696cb26c3e72ef54fbe8adc98f62a56d486be3792e2b7ac43d300c8af8912f38

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
Size

625KB
MD5

d9d8fc58def0c13e770ca6720f632ab0
SHA1

deba5b04a66787fe1d6c5a1196afe89203620b7d
SHA256

696cb26c3e72ef54fbe8adc98f62a56d486be3792e2b7ac43d300c8af8912f38
SHA512

9f8e4c3f6d8adf889b9ef696fc96b769219ce0dcc524284adb137dcdd0c27c46cbf7762bd6a4ebfc1f0d5942d411fd88846c20dfb33c30120acb3f4723474f06
SSDEEP

12288:A2uVqKNdQ8yRK6rkObwsToHOOWGgqvoEWH/lInNg4JYU5a0Cuxy:tuVqIi2lObXobHAEW9INFJY0au

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4372	alg.exe
444	DiagnosticsHub.StandardCollector.Service.exe
3892	fxssvc.exe
1620	elevation_service.exe
3868	elevation_service.exe
4896	maintenanceservice.exe
2876	msdtc.exe
3044	OSE.EXE
376	PerceptionSimulationService.exe
2188	perfhost.exe
2600	locator.exe
3524	SensorDataService.exe
4948	snmptrap.exe
508	spectrum.exe
4464	ssh-agent.exe
2016	TieringEngineService.exe
4512	AgentService.exe
4424	vds.exe
3208	vssvc.exe
4268	wbengine.exe
2812	WmiApSrv.exe
4764	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d3ca99bac3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5687d7832a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082067b7832a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098ce17832a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047cc607832a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011cb7f7832a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a286f27532a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007da4787832a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
444	DiagnosticsHub.StandardCollector.Service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe
1620	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	116	d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3892	fxssvc.exe
Token: SeRestorePrivilege	2016	TieringEngineService.exe
Token: SeManageVolumePrivilege	2016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4512	AgentService.exe
Token: SeBackupPrivilege	3208	vssvc.exe
Token: SeRestorePrivilege	3208	vssvc.exe
Token: SeAuditPrivilege	3208	vssvc.exe
Token: SeBackupPrivilege	4268	wbengine.exe
Token: SeRestorePrivilege	4268	wbengine.exe
Token: SeSecurityPrivilege	4268	wbengine.exe
Token: 33	4764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4764	SearchIndexer.exe
Token: SeDebugPrivilege	444	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1620	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4364	4764	SearchIndexer.exe	112
PID 4764 wrote to memory of 4364	4764	SearchIndexer.exe	112
PID 4764 wrote to memory of 4820	4764	SearchIndexer.exe	113
PID 4764 wrote to memory of 4820	4764	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d9d8fc58def0c13e770ca6720f632ab0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2876

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4364
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
08e8bb670f55cf440973e93a6c6e1d74

SHA1
2f24e55d4c77b55105eb8c340b4a83c867420e1f

SHA256
e9066b495320dc774e11377f8a3da6dc870083095d5d3ba85e18e5784f7d0b8a

SHA512
74f75c700b461ce9dfa8085a7a3ec00e015f54a7150ded4971614f879c8efd89b20f63d08821df08d6043c16dd3f1f034b9afd2b033bc45ce224576690abb644

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c2b0cdd6097ccf98d36c6e95f70fb996

SHA1
859ddbd17029435379e6a5ebe70eecff587dbb1a

SHA256
c8b8dffec316dd5746322a1affad30b8758477220e9277a41fcdb59f5420c689

SHA512
c26b00ae78310a13d54d65255cab2dd0072c37399516addb3ff23b4f90c4013d454ac0e67e8b095b3367da574bb670f973deb3251c8acde866317566862cc5ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ce5bda0a5582ae15045a7c35c1e8cc48

SHA1
dfc65d1d2a649565643c4e61f203fee6d8bce076

SHA256
0cfb08089ecdf8f2da2b334de9103da230cb50fa624deaa36c8f73248c886dee

SHA512
2d09f1eca56a67bbee613d58e6d3e272c4a97c1a6d96a3e83e393e52dfc23faca29eeb9008ff3492e8e200422da763a1d1af71229d517fe17541032599f88b5f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7dadf8875f62cdcf2f00710c7d69e5fd

SHA1
1694833eb6e4b208d074ead69424ef0e1cc1704f

SHA256
b2458180c0ca3ed125a021359cd968c9980da72d452531bf2714b118b8d4a77e

SHA512
0b18cf26c21887546beddd655e3fcc31b77606064f878d25000ebc870f4bb47b3b2b094b0648c4217787dc8ee3cafe9f69eca5f2cbf8e419f84dbabd561475ea

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bc223acd8ab8d1cd90087dc5d3d77804

SHA1
6ca57ecbbbc3b0b182569684f0c54b0bdfe47c2b

SHA256
eb84fde9454a14c8dea55bb182f06bec2284261da5366ace5d3105a989dd64d8

SHA512
bcffa3cfa51ff956fa7d191b11a51ee0ecf17aac85b9356ce1b8c30e069021f18c9dfc662241733f5f50c93967078d7205a7bd4e5dc4abeae085e4f7a60f6e15

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
73f62d40c496585d2090cb59e9ccb5e3

SHA1
5d45e7fb07da4acb2f964b0c620c20c55eeaef19

SHA256
2c32feb7368ab157f37660ac201a8c0f99c42b7564f97a2e432afa37c6cb5658

SHA512
d2dbc9390c72a376d33216b5e704b2ae5faf68a1e7a5acf63b2b922cd4dabc89f77c4b6df9c18f360cc601fcb0b76de82ed42139320abe29bbb2e98eb1b505ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2b5482e1d4491d8d80910791144374b5

SHA1
66c2e150137150eeee6d70ab21866d9d25312396

SHA256
8f682fff282a0a0e5a805e879b7ac06e066782bdfb31fc1a60c3fc0fcdb74d6d

SHA512
5ffd6adc15b84f3e6dffca9452835c3d813375645a2285ec2d026367ab9575cd43ec0811932c80d103aa6d2cbe191e115cfe6637e0d13f6bb4bf8c9700f81349

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cc66c0d79d9fb41268c30828e4f52a20

SHA1
3bbab65b38d22a4a62cfbfd40801361d6d9b6897

SHA256
d57aee436adcb10a4cffbc1bfdafb67504af88bbc3356b905ed586360f54175c

SHA512
3f46281358a1461ccc195af7c92d45d326636ce959447f14ecb1213fdff951b5daae46dba8c1e2520118546486da6e4bbb3562dec0bb130bd8af705a86a5dde9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3c6f38d928a7dcf9485fa037fcc77b75

SHA1
a4f2a7018d882dc7ac5d86818d8f07ab2111c30a

SHA256
45c750cd8accf5da05f1c8e49955bb9ed7083a837b733692ba40777ee75928dc

SHA512
7afd09948b3e56b222dd040d64e465be032d18e8725b2ef8d125736863e687e7025d67cc79a716f989655607d5989f6552a236610d13df56add746968399a1aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5000fd9ab6a762764e41b18935e02ea8

SHA1
6467c79f7c576891a408d3281672ea718a0a545e

SHA256
eade416bc6e040234166d837e2bbbd94d26292420c1fc8d23674b617381dad81

SHA512
a1f84ade44cad4e113306a39f0c68b6d9ba6640779d86ce9db17d686ce0f93deb21ae55c855549be6dacec85baac50be68e3a13366a5d5202c44416acb1f3107

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7e0710c2bc0288f150f9729580b49567

SHA1
aa287d3343e658943dba773805a1f1d3cb99275d

SHA256
d33e646c96c056f8fec7f74e95efd8048b6a3ea4d51cbc735c7f973359dc2e4a

SHA512
ee5d819bf0d1d5f5db3295ec3ea398a30ccfd5815e5f9cf7122baaa1c7547f0e444366da30e0facd42dda2e4f2797864712c6740b22dde1a42a3215ad00774e2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
284d6990728d93d5664c496901992561

SHA1
1f5729092da07878ab5d45b52c62b0ee4833b0d5

SHA256
ffd226bfeb9fd1d6a672820eff9a9c7ab6a335a472d5a76e9e778aa8103d7b3a

SHA512
920ff4f85114c57f1ea7d660082ca4c63d679b127cc737e1b04995970a993c2cb5c461ac756fb1e245e0d579338699809af17683dd11370f6c2c8aac4ac7dca4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
188975f8d226b39fe0ba2df99bb506b0

SHA1
2a05d98092622cbe87e97826b3979b3bdf4e83ff

SHA256
ebd013d402451afa5bbd1a5cf1e8067a72ba75d72862a73d54953ef44b77e39b

SHA512
941ddb6c82353c17a0be3481696bc95a13e8cddbb4da44993147f6b41e5d24aadf2f34d0d417114d04f831cadb61b4fd9d6e0b096e22eeca21eff2f0cbe3895f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b01082b300873780a7bd91b2e9dce01f

SHA1
347c8b5e05583505f8b4c973dda37d112cd47683

SHA256
12d31e62363ed54a4d05b3346bc975720ac6ec78a09b0e1d77361e55597b423a

SHA512
8af43e444d9a283694d91c27aa4ff140cf7d5015ac55cb34e9d53e14d4e8936b3047b4cfeb0112d929896dfa1ba6e928bdc5e9d01cad8570d89835c523d4bd50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f36b3b664932a96214d7f4daf36b2c37

SHA1
9c940b2625bf6abdcf0f1030277f0c358f4a900c

SHA256
d36ed0723bd966d3ab500d932b974ddffe27b0176ae18ff9b16f5ecc2a9ccf73

SHA512
76e309872a98eced2daa54799eb5fa47f50d1c18ab47963f94f3de73228b47377c4025fbfb228a03194233a1585b32c1dc8289f69aa6c657cfdc5c91aadc1d94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7a27496123a8c13a2f31d2a9bfde4418

SHA1
6f289206bf1c4f94de0534266cb4f994d69cc4f2

SHA256
dfc717d53fb3484c84debd3dbc87257c8718aaa2fb9cdf79945be40a6b79a903

SHA512
a19abbcf17354cf1bd2d4ae73cd3f49bcdef88107c223a70f694fdc525cda8db673bc9e6c27f1aa326910053d1fe5a7b2e013557b4f1bb7a6329403b071a7f3b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4b02a54f9bfb04fb25f43dcfe114ef67

SHA1
6cfd0c9b6e13e974f268c1e66a7d6d8f0b37fdfa

SHA256
7c846d7af3727a7d31edc9fa7ce343fba15e85e064e269bfe5518df42359d92a

SHA512
ad922e5c2186834d26e943d3dcf190e942da5b5f3cda83bd2e93867f7497d47b498fe2a87688b51a2ae2c3365ecd490f3a9f40ee80155dd0e15f061ed9d4216d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b7c3eb30d792a20677b4ca4bb76f77f5

SHA1
76d6ab6edb60edd478c466139d2405db0a9d2982

SHA256
bdfa6397dd65c30142ba289e6a33464bf8de8c438927ad543438f5ef6d52049d

SHA512
979db3a2ebacca2df6f55bfaec25b4a66dfa452d1780345c085ca706229e73babed886c1309022185ba914c0361a95221266ac0a5640f21b4d830e043bc39da0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
776bc12abc7edbb9ae85dfa54e6f9cc9

SHA1
54c18e75a00454de4dbc4a5544c411eca1a5635c

SHA256
dff417dfb73d9543ec35916d4e47cf01fb2e749fa8e50e9d9bde00d97a393ec0

SHA512
22a3d4ae23cab868af66f97b9cdc8c0612c9430e619c87a759d99671b8cc7ea9dabaa36e95f44d2c53e983d4e25d12ac04ddcae0ef6600e2dc0b7e2364251f87

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f73ab95ec685232471c4891d9e48a658

SHA1
1637f638e1842b9523ecbdd415eac894dedca432

SHA256
d55bb4e46459641dc73a7eba06f4b04703cb0a297bd074c14a8e966470aa012e

SHA512
af082a5116d35e862bdc5e5e74e00abe7984df2f354971859132c82d860031c0f5562f383dac8d6fd20cba6646bdc4fd65b14102ec6ab559587bb8926739996e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
dfd36f5a634bd9a5b288b5ff55ecf7c8

SHA1
48a842574874eb9b815964a15ab9016770815a2b

SHA256
d16418e789414df7010b393c31f8dd7ebbff4efe8fb365cef13d0dc93ae1f1b4

SHA512
0ecb1417a3ac1c4eb24acb37f9e825c50b9a54470904137b95c0a017b54abe49b258e7b979843725b50b4999d3e96a3b720fe1e75e3035be61848f2cb7a36553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
242ab8ba781204d1c47d21156fb8f5b6

SHA1
77b76c99c4e1331f4ad7002c9abacfb02319f877

SHA256
94f144bf27f52dd26ded60dd16f318eccc13387d8c66b2c54d0d93ff8b5ee324

SHA512
c4e8c4d77b478cdb97cf49179dfa8fd1b510ba8a6ce890c61322fece1476f4c0bfe149fb06a0dc93e6b09fb3dd27659740dd3bccc9e2de0a6d7e85e29b39822b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3ff3826440df08630ca2b3d0593d3832

SHA1
f73d6dae4079ab9518c30d52a066788fa72f2653

SHA256
4522106fb23fc0b0f95b81c268bada921733efac31fd06e654a60d6377ff7e3f

SHA512
b0d54edbb66cedccc9cabb4df81ed7c0586ce3707ba7f2e5a4e86bba315bdd2eb541ebc975eb203d31feb5c0df4f5f3a4f2ab54d426b6cfc69e34b59e97b5067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
aebbe8372c0a04f4d735fb28ae989f07

SHA1
704d50cde0c23486efbbdc3e55b8b65a0d576afa

SHA256
de203e07136cba097cea91f0f75164b4505e2f260c2d270071207f9059b1f3ba

SHA512
c8b74c46c2d936bd2320051ee5784590361884f68c12774602f4d54da26f3017f873c610f5e384e51c7f326262d3f6cf1ebf3867c93cdd0e53c979df37c91d7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
90b4528f4819841f5703847291810b50

SHA1
6c180b31ddeca74769d1ab7a4514fc9a6104b529

SHA256
85b3a06299c445bd4ac12cde3795fd192503dcccaf9367529b9a1008b0316672

SHA512
e52c026142c8800445949ebb194882fb28240cba0071049329a64848877364772338b238408625896609073deecdd26181a44ecb492969282f3281df7f059145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8023d775b7556e151db80233749cb1eb

SHA1
f8ee5fddba26e5253ce3e17644b6e059ace292fd

SHA256
d3c6d3cbf46d56dd3370bdfc3d49f4f2674f615f7852efa68e608ad67b8a4dfb

SHA512
137ce79b0da80d1d73bdbd84d7406fe06db055b98ab2d128d2e8f36f7245121f198b0e4a51b6a11524a5bbb51a8cf26c2f0e60fdef14e6f7210cb29e3af46587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
eb951d97ec2ac76d0c005377f52f1605

SHA1
16569ba4f7d509c072e3f589a0238544defa59a3

SHA256
4f3086205875ca8f13b0e79cac72248ce8295cab212607e3273b5c75887bf37a

SHA512
90185f548f2fff4a71770695fa0ae2521a8f118ea4495883b891f1ee5d7bfbba65e66bf090eecfaba3942903f74ced175c8cc6bcbb177dbfa7d6840fd3b856ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
662f9ae83cb65f1b8e1c1af9459e3c65

SHA1
4be57d174d084fe51d13160990decad6e6f250c5

SHA256
eb47c6727c2f4bca9d32939cb145dc660b18009e12c1a6a0e18d209d59dfe06b

SHA512
0d9b760c9f099e6c1cc69614dcccaaade13811d7c345cd9e5bff697b976ba0241c18d04c5e5342a17bab0ee7094d12d8755ac5e3d4e410a39eef1e6e332312e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6ebc426f9d5b3839b4ab7bee6ca0e2e6

SHA1
35f34eff1215af0d5375faaac326c9232c52bf81

SHA256
844272bdb8927eabebd25f5f6456363be81a463f4effa6076431bd892f6fe069

SHA512
9016de4c6590fd0930ba461e2c4829a99545d6327568c0f66d68287ee02c43a887c9b7cc7e1c4ae44f0ec8e2ee5d19725cf5e061482833ef4106369abd13d624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
fedbc9384e984b222e7799a61447a779

SHA1
285880f8796642a05faef9988c67466ff0a9aee2

SHA256
c2e26645178db14445a47c01102934901774ff4ff8a5cb27fbb2540a06a67ca4

SHA512
7862674b699df9f4a54e0a05b581234214489dff9a95eb21f9d69b1b5d221e8adcf46d6d07fa086ef00264da688e879301cbb45ec8fdc066fea88a9ad4ff5f03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d939b555bce3e579eb4c9f4b3e6c8268

SHA1
381d023663313e3b9e7bbf0158d0314aa95a858e

SHA256
b0c8e3fea36fcf163c646cc4b65f1d9f78df9ca28abdc0bbed57f407b1bc92bc

SHA512
61ce6acccc710f2e933036bb3a47b118f86ecca95a52bd89c833153ea183ee4b1464542e87b07aed133119e3fbc6950ed21cd2d34cf39fd08d0fcf65d35d3a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c62707eff889e4ac18ef523cee13a6f7

SHA1
2fd4e35d855c0e21d4f81b1f6687d61cc5fbf292

SHA256
0702563833883cd59bce77fdf18352d0d6231af1a06c228a26f9e0334710e439

SHA512
ddb7e054740fdbd4c43d98cebc5a70369b5dcf944fbf457faf0a7e153d7cb43c01f78973a0d147b09b3e137ab7a72889112165cef269e59d17055d904714c213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
070a3f36ffd9ab9a0ef8595e9d62463f

SHA1
7a8d77c3ac7c7feb88a7525e6b08592b7a69f347

SHA256
4a8b0d5971834abfcada4dd7b66b601844c5c161b8e2885c33dbd05d5ade4bef

SHA512
3ae5c0e5047038edf1d8f23d890a8ac2217a96a5a7dba737607ab171318169d47d0b7b100e55ff42bb130a7bee215e2debf63732105ee9127e1a4e7e1e2c28e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
44948a42beb1863e6bcabe61a83b782f

SHA1
105ac5fbd866930d43776859f4d4e440664a44f0

SHA256
a9b58388d42781554be2b78920071a42ff3f5550e81a94c43649b28958c38851

SHA512
619533c14b66ef28781b2b7316a725e280c72fad67cafac6e96f75a9ab5ab7e84bb5f6c6162e593633948699b9fff4e48570fee5fe6ca0dcd029991f773c0e21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
127c4d1e9e76e8a064537dd514580e4d

SHA1
d272a61240fb6e8619e938c3a1cf383145384b00

SHA256
4822d6f86192bc0a5d9e92b5c54e1a773fae703123f7228017f1ecfc19c8fac0

SHA512
0cd8aae9f3a348d0591972d9ac30b1a8fcc5c7b9070485178e70500137e4551eed41d3ccee38d0ab884fde0380501d6b2054a3f7574b6c61f5f39c0e7cd8e93a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
480b1efd58aca03434697cfeb6e44110

SHA1
8f4a3f6122d0c342ce8bef87a3faedac65088856

SHA256
975f9ac7d8af6d0acdf7938ae176fb3095832f43ad7c7cd4c794c58da26347e7

SHA512
b0d25de1ea023e967e7092bf78553f82273e70c2f2f15dd05d1bfe284e412713644178fc8cd2d84271d8111ce3a5e14a131f9bd6bffd16e18640d51cbdfdf42c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
90bde0c98588278c1aea6f68d86298c7

SHA1
9c0b47b388f9a740dfc32135764031e24eceeb10

SHA256
ceae20d682760388ff221ca04dd6d81b20e2c9a99b2aca521827f0a5b4eeb2b5

SHA512
9410f075c849a18539d011182dc0b7e59df71f56f150460495c0303aa1219f870909b9a431b7650b15120f49a7410ea39aa13b098c26d86630e75baecb44ead1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2c46836ee6fcc465703449f468f186bc

SHA1
ca4ccdd96302cbfc1827587c9073826f49eadfb9

SHA256
bdd9195f60a4264d26dcaa8d124ae8fce970c7ab906e9833fd05cb327d26f8ee

SHA512
1a996ccbc5243562919c9261ebaf40a670571b0f862a51ccb68f19b68ab5e6ee05bbc23a884ad868dd2cdcb4c5b8896de26ee74ed5010062c126981c5fa135f8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
06447ffd1535166ece153498ff8b5234

SHA1
8d841e6b1357bb9e90e5c8a9e2351a3f83f9c3c0

SHA256
8c27137dbaa063e21285f3119eeeddee5f65d5da83bcab707a22f45d2cde94a4

SHA512
d5677a745ade7bc40f01556f0eaaa5f7123ffa033f9bbf7b63aa7d86752bdf20da1cc6bf9d145037bf84b2ebb1728d712cb198b8cc255cf4a852e74536848a58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f75795f3b01052745bc225a215aa8d77

SHA1
a8a4b56dd7f4d23ed0699f1fb42c6eceb008707a

SHA256
954e5cc9d6c6b8252985ff445daba26f4c0d88a8ce455692e4fefd9f7647f0ec

SHA512
867193c5f807737e6e937a76c22cb8f0a72800b25e78667c19a49bfe495e6c2574c9260a507f62d55402cd5a2f704e344a48dad73dd595584f2147a899094013

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9474458045ab2053eec54ba363a6906a

SHA1
441ae222708f6a7da5601781605889a6bd0a2269

SHA256
449dbe8cf58154c63282de06d8d12f2bc4a6f0d4ca6c5da3d5dafe7d80c83ab2

SHA512
99f8e7735c0ab2c4bbee5d02a6b47e9b49460dbf78b4c466435b3d003aa37c37cceb29c5fc86a8aaed53c96b240f70809d1011269aad94c8d67371375d8e3322

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
12139bab3fc8998af9730576a0fdb66a

SHA1
bad4fd4df3a9fa1439c513c528be3f2490bdd70e

SHA256
95cded1f3e63ea2af864ec9d7ed43bdd9bf281398f6ec26219f3d610b16aec20

SHA512
f2e5e8819df7f75a40ad2fe7c06310c265543619de536fd05229d1fe779b84ee0b3616f6de6fc4e48464d3c240e7dde3e16bbcf0c94e48543b6dd71f1699fd32

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d883d69a403d6a0b57880d5f3ea9e2aa

SHA1
d6318535890eed379b9a1a8754ed71f491cd7e2f

SHA256
7e5f2049ecc176c54340111d44abd7307cd7fc1fdc9e8faf0c76837791ac9143

SHA512
10e4bd31e354ba5b9a59acc5f52b71c280ef60acfbce636a5a37c2366d7329c6f880d8bba8e2a9939495c10dee1662b6b43c77b2c8a50531df9471ab4340cd50

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
89aef6f286e3cf2a08b6b6ee7e24a7e6

SHA1
c84994714cf02838566658b77e5ac47ce368c01b

SHA256
4a90993054eb2f6a23788016a26cb6f4caedbc61127352cedf0b8a3d14a6fc2a

SHA512
cd6ce11bdbf02a2d193b38b80d40f1192c5e398bb4683c3b7a20fbdd14bcbdf17e466e5b0a5ae598e8b879ea0444b32be73b3e623c73090fe41d8e4c3fa87853

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c1a2339d5f03dc8104097567b8e380e2

SHA1
6dd66ab98c91741e202c9832d49b7fa54d0b7dc3

SHA256
ebdbc1a07949bf292310e7b7fe80bb95b7dd65cf3aa9f7ac0ee5047b88705e7b

SHA512
cc45b7a17c96c27e4f52ce262cd372db60fb51c4c1d2085e637e3c80811fa91589d49135483347b031aa6109d387360475703d1a7e9f5bf078b214b3fc60e790

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
935e2562b692e0a509e3931991528d67

SHA1
3045077125267410ed6d42c8706e31109f476387

SHA256
6515cb14f69a7796154dbadcd4bc59a0c462d3210cdd6d23718d06c50f636694

SHA512
ec8cceb18faa3036235e3ffad056d2492a31bcbb66484aa58014fda749b9a3649ac591c53a6778acf6ef941f6efca5a414933ad5c5d86bd73af42841dd8e019b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
96a1ea6f2603e52b050786419502d3ce

SHA1
422f5d8e83c0eecbf53387ccb6227ae90f3612b8

SHA256
71a32b33286fddf61c973cb5bba798ea4171b5f3abb5dc227fe0df76ea9bc403

SHA512
379217e6b16229f805bedc6c169c7c3d6ae1f1a40377867f2f521f3cb07618145fb8d08f999beaddf90ad150157b4c472ced766bffe77b166a1133de1bbc7aa6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cead2896fd40c4021a3fe9fdf7883c2f

SHA1
41822bc4a20e88a64054ae8b8a68d1331f9707aa

SHA256
06e8336ca63fea14745bb61c2dc7e0abc067d5f8155dd821d01cf43f92841a82

SHA512
58f99874d9f18573eb0ed3a6c677681e88174472548eedf67e0274d67285e67881f53176d0dee598e28a867afd61dae747edc913e30f7131c8e2ad591b59ca20

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6fefef8bd9986fc98646877cab21d69a

SHA1
7a529fb05c6ea0e0588ef9c45909341a531757ce

SHA256
5b73fd800b01589a6e437fec1e8052367297c95a587df8cc29f5bc3e42ebae9a

SHA512
60c53a967a7f2c037a8aac0c70a4b27ff362b9f93a80b0090e1f22b57c7a47a97fe256a9bb0e79e1a1cbb660ed650bad739292e17e0b4d21964a9d72d5437d71

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
70712ce50df46b4f6c104c4e2dbc9c6e

SHA1
dae46e4affb977340666de162c99aa82fd4854f9

SHA256
ac10fda9ba01d87e9ffee2b74e9c9ce98e3f11c2f0536c770b872ca0ef0a55e5

SHA512
512164ab97d260d863cd492f9d2bd62bf342d023db4e3ffb3255d044796309c3f56f86bf0b2c094d4497f6e0bc8c378970da20951256a6185f1cf45b0e25a263

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3de5b3b1641d90f1c0552c2e06ed1f1f

SHA1
539b2b7779bd3d89925e8be6d96b592c9f442146

SHA256
cc16e25de547641012c25a4ff61f0441665503316beff74b853f8784e678557a

SHA512
f8754fa6c9bef5879dd1f99b0b7966387108695cd7eacd2b5eab1c22320dd975a23e6af14656b676c49677c4997bb660a291cf5cc47e0ccafcc488a505c6ef90

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
83aadbc143368ce6c20f06b272345984

SHA1
0b3eec18567a2ea8e9055e9a76af6f0f2fe6737c

SHA256
d5261dc20c2e4a2baec690c56b1bc14c4d91f33b85de925cf9ee119db9b26b67

SHA512
47a7110cf9b0df65be616cc05c2b91904bf8dcc6a044bedf33df9728f807dbc7d3b3decd79a39bbd08a8a83bea7adfbac0c0e4fde3d1680d8ec62e020746f231

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5c88b039c31f66e8dc93777e1ebd5327

SHA1
88a868ab4a03cd77ae03f4518193a44c4d591711

SHA256
26d3bb4f5f07f26271c6faac2d825d3f7e7d4f9e36fad110bd73b102294dab27

SHA512
d59b16a4c654c21d1e2328371f0b22997c80719c0158a3070627e5e98bd87af6a4f2950de4ab2ee5495fcfde8997383c5a4c8e36212d12cdf003d1cfda309a9a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ec530ed1d62429df30c20659b375fd3f

SHA1
8e2fc952f28cc379d099f75cf97bfdbc73c70903

SHA256
39516287c01c308e21c61aeab48ae1a539154359612259342ff95de845977ce6

SHA512
060255a052b7927c06494a8ca403f35efabfed6ba4f7cb21f1f557799b35471750e4d9423354c2873dbe0f2fd84063cb58e2081bf8de0ee3508bf72dcd1a196d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6a466138fefad331a6109393bab72b92

SHA1
9020623e8c7558192d29251294df05b6d8458f00

SHA256
53074bf74e1dcfad4c8f2ae3f9a96d9a8b993f22273861a49cf613b38f587071

SHA512
f2102d59708dbca551c0399b928cfe867649672095b75c90afe69d050340c1eb3c5e1cdec314bf3dbd0e363782d4c6951d81c4fed520b5d2b53a796cda311e3a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d58532f49c39f383e2b45ee515c9ea96

SHA1
29eb1aeb40abb90388731704acf5540965ebd83b

SHA256
520c746f5952a651c00c3a8b96307bd1d775df2d3f27db780bd45ddf0e040436

SHA512
f48dcc4d384d70355e5aa9627ac71bac5e882595979f89d57aebbe29378f316b33441984824829d6318395ad8bcada475c1719c24ff2c84ae499463d5e5aa28a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
545e4df7fa8a05f3f93db2db58114988

SHA1
4abd295cc182ce1de4624f1ae1656eb5533d17ef

SHA256
ba7f39a8a77ae30ad9746d807822762c4ebfdfb479bb8178b8c46ed7d8aa0893

SHA512
11abb221961771c08c711853518c7687817496d62c22d3d0398778b7e84fef92cbe254b981d06b9479a476fa7a6f7645b916feb260076f19595d7ebfdd06b01c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
908a4857dc2dbab18e91d7c6783473c0

SHA1
e493a84dd6a61118e42a99d61c96835c6bfeaebc

SHA256
f61fed315f8acd8bc12b2fd826dde76a7017e55c38c020d3fac77a91b167c5eb

SHA512
ace743ddb08700589ce491641b169b0650d7d28788b1886c37b4120cf7b4460f9ecdb48760e2878284eb373726719c3026d32a8dfc048b49948bb2946697fcc7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
45d168d97f06ba124da9078172e5dfac

SHA1
d1e4e1d15f577d3b3b77c1d8c511132cd42f90a7

SHA256
484c7f0a5c2938235492933369a6d1ae9d85ae3c1bda782bfedeb16c5d10b473

SHA512
cb1727f802cd2a2611d62b1a4a71cb867d9032c38973960b0fd797f9b9c0d457928399bddcb8e17a22d1d3989b2e31e00fdb2f73af1c3b8efba17990c7b95a3b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d517b96e197918a650ad64d50d5c1657

SHA1
31fbf0bff17127657418fb500fb3a71ea2943262

SHA256
593bd91809bfe3094bdd768147ea6b16bd0fe38d47a951929dd583ceb1c86d51

SHA512
67298c638942898d2ece2b04fb2c17cb9ce2a1585b4d141e60ed223d7a959e470ed15a491f5cc667072059b4a0061bbe77d85191006537998a064d5a0a900279

Download Submit
memory/116-1-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/116-93-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/116-8-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/116-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/116-357-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/376-84-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/376-94-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/376-90-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/444-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/444-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/444-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/508-473-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/508-115-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/508-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1620-32-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1620-415-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1620-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1620-38-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2016-162-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2188-104-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2188-99-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/2188-123-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2600-124-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2812-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2876-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3044-467-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3044-74-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3044-80-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3044-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3208-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3208-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3524-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3524-125-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3868-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3868-466-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3868-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3868-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3892-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3892-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4268-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4372-140-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4372-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4424-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4464-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4512-146-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4764-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4764-475-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4896-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4896-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4896-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4896-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4896-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4948-126-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download