9904c4a71bfc7e6c056ea8791ccd16e7650daf8f43bceae4294bdf807bb476ea

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
Size

1.8MB
MD5

755f4682855a1959b0e8d6a91c4f7fe0
SHA1

c5b99d6e181bbd5b42bbb042a53102a1a42979d6
SHA256

9904c4a71bfc7e6c056ea8791ccd16e7650daf8f43bceae4294bdf807bb476ea
SHA512

13d475002b159015bb9de4fca6e10fa805aaff944eb39749b07118b9d22a819dd7c41d004c2e617c03139fa33e807b2532b4e479c23ff2c9641eb27ce48d35c5
SSDEEP

49152:cKJ0WR7AFPyyiSruXKpk3WFDL9zxnSY65RjUV2Vo:cKlBAFPydSS6W6X9lnF65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1800	alg.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
2036	fxssvc.exe
844	elevation_service.exe
4284	elevation_service.exe
2792	maintenanceservice.exe
4976	msdtc.exe
4388	OSE.EXE
740	PerceptionSimulationService.exe
4796	perfhost.exe
3988	locator.exe
4820	SensorDataService.exe
4564	snmptrap.exe
2328	spectrum.exe
4664	ssh-agent.exe
4580	TieringEngineService.exe
4360	AgentService.exe
1416	vds.exe
2608	vssvc.exe
5024	wbengine.exe
4692	WmiApSrv.exe
368	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c223a8e6d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM68BC.tmp\goopdateres_en.dll	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM68BC.tmp\goopdateres_ta.dll	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM68BC.tmp\goopdateres_iw.dll	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Temp\GUM68BC.tmp\GoogleUpdateSetup.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

Processes:

755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000890242d0b6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005414ceceb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c51771ceb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002001bbceb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef9bf6ceb6acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d9491cfb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001db56eceb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f27ebccfb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe4ec9ceb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
844	elevation_service.exe
844	elevation_service.exe
844	elevation_service.exe
844	elevation_service.exe
844	elevation_service.exe
844	elevation_service.exe
844	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4520	755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2036	fxssvc.exe
Token: SeRestorePrivilege	4580	TieringEngineService.exe
Token: SeManageVolumePrivilege	4580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4360	AgentService.exe
Token: SeBackupPrivilege	2608	vssvc.exe
Token: SeRestorePrivilege	2608	vssvc.exe
Token: SeAuditPrivilege	2608	vssvc.exe
Token: SeBackupPrivilege	5024	wbengine.exe
Token: SeRestorePrivilege	5024	wbengine.exe
Token: SeSecurityPrivilege	5024	wbengine.exe
Token: 33	368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	368	SearchIndexer.exe
Token: SeDebugPrivilege	3664	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	844	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 368 wrote to memory of 2088	368	SearchIndexer.exe	SearchProtocolHost.exe
PID 368 wrote to memory of 2088	368	SearchIndexer.exe	SearchProtocolHost.exe
PID 368 wrote to memory of 4552	368	SearchIndexer.exe	SearchFilterHost.exe
PID 368 wrote to memory of 4552	368	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\755f4682855a1959b0e8d6a91c4f7fe0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4956

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2328

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
5d0e4029302c00e8ceb2cc7447e796e0

SHA1
7c2f23ed283a425a45423ce6d72240d8d6fd9a90

SHA256
24fecec03077777764e5318e2af6fa3b85b41af9e3120f94f92039ef68e1a748

SHA512
dfe2a0f71289d6264dc7367d6f7188949b928b19259b460d6d6a56c748b0d261532daecea27e6b64a49d9ed9b55ca22b01c14ee7d66f8ede632204f95f8cad22

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
da92e5dd613255bd37914aa4975bfc53

SHA1
05c2f948e76edd5e74da40e56f283f92cd22347c

SHA256
8d9a16ca37d81a5e95c3780ff0710a2a035f754dc57ea07f98aaf554acb1a8a7

SHA512
fffb60320728ca9cef7f7a0063ab94f2e878533283748663d1aeec2a5cc67eeb9a743dcd2733f13fc5749d85859b1519cfa58354332a30d9e6bdee8a0acb79ab

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
264ecaabddefcb6717ae4f5afe4650cb

SHA1
3aa5108008bcc67230adaea40f76a3b3cc6007e5

SHA256
5b872fda5e021eb9fde47ab80aa75506714b97c72dd330363113b946fac8c482

SHA512
cd5010631bfa5a82004e11f41991de0b60b24856fe4d6a15bc809316cafc2b36f2f1bcb1df26c6eb098d1334d1f39fbad090345d00885f27314bc5da609e5e89

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
fe27947f6ee61bab0285e285f0bf78b3

SHA1
11b31673ee8af83fa6b37de0f1cbc768b85ada16

SHA256
eb2cb6f28dddf973ef060d3c6f1f754ee2239f3b7cabf2826f6b96fefa6d881c

SHA512
45c236fe1d907873579af16c9fd1af91da548dd55276a920219558aa8439ea8be554aa7a0526a6623a7fc48d5c5946f3fd14603094177055d5fc07648d481869

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e9876d639c43ca7a1fc4d35035d1939f

SHA1
0f1539606cb8be788025a4d152d3b2f803087d39

SHA256
ccde38d32c9a6572761b9cdc9a81ceafd6616a88884898d51913e48fc7ba75b3

SHA512
c51ea94ac226791e67b1b2a70a2df9ee54ebe50372b7816cea297607a069db8b97d2243faca85b0a2b1b9afcb0fb354348a480c48c192e392e34777a6afa9f1c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
a1a1903e1120f3780ee650d8026a9b6a

SHA1
b830eb501c5b947544f4971556fdfc2d595d7a3f

SHA256
8dca59c946bf15433590efb735402a1598b9556e8edb98e33bd7e5a868b02b4f

SHA512
b6f9f1dcc26b1cdd6620b12e9e906770567f47736c99a5b27fed1d1111e262bae52c96299bbfe9dc1cd4487cc8935c01bfb68cec841f4c2df68ef113d78b6293

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
5d042d299a3263e94eb85b8d5b6b7ca7

SHA1
365050345f0594ba6c1277d3e8e43c564005643b

SHA256
f9c0eee0075573bf3d12d2547a084593084b526344005978c88e7f2b9518d57f

SHA512
d405afddbe960ad93f704889fae8ca0e604646557707f70f969342629c5a2d2f021f5fc1fe7dc769c2e31cc31597b20db258783912e35528486799878fe7adc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
752ce70aa0d0f36d9b90ebe856af4f17

SHA1
8718672460c8674d88b7d09bebd2e3da9d2b812d

SHA256
b03dcdbdf1e3da4a2d8fc3f5820a58fe8bb1c3a896f9318711748c2fa9072280

SHA512
74a85f7e9d851015289b79ca9c8abc35a1b39d1669787ae842044e4c20fc1627a22bbda1d67c569b052e5c2f693b6c42e0d321f52761eaf56ccb19b5ab20fdaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9718bf2bc6b9feaa0d42f7cb3724c04c

SHA1
1d9eaa616f87bed9a4a1254c063ebf1aebc04b8f

SHA256
caa41f01cb8c21630810e931e01bedc72b24789e8e0897e8e1b02e3a95d9a51f

SHA512
0b180311f5fecd8b7bd3b9dcc5dd95761253e5e99da7f4293bffc75f1d15953e56d36e8ca4027ba8b8a65de27cf5abcab7afec65b19c5d33248c268c2a055ddd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
49bab196579bc9827e17d1419722bb6b

SHA1
09531386ed61ea38da01470f50d672ab956c11c2

SHA256
5ed9fa64a7b288f8a75032fc07511305660cefe10d72c44ef5cae7f600343d32

SHA512
3802683fa4dbc1dc7798782658a2e1a2b8f3bbe902a5e89bbee217a7ad3b05eda5f6d8742b240e2e1a49b9b8fb5fe3b614e4bc4a962b614fdd0d3f7f23a622d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
16bc8a7f82393b8af1c3ae048c863084

SHA1
5e17b3409a39c0ee5429e1b8408cac27dec7a10a

SHA256
0b3dacf6887daa85d007b52fd4df88a0e55d42a39587265935238abf3796d0a0

SHA512
94b00e230b45fea7492178b4ff02b6397340457395ee3fd49b61d9ec14da43ead29e1baf0594f8cf851229518977dacc9d667f284de23a6e7314c10c86a40ea3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7792ddf249ff888acde50f62f991f3f8

SHA1
6418adc1311049b0aa06bd223ab53fa06857128c

SHA256
e9ea0c883bf28d86f9065cecfed9b22c34078025989ff045c70c9c3c94aa1c43

SHA512
d8e951f943254b80587db1fc32b671768ab4fc0e28e2e24358c35a30447b7e97e27201357ccc0a6c6a0314e70b096a5f20acc92b77f5f2d9191d9b7da5add5dc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
99000d2d45c74b5af4b54422f6c71de9

SHA1
49fdb85fddb1f9548eabb881c1446d6574e95670

SHA256
65d5b15f533498db6edc9e1d962997c795d3fd604f3c3572bdbd76da7fa04d50

SHA512
d7470e448da42dce5e125d1049d4a75182f5b25af053af2f9b42170e1a495a5c56f972f109c9d6ab74cba115155197a54dbcd45435fae2174e74a9ff3012050e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
ffadbe0adae759da9e3e4181a2c64312

SHA1
74457924f9462e617bcef90cd7756f38a53efdc9

SHA256
6d7c358d1d7a2f494ab6f76d35f8547d5a108700fdbfbeea7e9598b940198bff

SHA512
613e7a6328acbd4146fa6d7c284362af05c942a016a655a2c5600a52808eef71e2153108ddf697bf744756f16adbc9fb9861706d046882d9ab68f0cda875a99b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
0e9eb79de092988765602557cb5ec317

SHA1
5525af897751130eea8348ac3437ca07f3dbaa4b

SHA256
3fe748028a69b6abc069b342f0e8b22254f4013cdc18af30b649cfee97c2ac97

SHA512
efa5bb39f644566fc88ec066eefe46f8574d898e1a184dc6865c631c157fa478f42caf36215920dc7a11e4b1c75e8b1f10383549a809903efc68870931dfe953

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
fa56b716cb08f417eb3d1336ff53047a

SHA1
88d08c159c899a23f8fb4b2f5911761164d335dc

SHA256
7804fd2763d5cc4e31f20834bcb34f8b957389b3917e3c64402482788258c897

SHA512
f9db72e4f7b8e273cb05002658b3be4a4e0fab82b5f4eaf3b80063496572bacdc621d4034fdb91bb517d64aabb9161d7042209717ebc42fd2711861210b6fdf5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
651fb49f76ab8bb08f363c0e75796b58

SHA1
ca98fb0e315ab5c4fe2b8a5c42dc4d3c3b911def

SHA256
b5e4e8e9dbe5a31325c23c1ccfdedd3f8ca553356cd0fc5931e7aa08119ef547

SHA512
c7bcb7ead4a1b6476184b7a142e41f497d752dc7919d20f902ca6a2e6cd3287b8a662b9ba5430715cee6fbaa5a35d98b0f8eb29c5053ea496c0e7ec3719a258d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d2345b2e2204197c2129ce0e57ae0af8

SHA1
e4b007a265ad24a497e3479f5c1bb2b4e125499e

SHA256
b91a3a97e0986c673b91b4338bc3c9ff2ab73e3b78c1072e20c3b937e7807212

SHA512
3ff4cb5aefe916e3e017d4791feb388559c9ff86d15a222f8e52af4ab85675f86a07d9fafb968c3f6e298593f985db72c4d0e9e652552d1ed5459a105091c357

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
eaaf78aa1eed61f2a4ac353d4d2541eb

SHA1
1617f0a231923b9477be3c41620a4eb91fa642b7

SHA256
8397ab727d7db68adb8c86625935d4ec302a44428cecb2a8642d189eba21103c

SHA512
49a14a2b9f1b1979d6ed1b9a8bcfa99ab18573d672b4a538cc8bad610537a99453eee2cc9e83f5509581edc278a55be7abe7c9a288dada70d256b0b611ad6118

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
3908f98a0e3ff505aedb106bed3e55ca

SHA1
8ce4aa70a66cf0913de44b82d52de0b95672c3c3

SHA256
572ac48e4c472564fdbb7b8ec20da10a2afad3a4f802bba03dd54ac52ba1d7db

SHA512
27be2505a46f74ce56657737d261751d347c6587878fe380fa296b76cc7d14d374cbb10ec35b5297931e82a513ad9b45bc9596a069ae252b6b91fd827e75c7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
7cd8242055f2c0baf944ac60ad75da91

SHA1
59e547bbd0ae74a6b115b9e05122c27d8ec92b44

SHA256
90f21488998e36edacd80834fb18952ef4d2bb28fb6362e05c0c46d8a947a3d5

SHA512
ec314b1d22f7c44baf16f22445f99bb78dbbb16bc36a627fccc63558dea785f3e715ca7c7148ece313a327f9ff0a6b5fac6bfa639b91d1c4070001552c24a11a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
49190fe80b285f4630938e3d36008b96

SHA1
8eb9d5584ddcac61180568e1ad23d62b282e8346

SHA256
d7a34a5626ecfb018dabd0c80efb9bb06997bbe87bae1dd2b4bd3b8e1364c80f

SHA512
0d01e9e1851dd67c2508567b17d1e996a8d66d60e5b0beccb8ba6ce44d25a1ae7fe25c1126dd284b8b7e52ceaf3a6278f533350b75694fc168452555faddd7c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1ca7cd071c1098ac060a5400f5ff0973

SHA1
11a0cc9d510da2ac647bea9e2083619f4baa760c

SHA256
8fcb3e23eb342798a3f3048514fa8e39515d22ba16e9c01fd6bd258506e5d84f

SHA512
32214209dcf85bed050140fbbf0d8c8d3722e7c79ac372252512ecbdd81caaabc56788cdb4cb57d756ce3ce0fa4cfce29014adaa65b8e44fff235ad62799a759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
ec247dc63f3a6663294a023000c7cfd0

SHA1
7d60eac52ce174e1762ac4e3cffe704a82d18221

SHA256
25065164df6ca8e588895465e74425526a86af99c075759cd3c460977805f899

SHA512
33233d690ffa803d570597ac9d272f30d979e605f35462e23401eb52cab983122f312eb45783fcf10ad678198cf45d4bc2f5da8a13ac45323587f02ab7a40a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
240177917851478c9c302699dfe1f5f7

SHA1
06c4272ef3255593f78dace85c46b8f4e9598ebc

SHA256
0486e7c25f5702294ae0a4326ab4051140ea7cd4c73b23845442a1f23b202ba9

SHA512
129d687c43ece4b9e5a30aa09c57c3d010c82d6bddf364068804ca493b0e84c6eec0c99fe1416993834afe44e4be2c7b085d17a3c9aab1c74e3d630694eade03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
3b85efb51ce22d172590c79a0565cc55

SHA1
e130cd87b29cebf7f5cadcee67736a11a3738a1c

SHA256
973e57258287a80fea7a1e5a10e257e0eadc5cf1314ee6591d4bec59de52b9fe

SHA512
c8cafef32309f87ba347b11968b40baf126845dd85b4572fa8ce69ef0f4d9f41917a88d1c808d4262b9507e2e4ece22a69d3ab87d9a4d1733841dbf9933c462d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c11e4ee83b38179c76e0bbfe8b9c25b4

SHA1
b8273d350a6f611170dc4532d0a08302143851af

SHA256
304d75f95a7cf312c1018b19d6d55e28199db0fc74ccc8f41582fcda9e9dcfc7

SHA512
166d9597784f98ce3ad3519880ca793618d7fba3d63641efb79aa880d7affae9fed55c13e3811b55632949fd58f96ed115da38579fc4406ac794ae7d88f51e91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
1b27a893057c32654e3eff022c08a008

SHA1
252611fde25b6a8d615ac9311baecaa943162824

SHA256
532cb24f9bdd1c9aaa9dbcb46cfeb2d03d7877dbc62e19cadc602d0d25efe3f7

SHA512
58e3a5b002dc108dc2d3644ca7fc34b8d5abaedf10dba66185854715829484902b54240d2b9bf0ecf21c6a16615fbd8dafa07aed05810de5a2f0c866b6f06012

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
5e894e684933907e5ccba617b88a625c

SHA1
a581a8418b09c51a131ea63195cec256373559c9

SHA256
7d2634280fae61a66cb9e02db26182a5b75f89b416e4e16ab8016c8213c85adf

SHA512
ac3ad166c2872ab393cce2abbfaaac3a68433878d83689970b9d76f1b2a1612d182ef653991008a690bce1606d37833438d5e1a5fa86835933aa3ce26587a124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
cfacd9ac050127be89b121d47d66bf31

SHA1
b440542d250aab4dba61ea9c2a9acc4b93b8819d

SHA256
960e014c76ad7256a526c1882b0e73d95d57803ceaf0c6de79a5e9ff1e8605eb

SHA512
6110bddadfa964e4c97c48f0186205aefd20c4f124815f41249f76396a6402bb1296a0aca5ec3992a704b96efa78d64545ea8ff8e5718daff38c35cf4914bb7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
b0dcb0b83e3ae706fc9971e15d7d6c09

SHA1
2172988090e3682d2d371339a310b2866647eca0

SHA256
ed70eaff00dc76ac8d0fa39d1db3dc6ed58584dadc791a41da910c33317d3ce1

SHA512
0d5d90d1454a177a07c5193a937b909a5b4fba70b3c954c033e5ae2692cc7332033c2fdaad5fa627db78637fbcca17888064d1682b4d42d9128be87a6949886b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
df16b4d49154121b1f3d81871b90f544

SHA1
08999ae1f22cb2a9c4e81747ef1ce48984eae804

SHA256
66c09baeb8939e5e864812f7e5710829bb170e1f244457f772407ab259bc7fed

SHA512
9b80f1fc7774e984fe286ccaaef92935a422be2ffa3e406c48704610ef0c48ef45f7d3136a9115b12ae933cd4483ac81415d41d3a704991f084e61ea9c12c6a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b09b0e0cafb3cffe82ea9010a04954f5

SHA1
f36b855a803ac3d7cbe69c9aa13a24d748d3e0aa

SHA256
ad303197621dd00b95bc7dfd90f72b901584db3bd0a1701de96d66bb388b9809

SHA512
e22194381ac820e77694006160a34a13a57fb27e9002317eded93d979da1c6337aebf43c5dcfbfe90c0fba6f5f9f71b66ccac2fb3fa473e22244ef5dac14f491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
b7c332387fce4ba37d64f8e47bc66220

SHA1
e6d6c2db3a7614b86f473c5433f3ab9dd62b0fab

SHA256
a23de615a0c087bc2af7932145cb77185b5f139f25de258749147df5f4db2ce3

SHA512
c583dc9d1184b7103151579d45e83f7d196b4581c09b129a7960ab4e667978770746530027ee4d08e9c616eb1dd709cf8b9a36eec918a11e9c9362805bcac374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
a040d4dfd6e2a9e0a4c8035b76731922

SHA1
10d959eb3d0305924bcc62d2faf9459cd0f70085

SHA256
c49d07fcacd988cc93e565f4b5538006aace5824538b4109799a068ec25405d9

SHA512
c9b1fa8b0022758a3d3cca2d2bc6fcf642b9d53e1260c6adcc661f16ec1f58d73464b7538fdc8312db42c1c7ec74702bdc2052c8b45a6aaa4df137056b557884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
072d34f6b8da39d6639431d9e4ee8013

SHA1
dbc178dc40ce364aa5b0e0fed5cc43674fb5c33f

SHA256
9bda367de3c230b38d8fa527098cf1819bc9df7bf33820341dff4f3811d65a46

SHA512
3ed5910659a30f3ae065f067b801d7bad87d75179793559facac48c3f4f631958275647c25e833d56ebb1ea89cc7509b73141b87f1501674678e192553ff4191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
014bba8827b12f40b989674e61ea19f7

SHA1
695558237d6d18da4d7cf71713f319fba75f33f9

SHA256
1de1f40ba7ae291af0ffd508e56a547cb5c8d258089cfb05062894c382c0bb69

SHA512
f9d6e88449c7516760926b0f9f1d654ca48967fdf29ece365f64ecbd3cfd506ecfcbb3b18855d9b620213f2a4bfd7b0c8977fdea3b9a1c6a4f2c5fb14d522f96

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
92df84798713444781cca51557790ffd

SHA1
9ca7d736e071bc45b676305b15b71979f58c15af

SHA256
a7ed2696e4f7bbd7c0d3b72a98e34dee4104eda1706935b4333733681324661f

SHA512
817bd371321c38e2d6fd3a11e14c47d1afe0635a6846a98d31b4a11429064051c6065e2019f30b651df6049f536b33c36e8c3287de6f1973a1f76a3a05e4b5b1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
64aefac9ea8968988db39286656f7939

SHA1
31d654066f18bc04b05a87c27bcf39749f7f93fb

SHA256
c52eea56417cf513a1d766b56a49f95ac020e6f18d76becb3adc8eb415ec5276

SHA512
2dbe774ac36ba02cd3bfb56ec32dead9e8bf4b2ed7af866bfc44d565f955f8e859821cce5dca022226976fdac6b6b788bc76605a2c2a6fb6b04e83ae591a094c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
afe000a58474a33589224376b1082bcc

SHA1
3a47db50c5aaa2c79908d6f8b25a24229d897a52

SHA256
64554f68a94de827fe835f0389588d4e9a1c133ae0e39b4ec9bedf5339ba551c

SHA512
f5fff3ce59ea55910d513d37f8bbf81ae0d50a4d6fe63118c6476214da4cc909d7f0591bb48cb6eedd24647aae7a18c6c0562896d8e14fcba8deeafd7028e45a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
929505d5fcb5545e2afb79f92c41e374

SHA1
f15212643020350b7893b90474777e5946ef5c3e

SHA256
8dbd1bbced62a797c64c4bccc9d6f288634ee7dc95899f625b4d80fa9818dfaa

SHA512
ebee547aeaa2cc3755063dbe6c76c663c98b27a372014a07b6673c601bf5c60b58cd5fbe18f1074a1814bd4c6cbe535bff3904e269f696ba51b631d4b9d65880

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
3c2fa8450074f28a80777e4431b88b1d

SHA1
5de94dc8e8bc2dbe1fa4c8f61fb49087e570736c

SHA256
683b0ca7d87081759e85da1f70d5829deee71d4bea1fd37e1281e90beebb60fe

SHA512
ba3f2fa39065d47029889c0a8d0bf53bfee22b26367c17014a2ef032f3ee741d9688f14da2d7c1dcbba04b96150d9f4f79709b2f6d3228212853381d36ee0453

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
957712016c43a91d500cf2b7a325bff6

SHA1
91180e573e2d0e73847e02466f3839913c5c4287

SHA256
2ae4368ddd63af164f79cf3b77de92eb59656a989da3d901fcf8661ffd54a2f1

SHA512
e1b656de29f9564b70e626d7f442430f11c9a9e2058f72d989f432f2797964d381a24919450a4790cfb6ebd23ae7fd19450060483499ef9a169dc7b7460786eb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f29042b1209592e4620f10e9bca0d96b

SHA1
c402dc59e5852e7815831440b8430a540136ff03

SHA256
e5d24bbe2b210f6bc548e01140432db8005b3956944c611c8c3bb9fdedc27e08

SHA512
692b49879222b08545d3c73e598b87e58de4177eba8087c0390e204c4397c031773c34a5ebb28191f27fa3e8a0edf0ed61262052976c0ca20d8e29d7fdede59b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b6b937495133c76d918d894988b92eeb

SHA1
c62c8f65129cfc42fab36225588cfa023ebe67ff

SHA256
8d3c12f6019927a48144c60726197c68e725419f94e27160413023c02a93faf8

SHA512
defb34fc75fae12adaaf851265c0097b37ceaaabc74d1851128a005387409c1fa17eeb45afeac3d2742458003f2d578618625e2d3688b223a3d8c997c4756032

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5ef477a60549a8c86e2c1f58164e72bc

SHA1
14c594c3f558d1756d86e656bd0d3512883d4ea1

SHA256
68a8febdb5c0ccc691dbb8415af247858b6ab0047ad4100b08280c0c8a60d6b4

SHA512
a6a9d90fcd577fd0a7d5d31e1800291e7abe92b86f82066e340eb7c0bb628e5e0d404ffc3cc700bbf2233034942302c13581dd99bfb11cc3d3f45e2f6ee065da

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
972842d6584de6d972c8ce222e4c6383

SHA1
0f5c654bf4c2b337c4b7511bd8e8f9a0fdd77b8f

SHA256
0a7d7b068a17b25dd4d273f771e2f160a8abe3b64bdb75c85eca2af8a9ad80c8

SHA512
e564d56347dd138f2604360454a557694c250bee9be2553cec8ac12410d865a32ce4da368baa9aaabc88ca72696d7493bfc5a34690cca8c560ab907835be806d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
205dc33e5c3220d5159b4002ebe7e852

SHA1
54e471d5bbe05157d7a3815a90b70f8b018a9021

SHA256
d531399ef765233ade52db6a0f5a9464c5d4b45751bf8951e3c46708efc18408

SHA512
cbd7b18957bc13ae63ac760be15464dbfe9e09d2b1d00c8363ef0859c847655ffe01ae1968c0f6fbdfd7ee08bbc04ef387d6ef0c5d1c05f3c4e1dcc7e2ec6231

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0717fbcd57494a47365db5e2c8f0d3d3

SHA1
04ecd55a1f42832388942ef61c5ea741ec2e3e56

SHA256
a7aabf31db6c3894901199c78564489c5cca275ccc9152cf411aa1aa784d89d3

SHA512
06c8c5cafba47816f3bf11c5b6e951427276e02f63fa02807bdf728160c958b032d6e3e8efdd72ce6321da626f0b1732d2eda11aa0b550788002856823b66656

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
72a21d37ac5a38331d373576b20a959c

SHA1
50c6761c747e6a5cc715f1da758607b159114a5d

SHA256
b725cad35ef39ac61369950502b00dfd30cc3cc728c6c20de4fe8fe96b4b9747

SHA512
29565a00f931f900991dfabe59e6f89356737479a34e05cdfdf14c62e59b5d5f28f0e6383470c980e3c2b541292213c339b16f2b89baca0d35917ef82ffb6748

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c34b44392fd000069d80675ecb625762

SHA1
98ca6c47c27e9d0ebba75ca41728518b276650bc

SHA256
0f6ea48b8bc472fb70a8836a80d8a8fedefd728e38a433cb854523f9b15fe5aa

SHA512
5eeec1676d2462ca8b2b2bf927cee71bcd624fe7b30d8a7b4466707ef3217b7c2030ec3d608a29db99875faef004ff666b5928fd98a491e87a74fd54f3b21082

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
b402271f1e54f883dfc73259ba874c99

SHA1
dfe5235d8a0486a4c9b4523a135246d957425baf

SHA256
fdb0357705b1e748f954dd813ce0c178d8e6d78612e13ede1bf84e7bc3f70497

SHA512
82099b0b97306070b60d73b41755290b90a9e43da4eb06b93ed86a77fd6e287a6fe26ee768c26f778952c697337d9bcef9259396bcd38805a10848cd3dc341ff

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
fc85219432e22218730f7e423e21ebc1

SHA1
011a6d2374ac3fc681ab47c47bb4c79ce64cd136

SHA256
1b0f0c9d799800b51b685cdd03e7cf94ab2e4e78a64eb57842f6cc447f59ff77

SHA512
392a1c7bd425f2db81b98d7b0e4b1b4d303b4771612e337a0d80aecf8cd3e760a71317315f2bb94b37173150aa1ef47b092dd24e767d519fddbcc24eb8924f46

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
d50ff10a7e2ba4e249cb36b34e7134a9

SHA1
10ce1f631fb7b26fda0678a067826994f6b50143

SHA256
ae9b23c58adeefd3e759ecf6844d1e22544c98931722ee9edb3111da3cc3b8c0

SHA512
defcb77bdd90156f003116c3678135775830e4e186dd5e2a1ea5b80798c6b64f15da49aa4fba3664e876c0f910d80c104131b3e7297dcc74d6652430a736e8f0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e2e990c0a5a0064307151fe3e643f9dd

SHA1
15f7c59cb762032d31f32dde3c0e6e77e0b0af99

SHA256
ad8b35462b09f42df466e543fbfe15a901e86a3f973954c8ac960bb7522ce609

SHA512
455b742d06dff9761564b4aa964201aeb11805c0a2f7c03a7e8e9703d050efe6c19a3439238f03b23797eeec159dfc9db18f983eb09b188ce7e19b3269667702

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
951eda76eb1e274cf7bf2295d49a955e

SHA1
ffa7cdca686e21c2f05af8fddcba5f34e31a4f09

SHA256
f551ad324c3800e0fd78221a25013b3146eeb843d39d0a28e79590a78e1f5944

SHA512
0d7d55c60f74ff5b58ae7eef6576d0394d5f49bee0991b155de5fad978ff6eebaad135173e2c57031dc38fc942d95b593368a36291ab3f964ae3aa3d981ac60a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8a24ae2d4aad5575713666f7e35b0653

SHA1
c0ab3764b49523238d430b08ff1e5401b083bf4d

SHA256
df1795890400c1e97a04ce230ce04263f95c92c6c524cf4cac19c832ee3e07ea

SHA512
d630a27239a69ce7e3b819b86fa5e079f5cc624bc17f7ff9e16d255837ce69626a08c27cbb86a177bdc3dbcf1d90bb72c9d816afb24659d9f9518174cc5d09e2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
cba0080ecad5d75d071de30c55f2bb85

SHA1
cd8250ea7edf0169dbc659d6cba9c1e3e58d5d22

SHA256
f09fba4df1cdf6278065c2f62879fccbe7d56a7c397ac9c01b45d812926edd6d

SHA512
10e263110a10414023873f6d94ac54e04f2c7a6cf584dd0425804992e41d8fc74d55b288f402c6ff9e09c6f8e6a88e4e4ced1153a3281548254ad25d2f14bbd8

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d5153db3d797f63959fc3cd78391a5c7

SHA1
c8d39f609037c6efb13ce40827e593f36b3cb641

SHA256
344bff4512b905876f33794f530dfbec67f280e6881a388e5eee83116570bb4e

SHA512
e9c8dee02dead2cb0b2b6b12716c6459d29dd4f03b7a3894bc842a3858681d2b5ddace6a67b23528801d89fcb120faa25669ee2a4c1058a9a0fd840bd2f6543c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
a4e1656c057780d9af8a2e6a8d316975

SHA1
436b86de08bfb8ee17407bd382c7cbda4fd0ffa3

SHA256
593a1817649933ab74c53fbf23df56a350fc1260959ca99c778382f31e78d096

SHA512
cd23ce9b382e91379fdf9a9c988344680d53c01c297188971cda6459f2aebf8ae416cd487ff3b5170e2e148fcf1ddd6d507e5c6ef3299a9a2f97a8fd8ba34fce

Download Submit
memory/368-238-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/368-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/740-152-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/740-225-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/740-162-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/740-156-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/844-98-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/844-196-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/844-104-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/844-106-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1416-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1416-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1800-79-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1800-166-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2036-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2036-107-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2328-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2328-554-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2608-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2608-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2792-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2792-122-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2792-128-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2792-132-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2792-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-83-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3664-84-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3664-177-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3988-178-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4284-110-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4284-111-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4284-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4360-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4360-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4388-148-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4388-141-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-142-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4520-2-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4520-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4520-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4520-140-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4520-482-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4564-185-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4564-408-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4580-600-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4580-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4664-599-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4664-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4692-610-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4692-234-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4796-168-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4796-167-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4796-173-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/4796-229-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4820-598-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4820-181-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4820-237-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-216-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4976-136-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5024-607-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5024-230-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download