4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
Size

1.5MB
MD5

b3dafc814584f7e1b0a657ca07d56910
SHA1

d0118bf744926400351fb50a528941cc9edc5950
SHA256

4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540
SHA512

262dd0745a54e05dec7b90b529e03dc55dfc4756d61a6083ffc3264e678383c8563c439b0f2b989fb12cee0f49f65ad6537b42095f8b7379b2ffcca3e3b4c56a
SSDEEP

12288:3Az2DWUM53Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:Qz2DWr5Hofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3080	alg.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
3168	fxssvc.exe
3464	elevation_service.exe
908	elevation_service.exe
3920	maintenanceservice.exe
4640	msdtc.exe
1584	OSE.EXE
1444	PerceptionSimulationService.exe
2308	perfhost.exe
2240	locator.exe
3948	SensorDataService.exe
4564	snmptrap.exe
244	spectrum.exe
1220	ssh-agent.exe
1668	TieringEngineService.exe
1336	AgentService.exe
4784	vds.exe
4128	vssvc.exe
3560	wbengine.exe
2448	WmiApSrv.exe
2276	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e9eafe6c3136770.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033e482f77dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2e952fa7dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6bcc7fa7dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a5b5af77dabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000304685f77dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006393fefa7dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000374766f77dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7e644f77dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c31c08fb7dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe
1828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2296	4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
Token: SeAuditPrivilege	3168	fxssvc.exe
Token: SeRestorePrivilege	1668	TieringEngineService.exe
Token: SeManageVolumePrivilege	1668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1336	AgentService.exe
Token: SeBackupPrivilege	4128	vssvc.exe
Token: SeRestorePrivilege	4128	vssvc.exe
Token: SeAuditPrivilege	4128	vssvc.exe
Token: SeBackupPrivilege	3560	wbengine.exe
Token: SeRestorePrivilege	3560	wbengine.exe
Token: SeSecurityPrivilege	3560	wbengine.exe
Token: 33	2276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeDebugPrivilege	3080	alg.exe
Token: SeDebugPrivilege	3080	alg.exe
Token: SeDebugPrivilege	3080	alg.exe
Token: SeDebugPrivilege	1828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1184	2276	SearchIndexer.exe	112
PID 2276 wrote to memory of 1184	2276	SearchIndexer.exe	112
PID 2276 wrote to memory of 748	2276	SearchIndexer.exe	115
PID 2276 wrote to memory of 748	2276	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f43104049b0d504876cab7a1a6249daf7ba6b7267d072c1d8065c9fda23e540_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:244

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
71ba1bd9e33235290641d2591a4a432e

SHA1
8d0d767056023b9acd0ece88aba4a77cf7ad42a8

SHA256
f009fc0368e2baf49b5fa305ddddfb8d6dcd5f73704b784cc89e46d6ce897aa3

SHA512
4e10519960b245ea630fed1380f881f76f2fa8adb0ed28cf5354fe368acafc0f88731991264cbb1cd5622c1bb03c471dfccdc39bbefaeb4e0ed185062d2d0330

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
56f3091f1410246cff88684301ae0a8c

SHA1
cea102d2c8076604252e8d201b44693fec0ca29f

SHA256
134f3104beed345c6fa003c74557233265c0a6f6017ea96a1a5dfc2ddbc3c5ab

SHA512
ddc110bc7fa690e9e8521d8dcc50c8ffa000c08b974a555235e4a75fd5b3f4bf07f91d8c3777be2ebad270ee6c8d7d989aca6f987a8fcf595eb35cfec0b13060

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
97a003af8da0e22606624810cae1edee

SHA1
338818506b6ad2ca93dbb7e9dde9a5653543abd5

SHA256
46e361075cec8213cb2e9ceb62aa66d3f976252e3f7c6f75ab6ff47c1e9ca336

SHA512
ef0031ea68518fcc51438951dbf29f6731d0d3e54ba8e65c655cef8d08c39181a33b79238f01cc813f819c892c63b33304b91b39ea69f2bd1a180bd113aa3492

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
db7ef978bdc4da36fb42d4cfe30bd4d8

SHA1
c07a66569b14a22161cbf94380f2ca28b32197bb

SHA256
2c8f24122a22521c5e4ce4fdff328882a1fe54eff6d78aea17b07f33ee3dc124

SHA512
3d87940b91173035692d3434dc615c4de10aebb731c60542d0fd5ad63e0f066e9438105ebfdaf728156d04f6905f79168ac630714664efae5a6ead4c7255a624

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d6f276dcab1263a7550206c443cf0af4

SHA1
7a10aedc2120e5f2c3cee5723f1817335d510257

SHA256
25bc29d9dac6ecc603c73bf84d58b9e1395193abd0da607086c01aeb9f09aa21

SHA512
eec9bed64dff0a651b407860e0b23f43225ee7ae127d4db0a2470ceeeb3d25bb4c5e8869341a5b30e3530db7b994665040b0bc410b3d9bb81378333006817c08

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7eb2b6c4d08605dd435e504575241bbe

SHA1
f1113c419b4dea9f138ea2d7f89ef0bb12e470f5

SHA256
9eb60d392c63e701c66a051014f2f1d283c52df7d238872bfffb0c8f90b78b6b

SHA512
815e3912ca4b62be78faa11d512c1ffff2d70ec1834661b5bb80949e4102d9098ba45111f9c90944c3bc31c2422bfafe2067bf9c0d0e4bed99069ffa0bb72700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ce40b676d28612b0cfef0ca0d4b3a039

SHA1
87d38dcd03ce01103f378e4d80d1d07d80ad9ebf

SHA256
920df533d2fe917124a1e18538a7c38d526ca7954ea2296273cd06cb3c58cbf0

SHA512
da619b42a57dbd8e377f1259dccd62ea628c7e278e4b3b52d0fe6debeb6037ed7b4b8a7fc135248cfefdf4fe40715d1fbdb26108d1fd34b7509969f7278c657b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
68fcd78c36e1c9ba7996bea2e9bf86fb

SHA1
cf8bd62b3e3bdde698f839ac8542c94fa473563d

SHA256
9c6f29bc3964aa124d0a712b1b310936c58314728988d68e07899eb87908585e

SHA512
29db54d0009191663a47bf7167a32cb544f17a002646f084ba68b24fbd069cc9ead5af7cf9c0ed17117087b228942c1c84214c819d6a7bac2f4dbcde12f6a11c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
0a1f4dbd4b5aebbf933680ea4bff9d08

SHA1
a30f3b155f8bcf874d6b19ff3bfaf33e69d24dee

SHA256
90cc802786e6398004a6bdde5cc6cb28cb62f0664163ea7b5df23eee66ed0426

SHA512
378249e29ed23bd6379f026313825c05531e90d855144ccde8a45abd0d2a20050a7d7a035e4b53ba64408033d5ea4a8d9db16820efe98ea04e6a525838fad90b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2671aa74e2563a31d58938d8608ad024

SHA1
172986683be25d473f254579a92341199b1fdbee

SHA256
2a3c13c85660034408b37953fddda530b5dfdfa0d8b1579d31cf081c627e770c

SHA512
6252fc50e6085fc2f401a7c20c0dcdb65df88d110b38e73edb7f08ea5bc9f419cd0b7970e3c2b1f052c7a34040fdac3154017f8ed7c169fae074e530dcc540b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5941c0b443a4b8a0aea8ef0727ca9bd5

SHA1
b9eafd919db0ca84393e05d15d415c395b92b462

SHA256
73c49dccc2af4b0c69518d73bb0096fa275e9b8488ce39d1f4aeb48fab8aaaec

SHA512
83b599f120e0996a6de8a5e5c9ccae29e7636fd13a9bee1153f513b53f623c904657c3046d8b93528a05488a9ac0bac877968b60357a81d69026fb7bd82a5825

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6e1755b0d979cddcf8cfa3c924a5899a

SHA1
392290955eed66474f32c7f2400b265c349018af

SHA256
0f2c2951da15d78afbd5f4b69ad421d0b8c369f8aa3215c9206f1867821bea9a

SHA512
f192a6df839f97527b1989ceb6a7e70928929b1bc5af46ad4b448968cf36f9d2048a4328d63461fb5464fc044ba23814ccdad245faf53b2aacf41f9b1d13b80a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8d1802f639c2be6aa361cb604abe9947

SHA1
40e7b91c009050a0bfdb6643248b0f6f60b5702a

SHA256
65fe241087d2f4a2f5d050d0fb582d8d00ad257d0f390dacff6694431d7c2885

SHA512
26cc3c22b4fe3895371e124d39b03dd0b2c643a834b19a154e2d383051e2851619b1c4f3b610f59bf672c8e8ae7d2f4bc508423c6192682bdfa58c8c9e963c49

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d2b8c317ac541dcfe78e1bbfb178d2ac

SHA1
d4374d08beebe052da9abe54f2479e94015d41c0

SHA256
637f4474132fd425f23c0621fd5cb34efe57f319aed7db25fbae7cd99d663d51

SHA512
b13a4ebf0758b5f46ce33f48e9f37ae30fde66d06a9ec64ae1d49438e664a3416422c8b883115863b7370cdfc0ccb1a5bf056f357fab364592c9f9a16398cd74

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f53ecc1d8181439273e72cce0973661c

SHA1
6943e6317f48a598c2cf3706861de3ba9d7768c7

SHA256
e31090fe9b170c77c03e32d0d79f1e2ccadc815a6eaaf7b8dcf7a1049df43789

SHA512
355a0ef621a76b04b04f124b5acc929f2558bedb9c195df3633aa392ec2f04aea209b6610e8c989ec40581322431da34c0132e12836f1ae73f841e575e145804

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fbc0f2d47edf3d583359ba69c0fdc70a

SHA1
b58037103c336ad746664399b4f70bbff259bbc1

SHA256
f484d093fa1386cde1defe7eaac2f7b51c4ffea2ede56b789246431384a84918

SHA512
a05837b2a44a7d5fa9016014076e92ca455e584d86647affd9718a4925494f655bd6d31f6e03946403fec369bf92fd5847a0951a800e2d38d05f4398dfbc79fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
25b00f86e8f26e6c633467a85ada5001

SHA1
9340bb01a8164ac6dd2db46c06d491453a46d9f2

SHA256
2d5a21f0c703c863c6df92963517232e5953987667baf13a71442f0bee227248

SHA512
43e5e944c2099bd7ac0e0c1effb0537897554fe92a5c5b85d2fd4028e26eccced349aadc675ad9cdbb73bd3e167d627ae86bd1d7cbd9aeea84dac23142955d0f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5f72d741017797e842d15d9ae82bbc59

SHA1
3918fe4977e4aabe8c558f006791ca371a5f558d

SHA256
ee6865b4bad82e3510dfe6e45ec6378667e37147826769b58ee522b239d4a70e

SHA512
4dc206fd38a4fe425b67450724f48a3a1c948357731d376c3e0847c6e88ee0c68597a2e89d76946f5bf92641b6eb862ac45e57a70e5cd8cce56769be30d8a487

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b1b403c69c4919089c51a2e96a4dede9

SHA1
63d228f172a5e3a482fce2018800fec0d04e1eec

SHA256
8c6dcf17b44c2b5bb1e249bb078fbb0ba8d6111d4104b70ad7f25abfe3a4b8ff

SHA512
c5d1ef870778ee8943eb5a1461289838bfad03c873af78c2d84eab5a150e63b7e4ad57b1c1feb88b3c652487da31cdaf8ac977096ee466944114c0d3e9b71ec0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0d590aac14b78840920a8ff76ddbf8b1

SHA1
e8e9d7fa60fee503a773a33ca642cd27a5c3dc3b

SHA256
3728b5dff1fd2c0398b7acfe99a38c57f794a7e1fb0009d379545dc788c10059

SHA512
d3df827be323204c0ef61b1b309fadc287a7392b402ef2d56278aa61e6e2401a1b40d3ef18404e68b801b28954be94d3b1c61109e03365644a4c09e1deda4984

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f0347f01d9a15eca5dcdc0a5bfb0278c

SHA1
b4f7699efbaf8e99c4cfbda3f0cb0b46ea027dcf

SHA256
839bd5238b63bcbcceb94cda331b2988e84d71c3e44781e43d72d1b50aa39a7f

SHA512
9f267fe9478011f1496ee4c97d65885c64723a6dc6be9f4eb166cbf6c007c21d38d1080d38607aeb175e2ab858d6bb21b53d9a905932a736ba2076ff30830899

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c3e4a536b2356a3324c7a10179006a9f

SHA1
69f5bd845b07f8d20bf1345e43706b80c9e0c0f8

SHA256
29afda8cb10a336b76cbcd8dd1931828699bd921fd914b64f1112232168974c6

SHA512
e233dc0fdace748dc19cbaf2d82ef2fc1249d0c82ec6d8ec67e6d5b709782f366b573cd44ff72aac90d5724188a6410811dd52fa1547219e0aea27f54b1d4f3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
4aa6ec805d636a7ece95d0f1433332b4

SHA1
a2e06375cb3aeb040d4cc5c42def841cad39bda6

SHA256
fc48801abaa61fd061bc880940d7c36594cbba714f77a302634c955e9089e9ad

SHA512
a76046baa7053e1f0ee9a7832dd04a752067660ca84e55121ed77a4f6980af2ad781100dafc6ed5b786474eaaf685d5047fa50bf2f3c91f05db10cd2158122e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a563414f9432f1f76a42c7773f7f287e

SHA1
0e2e137e306d17231cd162e7e89fee4929c8895e

SHA256
970acac74b013ed1ea043ec6c2e7a6bd6691c2e9ec558efd8ea2aeb77422c439

SHA512
08d0b1a77cece69de1079565b1f4a45bfc05dadbe567daa4ceb82a297e03f4a86de4d732070db3009054040ad465e74038a93d7302132c64a087843d479d39d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c3a9c2b9699926f748d053af53bc8442

SHA1
b9adc11f86065034be9cc6341080234064359ff0

SHA256
21a0a6ffa2d887028bd1885b48d2d1abec55fb28fca895581598afa7c54df3bd

SHA512
36a5209447042ea2d7cbb1058b902f817cc9d573829fec7507469c16a44749fc90ca3bcf89019f0651c89471d7904b117b59a97208afbb8b4821eeb2edd36669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1a30d3fd43b38254eb1169ad9982c6ae

SHA1
1773bbbea9d3f72ca8f90309ea480de1ea6332d3

SHA256
b5b48fb80d85ace5cb8985f5cacbb7e0cfae2db7f9055cef04489643b58c5f46

SHA512
8060b35892d07510180556ef3d8387b1655454a680c71a5d19f4255b279d977e9ee8005cba64d891b450fc9a42a2a4966aba55e3e0d082248a200cbe11c7f03b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
fc9f8c05b3afa7b00a9df7ff1cfd0b54

SHA1
c8588f5f4366fa0d85ee03a98b446bdc71ea95c7

SHA256
ff752e8a150c6d8204fcf638dc6ca93a47be467c069d5600b86394d891f65113

SHA512
6d04d03df61f88b8e49c86ff71c567ea170c2c482547191ea861a2d20bae965b7131e522b749c010665a2f5e58309e913f2c6afe1fb1c0e4e61c5b192f3a7450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
22babab6b7a749ae431f1fb105a78a33

SHA1
23ac4a252ea568ee5dd46921ff0f887305e5fcc1

SHA256
834dcb918e0b50d7d8b2e68379be0765dbd43847a2df46cc59a49302dad2e5fa

SHA512
d142fc38ccb194f6fb4ce5dce70b7d3d24dd585296723b832371a47a99238f674b8ae1dbbd38801f55559c5bdf406995ff3594ca072ac50604ba1a8f8de88b19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
e6ef8fe3c7116c1555a737725533e1fe

SHA1
03e6a947890f345b45e5a0ebaa667c9b2dff18f6

SHA256
4c282d6841969e8ec314d44fda592cdc521d3b3443042537b0611f3a5ed5bfb0

SHA512
4ba7d039164d10a782a25870d90340462d57e79bfa9b1dd2368950f42b49864fd547c4bcda12006306f4d269c1acd713658a86f906348a72f9c8c2800be6e56e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
093f9a263c635efb4333432199c0ced3

SHA1
14d4010ec4e660e0945f6061ee76153884a64fb7

SHA256
568269caf5847e72769a7f096a006370735327c50401efebbf0ae57f3621752c

SHA512
ecf56c4cc8e54b201616fe690fb25bd3cbeb1bf4c9b2ca13d178fcc8a1047528aac71c35f79ca41d26c0b442e9da993da58a9fc197d27eff8d7ec34ada319852

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d722a23fcbcadc5554a33e58a7e2f462

SHA1
58b721c576b52f7cae0e501ed0d0259fae2e75c7

SHA256
10e79df95c07b469ec7cd27ba40db38ea240f39933067242d67023b8c46beab3

SHA512
420ea6a6401c1152aee843a65c22d839fc571269ec3fa2d9c8d7aa9a0e148b1fea5d0de45d83d5e7b55febdef43a6b29d4227db9933323ba26aaaf0d9d64453a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
dcbda3fd935b8ff564a94b97cf8214ff

SHA1
22e10a1ca1c07b4e84abdaeb2c0b3189c8e64346

SHA256
96341b99f98db577757937c4e0d52d350cc9d912c2a623301fb26f9140c69f4f

SHA512
e96b546d31f17ac10441af05c2de3651f930a06c4879ffbaa20e39641562d7544d2fd377f320f09f03f8b37948bb6ca9bf2ee4ab4d6cc6aaa2931455902d8def

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
9e90ed6b5d726bc9efdf8954eddd39f2

SHA1
f6573b839b41a159fea178dcad585c06ad0f7d85

SHA256
49c23cec01ac6abd6e68392b9eb2d9daf145448c691828ea1f1e6b27de78d8ac

SHA512
a207f79a18ddbd9b7bb8dc854df0edb5e529ac204ba40c53ae0c7370e4409c72c0f3a039d5b3f80445471eca10de105bece67be5b6cd91bf0638310f0c804fe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
ec1b74a8084c4b6cd4a3dce57f23ecd1

SHA1
9ae4fcfa3256afad2eb0d437c6ec67f12bf2987f

SHA256
b52fa264e42f38e92ba306fcf0579af956b9ecf68854f7dd63996c4cc6e3d7a1

SHA512
63d83e93ab7045673b93e13d48f9a9be1e2eade7ec369a260f20e02e50e121a8059ad0d5f19f7461d76bc4bbf6d0f4e2166bf0a3ee9ba0fb91280f6e52bbf407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
06511b32349a73defbfe10be508ca469

SHA1
436099a2ab983a1d7475285b63ae81fd88cd862b

SHA256
15a32c439e5a0996603d6121fbabbe690426ec3749a8ddf56aaa3d288e331531

SHA512
ea055d61d63b521749b818b4569f601528eacf0f73de8d6195a0188a88c1be818fecbfaf78210406411b34fcd5fd55385d8f56152efabe67bcb33e22c635bfb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
93e078763229f46629777295b249c641

SHA1
4d3ea7562aebaff98fb59ac1c8eec8363c89f5f0

SHA256
6fc3875f5a8d722444df8b884bf34f2fd09aef69b7d3a7cb92bed144e659d0cb

SHA512
b204f8aaa730ea83feb9be9519512ff4cf66d08da0fce834aa04e05ed942217bf0302f6e4a6e017304e5dca310cacc081ada52005176fe545bef308c53645061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
c54d058a884ccec237bbce106da6fcc4

SHA1
49575a1394d3f15689dce767163e676a24b35ae9

SHA256
914e6233959cdfb64c373fab77c58ad1e6d16f0d704d1caee3eb30245d3540ba

SHA512
35c6d1c56365d98af2719a0ac02e82f74563f683fbbad3a00cdae957dd0db6d25b53bac81c9262687d15d24b94f0a44e211ab1e582f71f032099301658d3cc4b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c0324ca5309cfb7278cf7ea80a8864aa

SHA1
350de1fa265dd0c28b35a6697053eff39b0e4c3d

SHA256
59d2495bc0ada07fbce4110f9013c8396124b32cc84b79bcba18a8c81ad3b8a3

SHA512
7274bfb7f62be664a6b5ab248cb5befb0756e06ba5281a757fa7464e888073cdd0c703f6650d9f77b983ad390a40550324db5f2b69a106c29e9929859be96be6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
55828ecb9412c5f6cccec6c5535a46c9

SHA1
fe97ee81dcb42d4151ec5222ad70815c6a0a9302

SHA256
1300500ec6f33c1ef9edc81143289fede5f7eff0f83a260c6ae95aace5c0d733

SHA512
f8926f32617bc7bfc5af255f6ef716cc6ea30da8ed75bc0399283a6b24eb1a1c8bb1b60631467afe0071166e137b2bf15eb50d6a6323a5b8e2f652c9927168a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
8255d145e8d140aac78817d0cb46b59f

SHA1
d4e829cd06fd4f5cb622524285210dc16b3687c5

SHA256
01d5b3a6bd785c7b0a0aebf3415d27b27c8fbf62fc8daac6261ee091f69f9340

SHA512
7165ae1020435fe30c16169fe2070cc89c5c2244653e497edb59cca37e3efecb75f41b00be0d135edb4ce5be9f85b91eb5314e37c656549ca630e70f075fecc4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5b164e0b75565ef007fac6d42c25e5bb

SHA1
54b7b8798f86ff923d025db714aba3617bd0d808

SHA256
efb2ff6a5630184384c5351f0d6d9f680543e14626afe421b326188ccba967bc

SHA512
3961116b4adbb68f81d0d0bda75900428a15e9d31ea96d28f47fb823ab40a5020ce2e7e6d1e4234a575d8ce7702855164a0a84d5b669107753faf3e4dd89bd84

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ec2687b95bfcbce3ace0eaf44a92b68b

SHA1
e8fe2870a94399c32333e11f6926ece583beb3fc

SHA256
6b3e584476c348e2515d8eee1b6ac6d3ad9d4a83167fe5cdca897898a06a6e90

SHA512
271535fc55923c5d0977b7d7cd347413c869e3c6560aa79cc30666575889a4157d91cb434ebc14a0e4b896cda31d2e3698e9b757558f8edd93237e530e01ad4a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
78037bc1242e109b98b4abe5801d80b7

SHA1
06eee4c8884fb17f6d1632c6ae75d16709bc1243

SHA256
815116dfd330a56cb130f546ed1fb3b69b6bd3c1af42fba011ede233cda59618

SHA512
e65f09dfd9dc3e8a1a119106ce97b68340fe563065f811dca7bc52150dbd1a516e37db3135629383536a2eac237bea19ad045825dfcc364e3bb622ded584e60a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
49bbb9b825692e78368545dc5fa15e20

SHA1
44490eedbdcfefac54b4e262bed7425c32a2c298

SHA256
84f060a97283f7679ee958a199fbd4f2c65d08ab8cc6b706382cd3e55b95829b

SHA512
db70ada2056ced88e0edd4f9155a2cd095b9014ab1a6d8dc5c56b9b9ae2bb47d4f211da53bd90c26b96ae2f29fcfc00195c7a3a7e8c42c5d625a1776edf664af

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
0587510f3872dbd28bd6299f1b31ca84

SHA1
e32a76d2e410b2feb184301db300f493747d05b2

SHA256
c574b9af45021e8ef2887eed8d1c3c841ac25583607d47edb5c96ea621b0c8e5

SHA512
4e850665befaa9f0dfa1097ff0d634b66ba7904f5c401ed5849be7dcdd2590c2aeb01b17f2199846e27eb042237e7c5a9739964b78bf918c0183d8a8e7b602a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
ccb24a81cc3e0c317d5444c6eb27e3c7

SHA1
a462e53e1c32ae43ebfe879553e633ba0e9fe51b

SHA256
79e8f71e68dc6790412741e4442e9dea5296bd755633ceb32d5ea5a6b03aed33

SHA512
3ccdd3cf355ab5b69ec189fcce0a19be5287342e9a81c6af30f102629990a78476d186327f2d6c39c145d29f32cb4b72a1090564fa241e868b4541b6ef4759d3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b9cdcef0bd9aea7692ef099661dd6e97

SHA1
6d3de504b0597b5f0aea927905308555ed4400d0

SHA256
0d09c674cfecdba719abda33fb617f638e6d2913bab222dfc733c32d523dbc7c

SHA512
b186ed14f7c45bd54256f776d387c32590cb7c01d44366b08942936585742c463f87bc52ad7135be164e630f134a54b558a18d511018e7f9c2ae663e44a07c37

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a411238f8c4cf7c89fc120b84f812163

SHA1
9eedd1dfc5136b8940f3b98134b9b77d6920fc19

SHA256
05cd89466dcf15ead653838fabb1ee5e660dc8163270511041883efc52cfdd0c

SHA512
eede369ddb69248184c04273784f1989def579ff579e9e3b789b4856a43bab8a6b8a3a45205dd5ba25245b326593bdf11a204cd1ad991d34c83f35375af6e83d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
07c7f4213b7ce7b1e1f5288df733e977

SHA1
872ee7a7e3d264d2ba715fb3708ed25363c082b8

SHA256
572b239fb20411ead89e959cbcdd8d1594dd2e4826aa551940720c6fea66d60e

SHA512
d438dfcef37b72a76ceb5d7b1d84c96b80f14a0105368c5fac40d01fcb4f3519e6767ab0ea598263dfbe12358787d017a6c759ed94cb3162bd5c49eaaf450295

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
79c05a71bdb5c93065c7ee4b04856da4

SHA1
86fbfce883034010c5ed89edb0124116a151c3f9

SHA256
19d91864a89641ea81dc072cf50a1b77f8479e7cdb29b3f8799f9de38c8949a4

SHA512
91387aa2f13aea040d9f9b5492cf9cb717302f26045852e51d84292e8280840abaf823ac69c4477949c0a8e42d7ac7c6e9b789ef9213519df1a9ae5d8400acde

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b7637003ce9ee821c55473bfb7b02488

SHA1
ef5f778d4ccc7d006420a9f747b457787cb82786

SHA256
edbd597290ec346d235835f1bc35cd120819a54ebb9cb350ac8fe5ad7d53abba

SHA512
6677d6f1c102dd8345e3f942ad252a724c6c288463bab6aa8472d8217f712339c680cbb0fc41ead7eb777f623fb33b64383e732424633129b5296459074db7a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9ccf90a23dac44416c35d6f7ea914f5f

SHA1
64fddca386c2375f7f8ee7b5cb194f2d5cda4ee8

SHA256
13eeeb09c154feddc00be5c7dc74bd84d0a001b96b41f4c2db07a2cf2492d357

SHA512
50b11ea8f4ab29093168beae8243b747c840a164c9224ec6a7bb709212d730f229dca2e4ffa4062bfa067998b71351aaca15c3ad17590b25317a6afa84533319

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a8e00b7f32f99d2c0edd2b97bdf77c6d

SHA1
0d826446e5fe3d278ce62c4d4baa053990c27fbf

SHA256
8756cf12119101c292c217ec8971d5bce1c6b924a91814ed0a9c4a172b669545

SHA512
a0a546af317684a165e5433e8ab1a87c6ee72c3dfcfc579b787c9d264b3bedbe947c158443d18f14f8edfd1d7375de8934155773e97d6641d3ccb248eba1d462

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5b979e8492a9044bc09a92c34ea2eb2b

SHA1
5535f74ed87f39471feb486a1d409dd0a098b0b3

SHA256
02e7f212d859492ab63ed2ad05f3854b38a07a7f49f454cf9d3f1913698972a2

SHA512
89f5a4f580563db97e9bcd88a9e707afe8c755a31b1f61e9e7a549840f99aecbf835c9637b9980a4c20b323c0d72ff736e273aa1c712fae9e61b4d492e397eb5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b33c5e904f2be9d93ec0959fea68cedb

SHA1
fe4fa39df8bd3efd6e0112b3849bb5c82e3f7d04

SHA256
f8fb1ec11f7aa59c949dd6a90cbce7f96b98b783727528c4394503e6915c000c

SHA512
021c52a4312a909e0534bf6945500b9a50c5cfe0bc0e774d01c4f82f0539da3f3a838a788e45dd62453332da730b69bb21498d0b1e37e948b456649c68e62fd7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a19c4527c3a833d654c20301c281c0aa

SHA1
59bafb9e3fd7eda5bfcfe8d15dba00e37a4b8b80

SHA256
500202425bdd471d083127b74a795b27421ca782929a7b99f7e690ded6c8eb8c

SHA512
75a83add4a214d64a82c8921f727aed7af01972ae1b0d1c4dc573bda04cc5aea538ebfc49e6fc52ce6321805a085a0f4bd442105336534cbd28e2fdf7674db48

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8d6857b574253526aab183dd4d6241eb

SHA1
e1d2f50596ab2c084e6ced0982ce3185101e4181

SHA256
116981fd660fbe2f6f2784f0a23761dda86301613172ea66cef99b01b6bf6a1b

SHA512
3415c19f5874109a5bf895dbb72f615ffed21f80153d2b90338c6213faf2c123e703cd5028a8aaceb856d274f94b9ef3f9533bba05f907303adb49682ddcf2bb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b2f9f10f912d31c27fa520574a74d06e

SHA1
ce19989fbfc4c60b3cce9ec8392bfbf30aadb547

SHA256
d6671e039f561cf9c34108774e0d1dc540b267f7dd80b05ee796a739a62539e3

SHA512
0661bbedb56e3659f5a1a176c35ab2e0cdbccfa9b13a0c435658ff08461eac9f48dffa6df0d8ba95b47111dc271f5f18740f055f4e1d7fffda362642f7e543ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
abb66e02818fa23d5f69ea4f0356e024

SHA1
5551a61a47ba73cec254e6c0aa5cd069e3145c0b

SHA256
b3c718c5d0cdccd57e5013de3082ce00300920b22fa69748eb4930aef1be4cbc

SHA512
b2351341fa6f72e5365853cf035efbe17a1358e701044f4d26d21f17baa8f9a3c63515c84385e344ce588b8ff14a061d249e536311dbaa3f45aa1643a4a1af6b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
15bebdfbe9562877542ed05368fc9c32

SHA1
fd1f3e6508f96d33224b65712c6667f7780f06d3

SHA256
ea20a362f922f91d2a18e85e4abc3fe41294dca9f67a5cd1b274fc3c3f5f0ad7

SHA512
d9d9664157bee99cae3f701fde1a2cc2ab7070a49f849c595ef03fe9aba1dc20ebed98b583927ec4398954aec97eadc62bf896a46ab63498dc7dfa61c29de834

Download Submit
memory/244-612-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/244-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/908-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/908-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/908-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/908-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1220-615-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1220-187-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1336-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1336-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1444-227-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1444-124-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1584-113-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1584-215-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1668-198-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1668-616-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1828-34-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1828-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1828-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2240-140-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2240-259-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2276-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2276-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2296-0-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/2296-431-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/2296-435-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2296-8-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2296-112-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2296-9-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/2308-239-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2308-127-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2448-622-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2448-261-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3080-14-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3080-24-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3080-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3080-139-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3168-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3168-43-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3168-37-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3168-51-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3168-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3464-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3464-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3464-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3464-52-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3560-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3560-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3920-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3920-82-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3920-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3920-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3920-87-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3948-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4128-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4128-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-541-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4564-162-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4640-89-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4640-99-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4784-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4784-617-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download