d3bcdd94bf9461db7e2a0fed91b660917831e6130271190ea843f28af6855f45

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Size

1.2MB
MD5

c39662e3f034b1f62d2ffe366e83f5b0
SHA1

2503dc14cdd42f5e1797cab5daf01c22b0f24296
SHA256

d3bcdd94bf9461db7e2a0fed91b660917831e6130271190ea843f28af6855f45
SHA512

de05175b4f1e9a30318c5e743ae2caf6ac5be21e314a4e044a58d7853b11acd0db6696fdca53654d141373d9b189435d251e7d14869312fa39ea4a0a4527339b
SSDEEP

12288:EQBmjRW2OCzR8nAVSHAA0zu73bX1rCqB2opTMZpwe:EQJ2OCWnpgA2Q3bMH2e

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2540	alg.exe
4652	DiagnosticsHub.StandardCollector.Service.exe
2808	fxssvc.exe
2332	elevation_service.exe
2708	elevation_service.exe
2680	maintenanceservice.exe
4616	msdtc.exe
1240	OSE.EXE
4896	PerceptionSimulationService.exe
2000	perfhost.exe
3660	locator.exe
3292	SensorDataService.exe
2108	snmptrap.exe
1428	spectrum.exe
4244	ssh-agent.exe
4628	TieringEngineService.exe
1368	AgentService.exe
1920	vds.exe
4076	vssvc.exe
4572	wbengine.exe
1300	WmiApSrv.exe
840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa80a64f4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd3040825a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038c43a0925a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f11680925a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000186b7e0825a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2a1d60825a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084836f0625a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2808	fxssvc.exe
Token: SeRestorePrivilege	4628	TieringEngineService.exe
Token: SeManageVolumePrivilege	4628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1368	AgentService.exe
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe
Token: SeBackupPrivilege	4572	wbengine.exe
Token: SeRestorePrivilege	4572	wbengine.exe
Token: SeSecurityPrivilege	4572	wbengine.exe
Token: 33	840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeDebugPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2168	c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2540	alg.exe
Token: SeDebugPrivilege	2540	alg.exe
Token: SeDebugPrivilege	2540	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 5060	840	SearchIndexer.exe	112
PID 840 wrote to memory of 5060	840	SearchIndexer.exe	112
PID 840 wrote to memory of 4284	840	SearchIndexer.exe	113
PID 840 wrote to memory of 4284	840	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c39662e3f034b1f62d2ffe366e83f5b0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3292

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0d3bb30d6df6863d1e470dddaaa78056

SHA1
a05fe14da786c9397991050c330f111a1151712e

SHA256
be25adedcf06dab45f1b234c0b166dda3d3cc9b30ad8bbe6d25fc5a75e735edc

SHA512
5ecb38fd822c5b76da7292feb1572a1853bf818e729715d9618e41ff01b2ef6d933e7bca3487f8a3c24710be832ee08385c576aeb32ce4fe2f385fdcd2ef55b6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e9fff6d3044a0be335780c5ce9d31261

SHA1
3a3a523c23e4452a5044e534a329ac0c3ad0b62b

SHA256
51efd34e232d4589dcfcb480e9080abbbaff4b51451148aff3d068cb08b4118e

SHA512
7871f32dd6eef6254a74128c82ec6cd1ded665fce18c0feff0040f4c3ac5c2b33c2bb58bce6e35cc8bbb088014ab2eee3610f0fba5930e1ba55193088c55db1c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d8a4556bf42be562c899dc6e5b772c48

SHA1
31413ed42fa115be57dba89b67fe9144bf1e126b

SHA256
4872832f2622eb1598ab6a136b4f73f5626e6d5d4e7abc54a3e02ab5bbb2396d

SHA512
3769881d01648b158bb91305173c50163f8068bc62234fadf615f48830323ce640516bf9da822c34392ab98e463707a7054e172f6e4d0ef290d4d99fb6ed6271

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dbbf41ad882c8257fba5df3b9d8b2c22

SHA1
a0bd812a90b3c4f7e80dde927dccbd949b02c856

SHA256
0398f8910b53c150012a51e1e7e78cd605f40a471d11d43f99d6b379d2714074

SHA512
10acc739101dfb7d446bdbd193779533d27313ee4e61148b535a68405b108cbea930d8428fab562b7389e59ffbb74cdc50180f26b15fca1a78c87cc106faef0e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3a43df3fbd1f5e47b036619a46592a6d

SHA1
4892960b1424209849115488b25d49bbd43b41c7

SHA256
09721d610db06cbdc3f2350e3e998fec975a4bc9337693afd6fc467e097a85ef

SHA512
90924e4c6eeec97dbdd1424896ec763ac3ad6337cc61f4c775cc7c6428da2cdd2eb0ade330745ce6579182a33e666e0b325ad874e46a451c8988add44d8b7037

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b063a37891e6e7d03674fd34f839ed19

SHA1
7286cdc1721125f70b0384b71af276b68d744642

SHA256
11e4aa7293e0bd751364840a8fded9f4b4aaf8f307eefd5f26163123390f2893

SHA512
4e9df74769c7fd473cf55f68c021b0254c6458e7820f7210b82b8e2469ec29afb90f7183899c4fc3a39bc4d37f7279570b97a30fc253c696b1f057718546bbe0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
21bcca6bb55ae27ae5a67dd49447ee49

SHA1
4e9d2600ae378db36ae54f97ff9086fa4e484d11

SHA256
11ead0f493b01f0e0d7a528d254be320c09320987ca6786b6a6afb86dc16f73d

SHA512
5e54d27a4bdf0a082d7a3d2976dc3669ff251de501d2089a0e8e0677dfe8ac985b9abd46aaf9450b94779bab79bce93f2fdc2db8afa560ed28d9d7cc9351b1f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
263153d639554bbb3aede2dd02e81f0f

SHA1
ca04fbc3e087d34f38bc4f95b51f7136ca8e6a6b

SHA256
b6f438e602b77d6a72a8e668fc4c4141837ac84c526f10dd644b7d0b642ce3d1

SHA512
93657dd1cd6a547ffbe8ba69fcab2099dc82e045130e2a90faffc74d1d99f17fe3d70260ba1fa88166dbd06c444e0bc75114257616221375aa659fbfa3fc8b65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
e87b253c3de47decb980ef123b6c8f3a

SHA1
4ea49a34be6daabd11d3dac5df8f76a9dda4bcd6

SHA256
261e858e0e49fee21761070ad8a5dfdf8eb1ecd9e266dd42d30ec73c5b8009fb

SHA512
a26acebc265bb5383bd49219556cdd4dd47ec826571686807e4ca4097cc452eac9f2114dc2e528d5d192552c4c42cd0b023d21035d1980562dad6e781eda63f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4e053117afa51ef47348c373fa76b787

SHA1
8ce73cbb90671bf90bd82ebbb5e57de8f2046ad6

SHA256
68f74726a406fc131535f2a39c0113ff71f5dc9b74ea69507747ea6c6eb8112d

SHA512
059967bb69928ccef81aaf777771747333454cb2e1526cc93f9211d4e330dc2b2163dd49b0faa2b6b448480bd8a89be16433550198bde1e32d0b5d31956d4676

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
18d0e1a4e0c0a001a5b1fc728dda52fb

SHA1
8d14efd0120ab30998e53fe1bf1326169aba25b4

SHA256
222f6fbb022e8a22002c6d6cc29bcea3639212cc3f18550129f06e3ffb4ae49e

SHA512
39570589d58e815a40288a2fff01d45eb8a6de76a418e255dde0d3e1e405bfdd447cf9494ac5f085fd726a172ff0105c021d668f5ba12efd85089ca940871a17

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cd1a28d42617df870873e8b3d70ef812

SHA1
3a1da4102b6327623a07380f92d355c8ca033cba

SHA256
e0d1263613d4f0ce94fb75261e0ca770cb31aeb53f1a725dfc40b41245c5911e

SHA512
8b23d53c42c556a3cac9ab22f85f2f817aa613362056453bfb1fe3e940118748ad493408a39a984da73cc0426bbb0d88afcfc7e5f763c3dda8af3806cb3118b6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7d6f058df4eb25ba58f3c5ec368deb61

SHA1
648b6e89ad314fe3de9331ea30db238ae0645210

SHA256
fa40193a956d1f25f7e3ca4e72a8d52db1ff8e9a006b88fd7e0f15fd0e87e59c

SHA512
9bb1d8bfcf9c263584df455f693ff686cffbfb5c2f61c15d732a54f7f19f4ff702a0b9e36147414f854ce273117e0b8714cd9f77093d5d3d1c0584b8be8d2b53

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4474d1c5b810691af04a0cf1cc91947c

SHA1
cfcae0f1dd69a6a7a4cccfa00780dbad3b483d6f

SHA256
09a90c1a17cac73d5d6c93afd52868cbb7dad19934e8ccb83390ce87d1168849

SHA512
56f417625e422da538e1a0c47824c899d4c6af64c0bd46ad1c0160f17473c1b9f5afac00e3bf666f02a4f2f5411f97b4bc31cb3d8155a1389351e6d438d48c04

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b7a451402dc5b3f4ba4776ddf7406f3a

SHA1
32903e8d54919e16bdafb44cf4ae7bcb708badf0

SHA256
99dd4303a2f95d547d1bc2de1925669e1c500d1d7f8494582851065dbc43d091

SHA512
d909e2508bf304dd17ef2a7fce68901d671a25da4c8c7cde262f5cdd355ecfe7c909a9ccbf06ec20d457e94bf3e34d49d1b41da5f120f616a42b253f68444077

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6a8152bd59a0f8f3da92a0c9469779dd

SHA1
4e35ca0144403dc07e88ed189ac1db930d843a3b

SHA256
6ff2744be87061fc30e1564d5b75329c17ca6b41551092ea29d28626adc7f85c

SHA512
4ce2e06332f6b912400556008b3a0eb37ba009422ccca358dc31b1a9f353fe4fe890444fc8b6c192ef3b6784e5a72730a6cc80d4c389e1723778017af856c43f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b0d2f2c12393490878c2fcd2429d07a7

SHA1
fc1c5ae6d607fb188639d0920e21a036f7d7219c

SHA256
b161e9239c91ad61b2d0ea7499ae490653facde83b60cc75f7104f1f68a316c4

SHA512
3fdfe5b767211c84c1bba56d9ed8017f5152d33c57b987bf6aa0806443941706d62dc1abeb0c252b5f9d88115e77a018a04fab88e8bc5b2a179f192b2219bde5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ab868e6e8ce1b7b6d132139cb1138569

SHA1
b06a6a1391f7c5c8d3f13cafc23c81cbfc85aa70

SHA256
16d7383b763fa61f26a0943bbb10c888813e5717e2b9d9a87f4299d2f5252274

SHA512
10a8bc90025b32c9524ebaeaf127c8b53d4856871cfa7cc86d66d30ec391bc6570149a7ac24eba4bc57ec2e2f212f57c2c2d919fbb3ace2fa189bd3454272db2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6be794d8e290d1dfebfbd0ed561cba4b

SHA1
e1aeac8ead94f50495f6034294ed1ba9d27001be

SHA256
2c2f9927633560c57e697f10cced6572dffe683d5332a7f79721be9eef6007e2

SHA512
04c433670f801dead48174f7c33950e9de52eb6c3596ec104d8c2345a2f7a7d9500dba94f7d72206344ed03a17e5d73aefa72bdde83794214bca3352af2c59a7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
283161d5a53454128fa64d922bb181f6

SHA1
4cfbc93a415392ef0ca5a7d6e29fd842a4d6561a

SHA256
c27b63cf536298fc94149d09f821f4af736333bfae044f9451d7f75472f4a5cb

SHA512
69247434da1478304b363bc02c62d727c869c618b3942f57d07e65d7037b1870088b1bc1f22794198f55547837ce69551c3a05ba675cfb0b97a872a6e90ab33b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c5227191c5b475a4487f8397e303606f

SHA1
24b0aae345aa9ef2347d1ecb939d1017489f963f

SHA256
cdc38b21da34e6d2dcc77f8e5b547ef8c775d31a35611632cf69abcb4e358c1d

SHA512
175a87d4965afb33d2e3176bf7bf8725f20553c16ec4b770a1197bbb14e160bd1aa4e11d8d445d24632cff917736e5dca284eae803ddc5d868847531a70436ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
51b0a085cb13dde93ad72881d5be4181

SHA1
18e026379afbc2dba1b406109f51c6218f9c431a

SHA256
9f2d3a202d5cfe5456c7ac9ec61a7e4fef9186063b2c14251eea1fa897c2c681

SHA512
f3cefe18215e59c887aa937fd818fc0d519de8bde1cb6e79d3601f216c52d58f77139fa03fbf61d3c014377216df04541cd95f6bc8772c82b3fa816ec4a36cca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
47120465880f4e6a6379ceb43b3eae2b

SHA1
cd6b91c61bf084ee7fed8dc972fc500066f3e466

SHA256
8c007810cdc5dc8e870590f348d2551b74f0af1c66b5dfbcc67500b026f19511

SHA512
32fd06e647a877aca678fe81fe3c3ed4eab401bc0d03ab7a955798ea89782ad85f9ef5a1d3e9f412488ec506c193c9f62239b80faeaa26390cb0219083ef1101

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
19e486da542f4afafdae6bf21b4e466f

SHA1
24fd38948d5a619b2841f154541b2d232ab440be

SHA256
89e34d07a2db5a69cca8f4197b852b21d39603f21dc8a0e1349b368327630e13

SHA512
4871f894e34a081f340383db35e97668987f9ec0c4ff3b7aa532ed2328ec3835c0184c02d4cb1e4715aaf7b1e2030f611c3279cbb82b7cbc4777c0d0815b725a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3626f2c59ef68ad0159f4f7c354b3d62

SHA1
eb20b8778999bb841f9a397cda79280ba57fb421

SHA256
1313fdf5f348e417a350fe2f6e8baf7a62bb461644382f2dfe34bef41fdca211

SHA512
5465ddf14e634a205e4b440a584fc2b52d453aee1dfeeecd2818ebf2139af2b2b3e03fcd0b7710de46c68dec46f8899d484e79af42612b2e2b2210c2de06803f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2a04d61caae9c80b6f657f569432c3df

SHA1
bff553663b9b1874355d137593c3720f0585c29e

SHA256
ed66f9d6b8da77324dbaec03a47d70fefd8a0759bf35fe33693c4f53d42635d0

SHA512
e09f2c1b01cf48133f486cf178aabbd2a27fdb0623482edacc76794c407026eeb504c601c7ebafdcd3c6f642fab113ebad445732e7f9d9b06305f45f60637c5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
86a7da792e8798ce98e0fce1bcd79d1c

SHA1
8e1db26e026ef17726bd69f4d8ac91dc24d1ab67

SHA256
cb2809f65428b9456ac91c73c703ff892893b9ac7dc485dbae2450c470c532f4

SHA512
6d79ca5949ae90f4a01ff455ef792854321283fd0f1d4c7909b131159f320b7f4cf9950c078ad838a774a83dc66ba83f3d40e819b17a8ad1c3728111a9075abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
10f1b05010dc66f2a90578c7ff7ec40f

SHA1
c75998269143c9404872dbb294ffa01a034996c0

SHA256
7fd693f0d838f6122ebf50ac465f6318b2fc6d4411d838c9bf041133ee1d462f

SHA512
3f79c89307e6c3716a590bf6d78586b1b830e50bbd37f92f1e2f827abaae9a9b198180fde210e8d477ab9ea89c596f3ad254acd8f7c687bb73f312f4aecdca14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8488c8e29e737348b0db361d8a8aab88

SHA1
a94d5ed05a7f8c6e6f0487143e82b5705b984888

SHA256
ff5054f6940bc493b8e1cbdeaebdb7b0c9f09e44f61145fb4c2bb539a7a91e8a

SHA512
69b27a9e1c278908154e8fbcea005fcbacc07c28b77e84795fba1b0eb813c7c85cd78983d99e2f78c8ef5955e39ce65711b7ea57c87ed1fa913959d7e0a75c9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e78c44318ff046f9745f9f0dd9458a79

SHA1
a51d174cbdb47a03b268d9cdf4aef42975b84471

SHA256
95184667dbe6f68708287ee9afbe773875ab005c31af6581b9e1bc35acc660a5

SHA512
01a45f2568eab1c82fe9608e367d28ebafc3aac6b44a8e5f9a0cac66165472bf1487668a58fd57989ff146116b08521be95b1d1816d41efca7e6655a806bf990

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
17ecc9662eba58949c6bf3da60fc141b

SHA1
9bfb2e1e7ee52eed3d2c66525a5bf7edc9140d3e

SHA256
8fa028fefeb8784759c2bd0a56718014d263ec4ac7911874d2e258a27909073c

SHA512
058dcb45d7991a1c7e05d3b78c39e7dae064692d32dc21c987ae83118c9f165c7d3ac0bc5582a826721da2f02a02e5b64a497178f72be98a5a490b5889721aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6985dd118c8903a47a69ef5a739286d9

SHA1
bd80f9a670035c8cf92aef963ba01517bf9b6940

SHA256
0eb71a8ffd5b52d1e9315068a5eb2baf9659603238fed2079254d77146c82801

SHA512
85e34e759e0c850ccd05b6d134dd6aa27956dc97c63756447a932e044d8aba4a03d78e8b2a466961345f6b8c9c1a88d7d3552f72763649ca43b387718fdaaf05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e4ac88097d06d68adfd3229a5166e506

SHA1
3b09fcbcf9922c99f1cef4e504ac7302cb610414

SHA256
9ebd1853e5d3a31db972caee55fd69807f5152a7c8f8722bcf9207d9e8a4a0e9

SHA512
52b0bf0982b27794b4fca25df807e99e636f10381ad46797b125728849a8cf88196624945c82beb8c9e1884b94b5962b9588d25ddd2a935f5a1768eb7c54bded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ff2dd78a82da339bb24c5733f7977f93

SHA1
dabc590d01097ede927814ae772e5028d9342990

SHA256
403778c6067b6492224029a88dc33f951a42213db959e42265bdc414ad2fcb57

SHA512
807618e390a99cc71539ab67ef101805a776717c285d3ff8fdb948163752f137fccd54b7138a569c19a2c4e3d8b9657f0d9621664cefee19fb9e4cdd1a44a4fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
08d4486a8bfeaf316007b0fdfdccf3d4

SHA1
5967237ce87d8953b20cf413e1e0b66b5087c4d6

SHA256
901b71652ad0623a3dc36ae04d3dd19b2456048a8cd13da44ded0bea2b8e0894

SHA512
dd7ce53a33c5ab8992e0bf03ac57ecb3a6d3c6b73448cea132ea0d9b7753bacd712ad3bc3e001d24b9f48aeaff9df75ddde2f70ac9f23edf24dda0717dc1a85d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
de95f7631a539a47c83d31e3cf48bd78

SHA1
db18896d0fe09c0015d81c5dff985ccc1ab20bf4

SHA256
8ad258ed60036b7d920f14ed0fe80635eeb8a9049ecdb2d6f98efbb034347d33

SHA512
1c4ef56c223bc1b3463b95ed81b8ebfb7b5235eac629422b07e7e73cebe9aa746fff6c482c8c5b96125b1b9bd3dbb39cc99f614af9362504b4eab3b7dd20f985

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a90a545c95a0467b653fd9dd60ffe4e4

SHA1
e19017686b964fabb165c69bfbc56c4bd7f7760c

SHA256
f6a3c8dc82eacb22fad2c83fc9b71b618b566fd94638857caf90f60efa8e9ffb

SHA512
85b531ef6e9f3cc264c671d3555f3bfdf1b19b5db831f165b622b771d18a1636e0c2d1dd6245bc1dc5a5e943833ac149a4870d57c7ba3a76a9405171991411ed

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
20703d9c5753c1f6e56f98960d27fac1

SHA1
5a7f106dea05ede8bf13adf9ad3b45151f0c29a1

SHA256
b4260d28acc3b0f00c1cfdbe17d3d8f02bb2a015b85f9e464419d4acde315ed9

SHA512
f443930863c5b52f4e3e3390b531bac0b3e8e518a8db756ad21bc0a7e88ea0678088aef998b709b7d994a3fe9f44c30a4bb657a4b30aef52d9fe5685d8a3bc9a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e0e6e2f14d9a64cb1672323a551bc95b

SHA1
9d828aae00fd9c98515a48fbb6512bb83a9d593b

SHA256
91b7731007e2650d2b6f2c9cb75a07d9ca0f34fdb37411ad5c9b191ac93d3495

SHA512
016a88ff25af5754495ea1d6b75b9ec1ce9967e20d5cc0aa079137681a62f38296a8fc776662b29dde5e18d2993015cd441135c9810c40f2a7f8b75f3a4759e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
43a13597a7daf6a8b585df6a7d3b8dd2

SHA1
31b0388378ce114e49e2d4c834ee1d9ec203d4b3

SHA256
02806dc8562d3c8fb1828747b041adc36e201f6d8b0adee505534d820adc2f61

SHA512
9eafa49a49f830010436d8dce46ce7cd5a116f8a6fb082e1cfd022b8581ea6f186e8ee3db28fc027693e69a4397d5be47c75fd4c67e74b059e2af2fb6ce4e6ca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
19fded3a806bcf210ac024568dcf5031

SHA1
5381017d688b09b187a610c448460437489efbcf

SHA256
3393b2fcebd9463fe0f6ed010b68263f1da097842e2bacfd8ab41fb8f74b2af3

SHA512
e9512c04cf87429d3d59256a0edb10e5fc1e80ae888a9068e35851b20ce5768adc84af4923615efa0427f182cce6250c4e497c7596f02e614fc378549328da43

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e7888e69f2edc5e7d3a2a80220245c00

SHA1
c1ae357437046c43da2f4e801f77fa966dcf6600

SHA256
58fee98ebcffe77272d35ab53ef5946260abcc1b1c7abc9bdee0fe412ea10b04

SHA512
6a42aa43d7861fa2a4cd5714fd7e470658f9edc79cb3f379425781425d3be3499090f98c9dece90abd45b5bcb37e8c10848b8798c1d3699a9dd61ed9540effad

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bee6605f6f349c432ad3dc618c121073

SHA1
c5d39b16581f2c4972c34557d7efe3191244f10d

SHA256
29a28c5b0bdf882f2495091c3e8a62b51e29f321486b523079b5d325131695c3

SHA512
56bd39b43b3c502d28bfd8fa4eb586e74a13e27a0a650fd8bd1e27ec6083b4e47497790b11bb76eeb24c6e7e9a682ebdd8a8e6c34b5f862d4409794e29c0208a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ee47f9fe383fe01e6b29424b2ec7ec2c

SHA1
ca05bc6a7b9d06dee615de42f1e5f8749385ab54

SHA256
63aaef867113b5adcde868c1eacc07ee2e9c999f965a62c0d05f00750830e22e

SHA512
7d6e69ec3339bc1cbe4c4edb780442fb61d43809dd8f0d6738763a8bd83a28349bfb9c0bc9a4f563cf8a384a45e73d6906b42a053d568e330402ba03ecd567d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b5db5295ff9b58a2cc44c381a315568b

SHA1
3f1486c19d0e4a95c0dd27b48b24044ba239441e

SHA256
386d42b6258d4df19a2204bc8e999dc4fee7e8d7b064fae3e8d1188f6f10c637

SHA512
1ec002ff78653588f0675d993cd1818d935cde72b3b895f3b5b92d15266b36ae50c570ce29d7b4557abb527efafacafac5007e8326e1d9287ce4dc86aea6ff33

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5be578dc97719567ced32d811c353506

SHA1
62b621cfbb6e07ddaf1ea9b3c7693f1badaa3eeb

SHA256
57841ad45f828c3c56b8890af2c2cf7948cbb4a75ac0e004a6ebec4e42d64b71

SHA512
866b5eed3ebea0238d314c8ffb8e53ac3a1053969b7600a47576b2bb4db8e6e3759d615aff1ad005d851c31a8a499e615ddb529eb4592e6c7be499a618f5fbe8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0cdd9a40edd06e0e015131177d6c9ff6

SHA1
ac422e5a9b174c43a9edec340e3184c50306d9c5

SHA256
6c79fd50afecd94a3d511553965def5e97361a2d63e3f181143a8c14daaa16c4

SHA512
f52fd7339078eba400c7c7d3e2a87d618a4d5793888385df30602c301b5b59d944296ec86431c19ef75c5c2d63928c5b3dc99879daec9016f1b62e4bcfa34ece

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c70ce67129f6a185cd94f916970d51d9

SHA1
404a4b74ff2277407e0b1e3c87ea9ecf7550d48f

SHA256
8e5745bfba0f1f5f5aac00edab5690231e8685c0ddc5ed685d54e8fd08c99be2

SHA512
02ef9bb65b693cb349241051cd54c20b13c30d5d0c898358699fd7823922dfcfe5abfff167646b4111cfb4c93af882b4e69efdbbbdf800d2d2111b5d2591fab1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
560a48b224e24fc93904417679ea58c4

SHA1
4d78e03e0133128a2df27c437e93be3fc772032f

SHA256
9ebd91e3d5bb1350e4e9a299c978db098df5a5efc23c4d54fc9e6265fb4ba2d1

SHA512
4cb0e70780c2c9424a1d8b6d0dab831557a73d9c31cf10badfe32bdbad128eef041323503bf272959193511a99b4434650625d9f0db2f4e42e1df9c3a31f1547

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b896411bef17ccee0f2f0e495f262edc

SHA1
bb814bebd1c755a5afb2d59ff01b735c7eb1edc9

SHA256
2c594924468d622a87b9a706054b47d6d817442c4b12417e4a921806dee74afb

SHA512
4a89c4accbdb8585dcfc7fc633a289098d1d5507c8c1ea92c5ad5039043811c43b322ba6fca0539da2a69dfd9b1fcab2e3e9452c6319b61961858f47194314ca

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4c54317aa7e5eb84fda0b41894c4daa2

SHA1
3621cd7980a808ca1915a7a808e36cce92fa90e2

SHA256
57e382e7ec183b3911e065de6df88dca8fcb971213d3d7b835ca34b7eddf90ab

SHA512
47b337e005e6d58f02371c9825309c96a6fc70681e59c02a3285d100337758be1c6a5862e81eb332da4717473c8bae155e10b3f218eb384f3e857b326e1b1bd7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b9a5d58bc7177813ed1c5aa8bcd93c65

SHA1
31867dd23248c94f5bedd4dd93af06a891971e21

SHA256
6907a8f2f7770ec0de1930e38abcb7af38dfa67d4d198518a313c824919129c2

SHA512
33ac89062795bca1b0cc9dc4a058b2d6a715e2a9106b7aaf4dd4e0859499b234250ef3dc9d84dc9dcb788925572ed26b27f0e861d05b164b7f2a5d56aa0a9edc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5811c342030abec51e992fb2546d40a8

SHA1
6cbc32ec9f23703e5de80d2cf1df9362e6c676a4

SHA256
6fea46340cf8b08901bef5303b042494f58cb359b9817613330e8397905b9ce1

SHA512
b0c76acdce84e18123918a92619d6df65d4d00338d90be8ce429607e7bc1750bb1182078bdd31b9f19bb5099ba63f4d5b525987174809513d2436eb62496bffe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5bfb47e5610072eb9a6842a63d7e6166

SHA1
2f8ce91ef5f46278ab25785c498a828960f679af

SHA256
c738199e981a8f812bdfaf70002fd92aa737d903946ef8dac36c44855284ab8f

SHA512
4821993d1aab462496125a514c945db5641659ae0fe2941233ab401273f61526dc6823491d942f8e198a3a151920a335fa10400af9ee4672faaf2363be512376

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
09b71ade423619b144d55242a1feb7c9

SHA1
303c28a603da221e18253362913a226ce3379978

SHA256
5fc5cfc3ef17c7d23fa6c11013bde4d0abc0edd4365537f6814498423d8dc244

SHA512
21701275ced8d52b8d32c755a6979c48e586a70cf0c1f97e6a8c9ec6d2789f841c7f10c57a24297861fc7cfd73537d0512d08aaa945f539f2bb448b036feb6bd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ae87dfde684c4b06dd04582a253a322a

SHA1
5f10f9768e3e0414ed63c74410b033a34ba8eea9

SHA256
86203e56daaef85a35d26b88773051901f74310a03fc067d24c1c108c94eca73

SHA512
39e618a143e5e82eca5cc1ef15cd8560aa7c33efeb75f3744e44aea2743f8ccf9ad24f4e893002cba3728b428841913a3911ed2705bc00d44c1fd023481eae89

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fff4d27df7346ee84a67e75b28536621

SHA1
0181fde95c010548bd30720d2770cfbb42dd5a69

SHA256
010470a5324894c0e0e48d7830a70b8119dfb5a35a47603fefd1e07a14942ee2

SHA512
8def0f6b7e801f316c0304b86ab32500991299894ae97caaa0da75351dc1626d4557d3d06d3377d534512a4bad6ce9943d6cd65ec1259c85eecfdc1820cd464e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7d2913560811b7efa28145fe32ed14cb

SHA1
b4cb5b3b190db8b152de2d4a48a590927dcdff4a

SHA256
70bd549c251b9d81c83c09223702b822c939a9911aaddfdfb920e7104990bff8

SHA512
c53e5e7d20179c3849de79b21b16c74b1a597391d9eb0d79ea3f6654cc3f94b9a53ad5006940fc397e3a00d48ee42d0f6048e64ded6bb17f504b5beba5e61ffc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
05a4427e6276d4106ea0d3a9583dc519

SHA1
fad76fd078b45a7c50e467f15c52a829a83d320e

SHA256
748fb1b40f4208ab480ce5ad16cddeec865914217c850c7099f2e9fe24dd9571

SHA512
9a7210abe9dbd8b7de8bfc9c8606b8f8eb970039428347f0f0ef7d8b875b11acbcaa45683df379cce6a03553f845f3a7141bb1b8ed1196cd56980f697fd1ec93

Download Submit
memory/840-699-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1240-111-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1240-229-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1300-698-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1300-258-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1368-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1368-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1428-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1428-519-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1920-692-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1920-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2000-126-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2000-245-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2108-167-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2108-422-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2168-6-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/2168-0-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-1-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/2168-71-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2332-50-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2332-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2332-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2332-57-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2540-11-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2540-12-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2540-110-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2540-18-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2680-76-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2680-79-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2680-72-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2680-82-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2680-84-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2708-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2708-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2708-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2708-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2808-42-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2808-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2808-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2808-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2808-36-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3292-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-689-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3660-144-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3660-257-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4076-693-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4076-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4244-606-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4244-191-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4572-694-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4572-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4616-87-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4616-206-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4628-690-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4628-203-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4652-125-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4652-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4652-24-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4652-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4896-123-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4896-233-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download