20950ef43e00ea4598b0420fca666fe4e2e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
6f62d64940f3ca25d0c635b70fd86f61

SHA1
7518e10a056ac806f610415e1fd42959437040f2

SHA256
e0d22fc1381f0e4c9f7f2ede2a5bfe09a6f1e50b0219f7ad9f768bd4e9cb4efe

SHA512
3228ac919b1ebff8cf55eb836b9c164e38fa4adf31c08a77d777da83dabdca657ca2fe30a73af603dc804ba5f694613cc7137d283248745cab6223b0a66d80c3

Download Submit
memory/764-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/764-67-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/764-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/764-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1308-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1308-17-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1308-18-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1308-144-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1392-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1392-457-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1392-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1392-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1600-461-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-139-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1660-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1796-135-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/1796-105-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/1796-100-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/1944-456-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-137-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2060-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2060-32-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2060-39-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2060-359-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2064-138-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2172-83-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2172-458-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2172-77-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2172-85-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2356-204-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2544-201-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2696-72-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3016-136-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/3400-164-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3580-463-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/3580-202-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/3680-140-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/4228-198-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4228-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4660-464-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4660-203-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-71-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/4676-361-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-364-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/4676-9-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4676-8-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/4740-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4740-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-14-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4896-96-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4964-88-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4964-94-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4964-98-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download