328a06184aed12fa44eea9b606c92a45641dc857a16444bd2df7b8e5d7c755a3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
Size

1.2MB
MD5

d47c5ddec94fb9abc159a83b80c3ca80
SHA1

10e7338955af3acc3559cb4ddfe3eafb0d3efa16
SHA256

328a06184aed12fa44eea9b606c92a45641dc857a16444bd2df7b8e5d7c755a3
SHA512

502dbfa0dc577c398c2b5c3a526e4878700747ca87dad1e2052d71913abefe94e47478d38150554617db3cf5d789e29d1ab2cb571fb127dcf9edd42a536d6415
SSDEEP

12288:NwDUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJz:6DUMj3C/Uvw3B8atQVpZJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4364	alg.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
4336	fxssvc.exe
4860	elevation_service.exe
2744	elevation_service.exe
3460	maintenanceservice.exe
3028	msdtc.exe
1684	OSE.EXE
2284	PerceptionSimulationService.exe
1520	perfhost.exe
4204	locator.exe
2300	SensorDataService.exe
4188	snmptrap.exe
4040	spectrum.exe
3584	ssh-agent.exe
4340	TieringEngineService.exe
2760	AgentService.exe
4456	vds.exe
3188	vssvc.exe
2348	wbengine.exe
4576	WmiApSrv.exe
4900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d9cb04c2e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb6fe4322fa8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b2bf5322fa8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b973f2352fa8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d60fe352fa8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052a888362fa8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b3716362fa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008534e9322fa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c67111362fa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c67111362fa8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d9818362fa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4516	d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
Token: SeAuditPrivilege	4336	fxssvc.exe
Token: SeRestorePrivilege	4340	TieringEngineService.exe
Token: SeManageVolumePrivilege	4340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2760	AgentService.exe
Token: SeBackupPrivilege	3188	vssvc.exe
Token: SeRestorePrivilege	3188	vssvc.exe
Token: SeAuditPrivilege	3188	vssvc.exe
Token: SeBackupPrivilege	2348	wbengine.exe
Token: SeRestorePrivilege	2348	wbengine.exe
Token: SeSecurityPrivilege	2348	wbengine.exe
Token: 33	4900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeDebugPrivilege	1528	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4860	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1444	4900	SearchIndexer.exe	112
PID 4900 wrote to memory of 1444	4900	SearchIndexer.exe	112
PID 4900 wrote to memory of 4624	4900	SearchIndexer.exe	113
PID 4900 wrote to memory of 4624	4900	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d47c5ddec94fb9abc159a83b80c3ca80_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3ef8ad39163c0c476f5c30d3b00b9062

SHA1
51e8d8d950a24599b5f5afc7ca12f7f2b98025b6

SHA256
e240b4abdf01c449f4f87a365eeb19e93e866868f4b2bd6a6c0b1e121878919c

SHA512
2d1891590da710f4eaed5aa81e8ef8325a756871c94c401a16365c5b150071e8fd9bac621b654d7891e288bc2c023ca2da6e71992a33e10b54bf11823442fd42

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e77b7f6a28eda6c09d59aeeeb5bf9248

SHA1
f32c305b8d7d80567c3b201b655750b189f7060f

SHA256
ad1184382ff416f92a60f56f2044e7b82074adb5d07919a61986e2008ed463dd

SHA512
77caa8702c4250ae95852d1445a432f7d849b1407e277b1c9642e70903d5127e26c05d7ec035506a74fe36eeb818150f8aebf70103b1711901ad6a0c12214129

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7cb93a1478d1d8e1eac0769cb7f812c6

SHA1
f41e7d16a5bea57cc5bd7c3bd996dd08b9181bb6

SHA256
a993c07bc485d6076cc730758aaf2d0903fe00eb15b3c6259b9b6a40bd9a525c

SHA512
4cd135c5c5259db33eb03327919953c277a964a9c36b72b70c312f84f9eb412443e375c6c634c5cc62172b8156e544abc9e363d6567e931ab6ed65688bd48822

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c454506f3d35c0816661a29aba46c2f6

SHA1
42244680599bacbb262412e0f102d3f4c2dd236c

SHA256
6afd198d6349776d63446d2582366ef17c574913892dd578ec3c429262e2a630

SHA512
258e59a00c8ba0f5991e4de76adaa6cfc5ce4c4422ae609f0a2c5c1a1e83a62b5153ead6eec649b84c9d19bc14295bbcd72f22c1cb0a381a9f431b9476614647

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ab99705d5c4634fb2f633783cd16bff9

SHA1
d41a69253dd1c5a2150528c96f681313448508b5

SHA256
14678d50809f1ac3d6388fa2773fd278b4cce74878a718d7ac78310a9f7b3d57

SHA512
7fda25622e333ae794813e08ea2b1e26736ee0bb05be95e438a9d10868859d5b604cd996beca205a817644b17d2d02d42c9f3f0ae322db2e9e7d7701f7b6b8af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c337fd914aeabaa79c2eecdafd8f9c8f

SHA1
bab740a6d8985521b871e9bff255a74b3ec34903

SHA256
572c9b0d4d3f9b9c4f3add38eb788962a0f106ccc2a17217b0e4bba23b18b9df

SHA512
648d2f274e00a1eb8c37e8627d4aebbde9cee57be5482ef2b78b3eff8a5ba66aa5a8265046f2e55a7228b850a1017f4d9490c44f4d35f89080d14bfc23fd3d7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
19606cfc438df009f6cbf91b92b078e4

SHA1
f25f7b2f6c7bb1b0b9ebc250cb59a75497b1368e

SHA256
242299c34717f66da6b6166897dc99e252794c7c3f477c4de0d289cfe01b0de6

SHA512
cf6a6d728cb74032da28f84687448ebfce51b9b168ee990b5163b926326488e1143e44e19c1de360ccea5845c6a9a830cc5a140bc38280510e2d83f44e2de00e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8d7135ed730d739a6838de55c927b48f

SHA1
31a323207b1812a193e20d7f31fb51bd30f6ed3b

SHA256
c15fdbd79d6b3367d59a00e868a951266678cadc16ba9c413c28d2e6807b566f

SHA512
b547e585dc45ad96dad232c1393a5b184ff3069ecc14a9b702acf7e817c3fc3472e5244f0030fae8fa17c03c72a9bf8313e0a13ed29e83a1dae5802298d7e158

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d072af657691e602406a6980ae01e224

SHA1
c9f25357a676a024dfc2e51c018d1d3f0b6c9acd

SHA256
809ce2a8ebca184559210ae08fa172542e4a43666558c43990f6817a478aa4fd

SHA512
fe392f0220374377c11190395f8310e5501e4db1d85cddab75a13367a06d95b888076bb3513ef7d6f24d7143f4a94ecbf30cc25a51d42a89b5ad01dcfbf3acd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9a6aa5d7b9edb2c15b1e060b3cff89fc

SHA1
f5c1a5f7b03b326a062f58ef3f29c5752d7b5519

SHA256
853960b870339dce9d256abdd605f4c119ba38bfdf8e1aca8ac2a9d1752bce84

SHA512
ba27aeb688c16b97e1fdc626a55e096e9d4ac8faeb3378a8a8d21cb42e8f30bb7cab3df72293e999510d696a54e3bf159d27248f80276bc10882cb9c46756a4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d06cc257617222b1b24e8f3834cdf31c

SHA1
d7b405ac7d296b42b5aad11fc04bacc3d0ac318d

SHA256
66569b58abfb762ececdfca2bc964c99976abe805890057f08911c87088e1c20

SHA512
7153e77f6b970ba0c61fd1390c8d473e7e991ecbb4bae6088b1645ba8da5a4cd0c592821a961740455910fb134ff877f5a3f8d4953bccffa119d352a66e1c14b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
52f4c3f74c7268116a49b5ca0c678f64

SHA1
d5c9837c8c6a48180c7fb2769f59081d9507a4a2

SHA256
27a27d2e2320d049e999920006c476a9e5f637b5fb63faa215e09091b93288ad

SHA512
d7325db0578c6eeb5782b78ddebd235d5a288ea47c28dec8964ca2151512ce7d22472446c5f02abb0901c08464fcec4ed120f0bdfbbebc7f664d838aab243ca7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1c6da863a7be0e10e2142f82c909562a

SHA1
17a2bc8f658a52abd95ae977b8ce58fb41b9e832

SHA256
42f024c3c3efb8b74d330bc7d0f92e85bc948ece396162f0b2a014c77072dec5

SHA512
73fc4a51f8ac185d111615d529307c871007daae0ce9ad6603ef42dc34976084dc2e0a15182f63e14342fd858526cc8da4470864acbb5aa64867fe9d6c810190

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
875c9de2cb2aa87bd9a005856b0ae136

SHA1
f793141286b3bc98d9a5e73418c3097169291a77

SHA256
c03e43977addb38bfb99e754a8feb5799a6c59db697e80f2368380b7f22f1657

SHA512
4cd219b8ca2d4dc7a5c5eaf63fad047ce9bc6c178b723a1397ee043586c2742966a227b4bb4fd1df9e713e3c4877472343cf04294f3ef200cedb3a19d656a833

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5609121f1fa970a413638c60ae7baf64

SHA1
18a7a5fe7191b916e0f6796a87f65177033110cd

SHA256
c453f1eb2dd56420317c2a0ec9384223f99c656969505d26f1716497e5d2c5cc

SHA512
bc027bf72024de79f799ff64c0a41e5590b4a2a078905669809c7964960cec82703b1f41d87a50f67bcfb032ea7d11420149b31595b8b182d8d05a745bbaba96

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2d239d4d356912ab8134ea9dc2467b66

SHA1
3d47bf05f75eb74a4618e6ae10ab650011ede8a2

SHA256
395ca18d406ea022bb25eec007e8887c199a24dba8bace328150be38e0dbd8de

SHA512
11d2ad4aeefb269fa4dc703d47615c6d953faa0cf6c61784cc85d955015c8a0a7e1e37137a9401c5ffaa933cdf6a6efe5a24c0cbfd3ce34e73da226212cf15d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d0b8557aaf82dee5017e64c4ab0e98a3

SHA1
661ceb81fb59885ac3a9beca25c2deb49ac7059a

SHA256
09b4bccc6fc7ba1c5726109c43cb1f80addb33b7aff65ba50931570571de1c7e

SHA512
a52b152b2bbb4e5f88edb38c59d358c23e2c0d2e180c94e8ea79c350e27214d1b49d9c3fece4decf6dbceccca1fdd1dd0fcdc5dfd619187fc2634d2cf0a61e9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
23cb941fda3b11d3a544c34cc867eedf

SHA1
8ce191d4ebdacd6ae4d2dafb3bc9eda70add51db

SHA256
0bfd29e0875ea35df500eca21d86743668b9a4562f3c34052240d4149b733717

SHA512
2512844d6302691e433e96237dca48a56e8824557af0c2169cd26df5c977399f1344febce5a14dfeaa0200a81fadc40e71ca836866fe9f97a470474c210d738c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
04b372258875cce60f113f261da34bf5

SHA1
fe83b7b7f0bac7ec289e91b97064701a0ba1577b

SHA256
0df68589768487a067f8de901e75a1fc30674395734924bbf99026358c0b0b87

SHA512
aad40e7f7b65a5c2c98c60872033aa8c61e7368174ae3f15aeb4cf2aa19d83e0b2f259edcbd9ea63f107a589c9e57f246d87baedfc38fab905a805a529797dfe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3a377ec16e392b56e1e66fd08cc802f5

SHA1
0f07e68283b549e0816f9caf62e32afb121e98d2

SHA256
2f5859417ec54c9c3c9b86ec1323381d890668a8095442d2b50280647907cb61

SHA512
0b017771f49b494019a5dae1eb0c156e8abf7cf96f7b6fbcc95d9af7bd101741f0973b033319dfb353c11ccb912390caef907cace41207237caf675de9b553ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
cb2cca58b768850269222b8f22d1d366

SHA1
c54758e343e57ab803646d3fce8ced41d6988af0

SHA256
4375e9448e145a3da39db461442163ba016ef6f78050090428fb8c48e079e7c9

SHA512
6c5b9b932a031853a9a74fb4a99b9ee3c6212d8edcd733dc4c2339978a896179b36bb6e6f6a09a5233a32a75e2ee98d623ce0c8bbade192c90693f73c3392bb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7bd10249bd101609cbacd495dbbfde13

SHA1
3926b030345148fe1e3dc1bd7f1986294ee8a5e1

SHA256
bd885cf59f0e821732b734861da34218e23be59eecefb1af41abb101bfe072e2

SHA512
61398eae649aab1d09b6c8850bb64829002cd45149602ed49516a0fda5a1f3699a1b80115eebf81d028bcf8412ccbb0292829facd4bfefe70d54d6530f1d3070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5c1f2aec582f7ca47aa7d9ded71a0d7b

SHA1
7425ce866cd7e2be6b59d7e98b22cc349237c878

SHA256
0b4a300b464bec5c116c96cfc2e075da3c7699e7a645c275c28fe3968e70bb8d

SHA512
a8f34199c99c7327c3cdb5405e3f2ea892641a2cc740c96974bd0b1ad004102cdbddc0913e549e6e36c58cdae9628c689b1638de0e014f21db2a115e7dd094c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2400434d4d6f0da1cf7c7c5aae1db18b

SHA1
60961c2ac03a2a030cc29010756ccb9574af8241

SHA256
d16bbe5971f492872402c7f9360eeaf785b26b9d10ece47904bc3742e7fd64ef

SHA512
01357eb18a1e0234d5a7527ed32fb5ddb277377e1ee2949e44f1695b6cb04673bad01bb4800c6ffafa48c81ac39a008e13e7f6447a945fe471e4027bac17cdfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
85a2427a5fac813c7d1a3f2c16cf7836

SHA1
bf142610084ee86385842af6f8da0dc24b481058

SHA256
c7f0d2929c1658fecbc0edee569b82422c3fe620980dc4bec231831448b99097

SHA512
2c3169fa18495bb04f9c8850c793bad50392f369ae4b58311938f4c2b13b06f500e1623191baaa1f8f2481ed6ec56166ca9c7ccb0752656f135b72a1ad4e680d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a01099cdfe4bba0a2c05bdbc96c0af1b

SHA1
616c815032dedccfd2031c9c661e7be51b12999f

SHA256
bb3ca41604b852cdbf7a33ada27d4a856cb92aba792b8ad6476ed920c9e4bb70

SHA512
a49b4380eafa5ca71fab3f8e3c31915e4adc764e58692151d8977046977a5673453b671a5bd74eb79fa39de4d914258f154e347be139c645a6134db248a05579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c18dbf135d2b5b875c002af0e85611ac

SHA1
8ce1ad9e783a32b85377e1f4bee417bfcca2dd37

SHA256
d1168e696192a192e2a42c90089af27309c1ae38e13e5b177cdd011cdaf2947d

SHA512
5677d9b9dc0488734d0acb265c7e028bf39ed3827e2a654a4d481c8c9cdd010f2a9548970fd2c64c350b0216fa2e52e0214b45ef865ecfb5dce4234a92373788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
d59bd185b7f14fe492a0e3f07e99085e

SHA1
af5c9da562e4e882e07b6754d6e0a00a37362496

SHA256
aa9b165b66d56067d7c846cb5a01787dd2aa2cb95bef9337abab002791bb0fac

SHA512
d152d7b32aafd87a99b927945d1bc404de0154850bf6ff7abf2b137e8801e6c66e3406ac187ff1971a6a9d953ef51a03d6122e4045ce87dd9d00e7d6883adccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
705d424ee753646074dd8ce781d7a2ec

SHA1
a1b2549608c1181e94efaa93e1c06913169f16fa

SHA256
8292ad07350344c6838290fa933c4323f7e43e4e2a818a6468f912ada5d2c02b

SHA512
1d5c5bafdf4f76919fbb476310d2a22318f67f70db584da60c9c999f8960796bd7f15c61f0c12a50d5ffbc47794faa64ce10351a0d876d2cc837e9b02357920d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
dfb12fc3adbc9dfc885972c25156c73b

SHA1
10fcdd6231232f6c7f8193136968c56f1564a7aa

SHA256
573a85f57fcb221c92f31c489dc94fecde5eb8ee6d2eafeda5b9a485ae936dfd

SHA512
6d0c9632ad37de7c0e2eb6d79d11dd05e106c1c175aab60f329062b4d2f27108b878030a53be3c9ddbfe2d046e7a3bfebec2eadf3c26635a84fd790371086982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
662aedd464052674b444cfe0336fe8cc

SHA1
5b5dd7000a0a595afb65c5dcbb9600c81dd6a683

SHA256
00bdc1f605306a688a004ed2e5db2495dc5f5c7fb7eda5e0c3bd6d7fdcc32233

SHA512
5ffaff27c8a48b2f9d2ed3a8adcaed17c71a8b242324197cf41aecb76ffcd6da748a3384f06ba12d01c55a7d34f6dbfe455652e0896323d7832d2a8a0c14bca5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
db6987959d584472dcc9577c117c6e15

SHA1
cb366927ae213657f0f73a4df6a92f0a7877c4a5

SHA256
cfc379dc3d13f70914f32d61d832712228f7d1634b248971e1099a73e4e7c720

SHA512
0c46f015a9b7b00c92e7a3d796338f2d66997796d6896a1c332333073fd6cb99d0ecb3d64be20a45cb40364b7f92bd8d7715209e0bc7b193c75b35d894e61458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7b963b2f9bcccea6290dd00d888cf2a6

SHA1
0ccdda81b413685549b38b0c7ceb2a298745b0e4

SHA256
5ed7146f6703729be7a97198013530bc275db15616b16b68eb9414babf17f240

SHA512
5aa0d4873b450b5a7f8530b75863c19405282ef407b24abb58aa76af1b6d7e1b77ef96df5189a9ef1e8d28f0504a0da7c0114b19604bc65d29a2d59e9a3ebe78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6bd65c2ed896f8d34fc096b8d0665b84

SHA1
726815073084aefb7428b6cedfda9e8e0e69d053

SHA256
bb52cb7f847b1ab30fee05450377fe01e5c2fc06d91f940347168b92e199aa9d

SHA512
1dbb7da11a6ae6a3bf1227f3f7e8f06b9467f2d17b86fd172d0650a4d08b37249fb51a7740fb90a60964de84c7ed1a31e6c64b112849312c3146fc9eb23e8f6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
2f0cb3138ef2e44ef87765e6560a3c34

SHA1
f841ddec61798834c2489c6246c6677730b502d8

SHA256
04c741f5269769fa5167d6e0e5580b9ba877a352df6948c3403e08499602f48d

SHA512
07f9119fa51ddc326d619c20f122cb8097cc2638c41fbaf982f90079c29ce70762910979c2f41b5dde2adbf5669acfca0c37dcb60a379e1d7333d8109e5081c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4e14a8f9e60ed49081bd8739849841f1

SHA1
199c792edf077eda94cbb61b871a9aee7a36d728

SHA256
e80c4a372f41405033a0677afb9fe78626403678556b345d667f44e6f6c07b29

SHA512
b5d609eab6c9c13b8b1481f7b1cf8cccc993cd1d4afd436ef9451500c4ffbef056f1671f46c21830bec50cbab6e4cb0a97a508360c19945c69e512df32e3757a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
48e629260fdae577e4222558a7cb75fd

SHA1
331a3fd6993804850aaada6521ae064a1b6790ad

SHA256
197b21dd020615f1ee20e6eac02245d7c7c82d317b8d5e9da88ad63f09759225

SHA512
7c675a3bc0826383615ef0dde3592cd0891f904d9b956bb44d7788a0fe88ad50ea506d7eab667def8fff44bc53b0f21342ac9bac91fbad554567669f520393dd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0a6e9832c96eafae90c1b450c1987bc1

SHA1
902e1f682ed0c608dfa5755405f748c3cddb14de

SHA256
83a32af1762340bae562314f203f8456503d75af638727613581315a9018be33

SHA512
4ed3e070bf0d2a68b1abab39a71ee3fcd255fd4c66c153a7878ef357d4797f6f28b79fa8798eef39d7d1fbf1262e9b1bb0bb07041b39835098e1603c7295da54

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a793559da3e5af664ed151473b291de2

SHA1
637c1f541336b661ae061ffd74b5e0e7c2878bf9

SHA256
55accc1cf4801493c07c3209cd990b49c76a97621262dbf6b7c064d1282cc8aa

SHA512
da01adbc9565f5f6efce006f8d31decb70002ebc994c71a9c9982d3bbab14326bb17b2bc8fbd260f45a502abc65f61d30fd77974d60084672dacbe6fc3662568

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e47611c2dc2cb7b819e900928a42cbc5

SHA1
59236d3012756b67691f857cf4c36565c71a79f4

SHA256
ef20478221847a32fdb75ffd5425bb71daf06221606855a4ac919b3da4652bf2

SHA512
4122d54cf54021aecdc46e19293d0987251449964ef28887604a97d63cfda9ce48d32694d22b9b3b5c593e39c731bd5ba5ea59cf5ae908e96ded5a67809815ab

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bac5324583e41c0280eec2b7f3b7781b

SHA1
b81fbbaf8682d06ed4abbed08b809bdb82ef907a

SHA256
4523b0783d7cedc4faf62a5e540493d11aa6c280c56276ad2c04bdb3f34bc838

SHA512
93330ebf10fd9a62ec5bb832694bc2ae5b8ec20f32e7ea4c101bdbe7b6ae230e96db93288371056e35229b1229aa6431abf3f229edb2e5043bd30733120bed90

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e77f01534b46cdc43769470a099e92d4

SHA1
7b06e5854775e72a6007da0de3bc110c588b7d19

SHA256
eda7919e5875b956b64a0831913a66426904538a0181b80ee865f74da5d6202e

SHA512
09c3b475610ebe203ce862df58a23bc4d307e2b92438127068a470f74ffaa8df5c2381dead79dc2c896ddfca96c28986e46d31be358b4495dc33c8f4d42549bf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4c5c058fda1fc15288d17bedf1e54e3a

SHA1
382767a4e7d549efa4f5d2246ff7eb133c4ea4fc

SHA256
da68ab7a304d025e61364060173836b510df323826efcb800014f32518622a3a

SHA512
04f795f9ffd6daf3b05dcdc47223671387da621a39c37d85bfb1411edabef79e3c762c11756eb8b3453eb9a9a76c90f69b73f94d6c16129da27c939389aeb2b9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8f1139f5af24a2d291f5da801adf8a7e

SHA1
0e9fea54cd675f257dc9b593670904a3e5210e03

SHA256
eaca7f6edd0bad0d7283511a8942b58fe6a8bb8eeb76fd9bb6eb6ac3abbe746e

SHA512
c19c159f059fd05eda2b23c4efb7cec467f5b1ae6e2219767ec53611ffed98725a7563bfdc68ae2edd50b26ad3cb93724bc18da3504a8634d1deae9129e2f88a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4da658dcee3fa8c1af624ac54f115e5d

SHA1
4f39fe30750f023dea442b10a62d04e0ba72bc87

SHA256
4c5183828e559e98ce85ece368cf010026097e316eef83f41f74c3d6b26d6eda

SHA512
d2e6452dcba16876dc660fd7c51f756d1dc023a25c483eb0ab9c93bcb7e666226bd8af34cf2f20c49045568e47e6e2788988b262fd0c50d8d08744e5e618e67d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0fdc08d308a3ad92e683d93f49e43606

SHA1
289a0d999945515efada8a17f0a6273ac1771ffa

SHA256
5cbb25dceeb49719086a905b691e167ef8367559aeb5107e2ca20ef34e7176f5

SHA512
0455aa5b4a8c1379251a401ca48b16ae9d1d82c16f2e06a85ed9c777672648f5cee5dee549f82de7421e1544b59597ad7c35336bda4099cf1b544f9c0b7f6f72

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7551d2362ddad54775f0175e31fcc4c5

SHA1
43f2094a93f8068ae34d0f8caf8fb7c540e2051b

SHA256
69ae1e848d18ccb131301917eee0b44efcd4deca0713873df6bfa5e7ea02237f

SHA512
84cc11ec4e18c1957de0e30b29220a17d1fc23890fdb11545e2d2931b8d82d2135c1779f9705e5ef0dc3e7d1a5e769cb1f3f691a66aaf5377a8b91b44014e2e6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0677aa0378fa6f276ee7c032c6c7f5ef

SHA1
996ab257dcc7079ef4c7440784abffb66431cfad

SHA256
7779296b6fa9ddca80a2a5d2a1336a5524046522c44b6863e5ae69f03b5ce103

SHA512
07b45a3a9cc1633029d9e628475015841bbf7787689434c9645fcb39dbc8c29e490184e6653960f46a4543b94816ee42b293947a4029587771dd42c969549fe5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
afdd5b1579c79af8ec727d2d37f05992

SHA1
a863346cd46027ab82c92d8884bb0223b02dd9d3

SHA256
fb6ad57c4bef6c75749959a412dc64853723d5b7789f227228feac5039474d07

SHA512
b8a2303cf45ad872c9ae4d81d550d84d2a641d67a551d994e337a095ab6cd809c327ea5c152ede65b2e9247591f57a0981d9901f364a151706f50f8c20b64037

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
40dd5b0fe70d053b2a10cc82b3274695

SHA1
6118fc624d521c646cb2b35f6a757b9101c94c86

SHA256
245b05ea2469cf4eea45ef2d79a622f51be6cdf945f4bd2943b82c3d8de76669

SHA512
c95342b189a4004b717fd070334ae6bd135d3e9a10ee545ed803d4daa892f4dd46c72a04bbf54c096b5d08b30ec543793bf772a37f8647721c329b79016108e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e18fab231888cb6040840c3263326fc7

SHA1
28413c06031060c1d9473cad1d9bf050aa77cb50

SHA256
cc04a39b94827fb2197e98e4c5c5bf125fbe4880b9567897ecad6b351177cfec

SHA512
48931585c9e53de0e35b43610432e9e436bfd9d084e3c952b8db8e25d1936f882c507cce338ee8c5cc1477f4289de63368d8dedec6d8f2800ada33f4257f0383

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ffad169a876d18a3e9b86945fb062e63

SHA1
bce002d2937f594bd7e0d524148802c000646b73

SHA256
98d1e0402afb85095553e5b1a025147e72d55d95b08b7ef95e2e70c341a5619b

SHA512
9ebb6b93e93f595e2ab9ccde3622809db8653a18020e5be22ec0611e6aafb484c9aa9dca7c6bf2ed7791552954df9f58148a1ea26fedde64a2e2220eda3c4ea3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6596056ef1c8a09b4977bd1ec9cd9cd5

SHA1
bc089346a6514acfc2cd9939d6dac86179b78b02

SHA256
3646d96d99e59e04b0352594190816ddf49a63825e3242d3581e8ab490be2527

SHA512
e52206aa340d58771494a06068301c049a0ecaacbd8d1a0d0bb29bad657c5c38efd770f7809bef89fa738e5d370f882e5d4075385c2d07764e34d76ace480f55

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d27f70ad40042c731302c6764e73989c

SHA1
0104aeb7f25994fa53fb0cba9e3ea77f50c5ef86

SHA256
1d18d47fcaf49ea0d364dc64f046d4d49c662b88baa16bf6648ac0453a408dc9

SHA512
e112fb3488607f865a977c0607964c1585cdf740b41fa6f7c708ca20d8c1340c82c5f7474f7be4960395c0f84155b0b2d5a21f5aa09cdbe0621ee5a9d7574a3d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3fb22345a0e5b54c78c48e4b6609ea5f

SHA1
0d1d98ce395efbb40680d7a9684075caab7eadd8

SHA256
cbf90ca5b4f3d2c978521ba36c472fa60b6f9c0c2989191a11d5d1a3b3ec253b

SHA512
da33c191808686007ab130fae603f79ad806a02af928df1de1122ebfd980a71d8b5ee8bf26f57ca1f0f76a813230b23229e4725d4b1a6a546316948567179b01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
814b836d5a1be1e5b27cb7cc14ca8b33

SHA1
587d566fa64a5a5f3e101a878082e0a52be1dc45

SHA256
1b0c37473bab86f0e242d3fced168e21afeaa38bff319587db282c3546b0a0a8

SHA512
912a6e16514c54dc96987a02783e72b2bf060eb23a68549e93221b4a8a2c9ce975e9c2b2d477d5f9a96e76825c8c8573e40fe98d2c289ffd349e8cf982babc07

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
78dd095108f26d129a38c4ee9d037698

SHA1
e1de61aa734613019bc35b57234397f320967531

SHA256
4aa48c575ebc61a8893dca8a6491bcd232917137677208422f72835058ee151c

SHA512
c5bc85c3e0e965ef59a79783d9a64c6496a0cc879daf290f670d4ea06f3f8551b5e6724513d18a25d05d76955974c6329bf62cb6bf55a893509d9666baaaf6eb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
49bf84d8c64cdca8b564ad79aabfb221

SHA1
3e244f54432e99a3b95353ff11fe74869cc310db

SHA256
94b7f857fd9f00800c708c70b79145f3866b283439616c112cc889f3dfcfd0e9

SHA512
2048c91e098c6bec928ead255bf6fb33a3d58d8e483d00e1d51c178cefbf3aad788d32fb8654c2ba118d4953fcbb8d2056f3564d5d054c75ca99bdf692df9a6f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
ab5cefd6b0df949f2c5c2eee88a7a877

SHA1
9d7f459c4f4bd31dbecef460e360f9dfa70f9ca6

SHA256
53f1fe46c4b879ff4150efe280ded87c207865765da1c8c3e7f992f16940f11e

SHA512
f86699196334ee3a0faddac79d083f609831e18461e51e8f41b4320bde29c190092e12db16932f538f1b2d0ad450308380dd86ea913b9befbea437b1a4cbce6d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5c36d50434d739bf46717147112b6f29

SHA1
35bb79b447f29f821a5e67b1d216fda0c9f3c0ea

SHA256
cca42073a01ab84c4713b5b81ff2d5e8b88a5ed5345065924e0717981f5c9735

SHA512
30e7c9ffc33d07632a30532bb070ba93a1200e33442d4e5a584e994566e3ef5e67df249ed960fead49a400d196fa1919b6ff935523456b92d3afd7f22d87e18a

Download Submit
memory/1520-98-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/1520-109-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1520-103-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/1528-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1528-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1528-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1528-23-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1684-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1684-160-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1684-82-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1684-79-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2284-91-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2284-85-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2284-107-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2300-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-408-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-546-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2348-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2744-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2744-148-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2744-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2760-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2760-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3028-156-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3188-545-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3460-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3460-67-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3460-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3460-62-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3460-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3584-141-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3584-540-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4040-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4040-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4188-407-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4188-119-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4204-110-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4204-164-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4336-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4336-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4340-145-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4340-541-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4364-11-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4364-112-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4456-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4456-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4516-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4516-293-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/4516-81-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/4516-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4516-0-0x0000000010000000-0x0000000010140000-memory.dmp

Filesize
1.2MB

Download
memory/4576-165-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4576-547-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4860-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4860-144-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-32-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4900-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4900-548-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download