aabf79eb1341ee34e2f5483fd24d63d288b6501a36a5018c008915fd1e865238

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Size

1.3MB
MD5

95e907e43b3f458f757a1e692f968c60
SHA1

6e61388f9c28f47765ae015f78e1cc1c3b967a14
SHA256

aabf79eb1341ee34e2f5483fd24d63d288b6501a36a5018c008915fd1e865238
SHA512

bad6ab34836c9edcb4fd6b217b7f412a7dc5eca4869c9fc7863e09096cf586c160daf1be7d62298577dda0b15ba729643805ff2102d3df42901163594b8e073a
SSDEEP

12288:roBCbwOSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:roBDnbl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
852	alg.exe
720	DiagnosticsHub.StandardCollector.Service.exe
4704	fxssvc.exe
4236	elevation_service.exe
3528	elevation_service.exe
4380	maintenanceservice.exe
4408	msdtc.exe
4088	OSE.EXE
4520	PerceptionSimulationService.exe
4628	perfhost.exe
1544	locator.exe
1504	SensorDataService.exe
3032	snmptrap.exe
3928	spectrum.exe
4788	ssh-agent.exe
2308	TieringEngineService.exe
3444	AgentService.exe
3004	vds.exe
3448	vssvc.exe
4196	wbengine.exe
1228	WmiApSrv.exe
220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b98847fbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a14cc98fdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eba61b98fdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6ce0398fdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8880099fdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074b48b98fdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe

pid	process
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeAuditPrivilege	4704	fxssvc.exe
Token: SeRestorePrivilege	2308	TieringEngineService.exe
Token: SeManageVolumePrivilege	2308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3444	AgentService.exe
Token: SeBackupPrivilege	3448	vssvc.exe
Token: SeRestorePrivilege	3448	vssvc.exe
Token: SeAuditPrivilege	3448	vssvc.exe
Token: SeBackupPrivilege	4196	wbengine.exe
Token: SeRestorePrivilege	4196	wbengine.exe
Token: SeSecurityPrivilege	4196	wbengine.exe
Token: 33	220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	220	SearchIndexer.exe
Token: SeDebugPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	1160	95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	852	alg.exe
Token: SeDebugPrivilege	852	alg.exe
Token: SeDebugPrivilege	852	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 220 wrote to memory of 3408	220	SearchIndexer.exe	SearchProtocolHost.exe
PID 220 wrote to memory of 3408	220	SearchIndexer.exe	SearchProtocolHost.exe
PID 220 wrote to memory of 4692	220	SearchIndexer.exe	SearchFilterHost.exe
PID 220 wrote to memory of 4692	220	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\95e907e43b3f458f757a1e692f968c60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3408

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
17aec0ec8bf90f02b11f8001ebe36a7a

SHA1
898f0666be8599ea94fdc1bd379926cf0d62e058

SHA256
58eec4c5277a0df3304304ea3b5d75b750d1c45937983116f9b99f02beb9fe70

SHA512
a7714f1a2950335b302b817be9ceb8d5e198fc0f75f363f59e1b54eb1e6d2c0c8804c9a6185432d046c5051b03c27fe9a8cef14831b771905423c93b700f4219

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
92e53816d17ff6aae5f4f775998b4694

SHA1
cd94aa2c3f024de1d74dcf91b02c68ea6f5102a2

SHA256
42bb339fc40306e83c462f2dfc761678cd9741e19266de83b52f615345ac9c71

SHA512
aada7a658b01d9e73debd7028b30291cbcb5d4c2cdf6cb9326c9eb1a0c0469cb0a08ee4228839b03cc0982b807be3857df416d36c1405ce65eb465feba5d8b5c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
dfdbb92c2625e9bb9d01cd95456afab4

SHA1
d73cb2632e15dcd80db7b69c4bec086f6f575d5d

SHA256
2fa0b1956ccc21866c57ece0739245a0f531454b2582cae3d0237ebcaf62ebce

SHA512
3d5ac0f851a38db9914b3ad7abd7b33e3aadd829ed4211b9f36734ed988a7197977c758fb3d78c40a17ac01bc1e266f7ac5015ce0fc65a0850365e1cb36ab628

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4aa97ead675db7464082d8e482c75a72

SHA1
bfc0886f4671eb71ab57ed503edab3d8ac16098e

SHA256
cffc61336fd732d39ded224ce9a858e80143bbf8af385d90716c5981eec76242

SHA512
6797f531bddeb297672f99380626afab58a7b4a55501a5889e5b2412d06203fb78b7f14f19805601b4097ece6770e82a7ca500755d67d1c82bb4689b3a44936b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2e402adab025132f670cab86a2986f17

SHA1
385d7d73f3393cde15481a8e3b72d82b5539dcfc

SHA256
6190e66766235efa4fe61f2d3c107ecb543cd2bb79128a0b5a9f849b1fadc0b7

SHA512
7c296fd633aeb02611c0c07f71edcb30e8509151793e7fe5e39f44d8bdbb2bb64750e7df36f3d896390d48ee2aaae1615b03f59c8f3e640d796e76c79d071940

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
9d329791e20518c2ace4beeef5c02b09

SHA1
a38d31245ba3e11e778151a1467d8e5e87e157fd

SHA256
b3f0b379aac583c1f3445fbd4a5837e5be679eabba52c04352973742135bc464

SHA512
436bb04bc6cec170348d9daf66b83ca7319e9a887ecca74b72bc28e16f245e5f0186db42ee71eae493fe9e8cb9702fa2213181b19cad622e7520397c30ebb87b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
b50095ea37ff413b5167596ee68eef1d

SHA1
909b6359fdc1c2691fafde832f47c2ae9bbb6f63

SHA256
441884c34954136abb2f933ee338b2acdfea0b02d31de7b1ef9097fe8dbf5e07

SHA512
33fcf1debf7e25d92eb85b7c8226235c41060c5767e77fe2b493fa1ddef9b783521cd995bf461e0fffdf76051dc44107d21047da6f6afc3dd74dea4d01071246

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
931fedb8ba4f2725f207dddc1fd04369

SHA1
0d8dc4ec8b5d062fe9cc08b394c735209c124a61

SHA256
2e047c664b5b60a8437464fd54336082c23d535c1e1aa069297f13b6bd486cdf

SHA512
4792ddb54f96ebfc04ffd6ca59c2bf65c17ec13d370726958d40fbb42c6f9956f36e968924cfc915f8f59cad47c2f14bbd3700727b10816576ecdda3ca766275

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
e3ea0a341288ae2d562ef1a8ea3c817c

SHA1
fec3d68516737de79171c87d1c929a7c4a2d7540

SHA256
85a95b039dfd31f054054d7c3c5019699c9a11f77d71c60af2dbbc5d4336de89

SHA512
8eb34ce6c5cb20b1eddcfaedf9489fe98ab9b6334dc4a7fa1a2a28d54159690719c90bcfb30a838259bb2c3f14aadc3d85412f5d083f237482482dd05449ec55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e48342b2d04b157b07268f9c948f45f8

SHA1
9ec0a279b559afb6bc8b5ba5d920abe1d9770415

SHA256
66c3729eb18b1b253085281acf272eb990d1f07704522a9dc88c92452d026cc3

SHA512
51b0f732502a6b1f537f5243056cfd6092fc711a81b8628b85997fc237fe8115dabb3bf373f518038e3b22a7b8942249927ba30d2e9149de44fd205855c44500

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
d2c2b01192468ef3652519e304963160

SHA1
e09ef70100d5fdb5a61d3568eeb13c8ae5c2ba66

SHA256
75a71de48ce90e0bcbf9b9f5ced46e892a142ce5a5528a450a71d1c2c41deb01

SHA512
4751bfd5ad2e7836dc6690d78bf337a5ace0b205cef36ce44c4b94fd17c2c0b998b0c9272fdcdbc5e8f156b51462981955d9c5bd6e18ddcfc7a71c21fdb1ba08

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
8096a9d0d348455b5c987fc2958b0cde

SHA1
3d90960aa34cc46f554cf2db48bd17918a4a2586

SHA256
e3efd5b510d11a2a46c131df9d1460c9760ef133ddc74063fae3fcabe6c23fb1

SHA512
6b14b6e5db35a400b92dc796fb6769bc8b0c46b9c9bbf85cca27efaec3b730ef12ab2b30d38d2381868dd4966f26cc43d8445502c5e674256e705a4aad13f171

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
319e4be774016abd8fb048d170cdc012

SHA1
baa2705a442df36931c83f16be995b793dcde8e1

SHA256
08ca50872ffa26cd3666e4d8795d2473ecabd125cfd3d7ac39dffff641fcc42c

SHA512
64d0993bfad41c3b56126f54a54df6978df0405ac3367b8a2e604d5a4fb7675bd17a278ca1c7a9dad91a048b70619be12d83df929a706181e674294b611745ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
490b43024fd939e4a21ba8b35047659e

SHA1
406ab145ad63b45952975f02103dcf94269ac6b1

SHA256
02604fd150ac901f323bf04a4d6df5ba2929db92c5dca3758dafe524aab3adc8

SHA512
136d9d85558ff3d01cb311fb5df2cf09175abe0a5b3418decff9770c3e9042fb996ef4038cecf8c990823ee0ca4d8d9b76ae8284d6973354a5dc438bcb061752

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9cb286e091e521866a7ecdb5e5237d29

SHA1
edcd9a29e4a89fc10828691b832afff993066c3c

SHA256
f754abf33a069a916943a6603fe2675600dee4cb4cd80c25212e510be0231310

SHA512
8fa85513afe796cca083c3d2bd1a58219dd8985b99bfeecbf324f663ce291c78dba7ebdb9339631ed4d854fa39e6697470f3bb99049304d7d626bd520f508665

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
e96036bfc5a7564845fddbee606afab7

SHA1
40c0e60594b0b07f8ba7bed34432b08c41e14b6f

SHA256
101f3e677f3ee050bc85717eaa1998d85c3b96bf7a24d2c0c80c102ccf715075

SHA512
e008caae21db89dbff5eb7211aa79df50ef1a9588c57c6a193b184bdc7e80f45d8ebcb3a4da05c7ee47a8f9248440a3d0bf7573260d1bc57aee7b41141a85252

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
30b9b6baa9cbdec9825f62b764da7ecb

SHA1
1c35e55405fb628e3fdbbc17a270f5014e63f513

SHA256
ee167decd7cd3a485cd06f880c8e4565b4c96716715468c5d1b40fbda2fbb742

SHA512
83c0e88675584c6df8caf7013a1bb04cf0574502a48a409b94062ab4e8b2dbb79dea9aa24aa340ee8219961f3e4d0f7eac6526cb32f783b6f9eebb156195d250

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
03887a0273607e165b3e1d01e77fe737

SHA1
4e6ea9994e181b66fb85fc8015c945e2789d5d09

SHA256
e7e9ce49d42b927843f04ef283123744ceac031451150e479153c7d107bf424d

SHA512
97e93414913ae87b89e4aabf6ba55c83011f76a5886d2c664594162abe7fca15ad201c7acb010579b6d605a650235282af9bc5ffe2206d423a7f770eb1d4cff1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
73a0dddf357eaca98453b0421ea994b2

SHA1
7b7cbb40777ef1894043baec448139b1a85aa116

SHA256
630c67c82f5826564a7816d69c32429e8257b0113a693ce4ede1687ca2e5790f

SHA512
061ded602cd9e9c88e9769dd543ec8656065eb388bae9c02f6d41abe6014cca3b49f6b4ad719e1c89eb57d320b427eb570cbaabd5c3e6e89866c889952c9f01a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
40a72bdaa9238737d0c38a81e0aea053

SHA1
e71be8a4355023e9e6c36dabba6860eb64c61985

SHA256
ade7af1533ff5a842aae43fd973d27d4600209e2458077563de99a64bfd1f44f

SHA512
3965d116d19f6feae4023ee7cd5cb9d517aca5000c31aed1b1440586ad1e16d28b652da1a17b02f384a9ea7cd7d4ec57d212c7a9f337bfd103f8a65e5d32d0a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
4f08bca993a3e7c3cfb1de7b97173f8d

SHA1
4cd20144143f9406d4820411340f08b6e93d096f

SHA256
576e6026387f959fffd0b03a44711a4ba2e007e6290f67c7d9104791a0350589

SHA512
e2c54f99b94d218113063d9210de617c234104c56eccbde038e22b71d4a7712aeeb1c855554bad42778caba35b23bd20b97bbc5281d5fb9cd018dbf2d419a66b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
51544aed7ab1d4492469d2be702d634a

SHA1
a58f635ddf138bd2855cc1efb959792dfcc610ac

SHA256
6e7ab769e92722edaaac0a784fc0459594156caad9c94868851863377b0df41c

SHA512
8f7de03217f5052e12376f195d409b4c283575f73eacf031513304c0b41c4c105305b51a488ad5518f487bb1720f6ba23faa8914cb864a915f6dcb9707980ce7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
33178da01fbd1f44f00fcea50f0c880e

SHA1
09464bfdbf8e0c504fe8616911a476b6288ecb13

SHA256
12849befc513f9cbea4a32e141b7790343ddcdc420e7fa906fffba28f46613ff

SHA512
70c1c403ba42c8c79d9804f3608f4944b8cb4ac04680f11337ad03d21db11a934e7d8a6bde1baca77cef04e18a435a4d8f0ec3e926b9a3e3ef2e3c194963fc52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
34ba840d476d3a90d547e73e586e06c2

SHA1
7db9fe8521d76b7627e9955edb432e5e1dc43e56

SHA256
8c4a812e07a012638bdc41d5ee7f554d9497a40984bf73d5da8275fb182b0861

SHA512
1ed5a3aaed54ebaaf940fa44bfe2e0c3261414e3e21ae999904fe51e78c3662e3e1422213affa9ea8ef1f8e2c878f6fc2ef7ff7ed1e3fe61cf6236ea720cf2d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
f1087c918e3e20f33467d669c01ec8bc

SHA1
b8634ba478a6b6a868d798c978111df6f5ebff37

SHA256
d59e388c784280b12d4cc00c024aa069f65bfbfe8ff1cd78168590e4f0131b46

SHA512
0ec62a28daca3f42aab4baf3127f52530067aa599fc3aa767bee64ccf67927dc26adb75c87e242c0eceac9fbfff9afdaf08441112bbd85376fe1def43285a4ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
4d210b8f63de14ec0601831f6a7850b7

SHA1
877c7addb75d42af8d4cdc43a1bcddb188f4d316

SHA256
68fb0b6bfa7841df3b8084fb1d1c5faef0e78583ad8464f3aacbdd1fd41114e2

SHA512
31541fa546802e3d5f21fa2f1a25ee8fd6980174a9d205aaa689d09f685026a31dc5900070fc078169468a93014f3aeeed692b42182a4e53fa38bc3c49273095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
947682957500452a571ef67274447fd0

SHA1
39f9b93eed6efffdedb047c7eb8c02e2630ec0cc

SHA256
d3dd04addb3f23160ebcbcc514d44e15a531c5c8128112ee761f6878a7462f6c

SHA512
7893de39b9e02f37799235b04b3630c58b4ed8168719dd7a5dafc6546980e4cfece8bd9481bbef9d090315b8c1c1ea19116abd302ef010b309057f39aef73b95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
ec1021b58145998a3d0ca50f05870f41

SHA1
1c2bb63aa631b7a6b60085edd11cd761822a0302

SHA256
4fed6f51ae08689ba19fa954180caba260f10f74a06c06b422a9e95d596e6b53

SHA512
813aad4bd42bba03dc3fe3fe313c6a7d95bf3fb485fd0cb12ed3c416d1ca48d70ef99c39f10238853ffa8f21835f2d5c60a31e158a17fbc94b3659a52b0b20a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
e95355414e090b36a517fbf8b1f17f58

SHA1
a72653423c126ed15c2a0d8ed30bc40f7b7ed6ae

SHA256
d4529b260ec492497268a5586a53c08a52b207bad1d8ff632e7540be4d3200c5

SHA512
fc51401ae00fe9056b1ce8333556df04664cb24ad71326272195bef00ceccb7c3302df70120c1c9c52cec6bab24c08ad4b2ed0d472ac504d8fa883f61017de9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
d1228b610cb481bd1bd252828fc19c4c

SHA1
ec93af3608519448884634c165f69b9c77f5ec2b

SHA256
ccdb5aff6106a7e7afed5c2fdbe026ebea1d51e8f34ad4a382e5751508d1ab6d

SHA512
dde66ba8b5ec7bf5b657b82ea17cebc330e4e506151276d826301d27e8f7c247ff4650324927bab3bee370a7d26e4c234bbde6c6de9853784e4f787dac507cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
a63583558111653c47fc5a9527928dcd

SHA1
8a8f2c1debac66049a512cfdc19a1b0bf19f00b6

SHA256
9bede96df10fddae04e10f4908c03ba800dfd7f68ce96c13baaa88390003a374

SHA512
3453123c25a7bd70afe0874956ae33673438c1cf39806f21eb57f4b76d3356329f1f2ef4acf12a54a8fda03ee5ee028db139898b20f2347ac4263feb31897296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
d68858aeaf610e23042a3aec847a2403

SHA1
6146754adbbcb4942fc83701437218918e171140

SHA256
6cc87131ebfeae49c6220c8c375976a7f78b4c35c62dbf6b36f636ceb6dddb93

SHA512
cd1a65a4440b2e7de1571a2eea207b3eca3f2ad0bdcb775a9fd82883b3fa1498589b552ae2dc68dc03868bd2e1da37bb19b4c768132fe0419b0c96bf1117c99d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
4f645a13afc63a43d4e2e05ed55eb29d

SHA1
01ce7b68c65e113cd127cd6030b9b470fdf10948

SHA256
c87a29dc2b6d8df591afde158f5066010cc699ee978522177a971d52836e8205

SHA512
0910ea22173b658f8bc60d6c040315635f6b6a497d73a8dae4de0f1044dde50d2a8f6dc67898797b3b396da86df4be9f5f5cf0f1f9a6b864764446ab1a4ab2af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
0b800731d12a191700e667d1be75e8b0

SHA1
59c3cb45dbf6e3fe61d3bc6c1e709cbc0618f20b

SHA256
aee4c4b92dd83c1cef70de5b1c9684271839880c3ae349b68afaa733f28a5968

SHA512
7584b6f70a34e151f7bbcaf1e780bd6a44fee36cb3147cecc4ab68f45f0629259b9e17af950bcedc451c2cce12b6aa7af2c96695dcf2d4230bfe1fa3bd24f5ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
aaefd06c46c8e73f7c202616007db4ad

SHA1
2f93251f194f2e95b2b77f8db9d873be7ddaf790

SHA256
1b6918fe9ad17a0ae5ce383d0d7bfb4731960e27c8a5769a89409ed53deaa59c

SHA512
25964ed59909b1e8c70e864f5efc2a20a4dc2035d3e472f682e59ea6f3ee3e7da341390f354ed440435a237b40c80f4119a8eb04ba42cff5529253cd8c322143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
36ffcfd9b74a9cc481e2fba96bb6d742

SHA1
e257ff6bd0fe1786e6bb13b291785fff54059f34

SHA256
629cd8029c687a83f07c03184dc88f45106f99ebeb6cb433bd5fb23c5cf62c9b

SHA512
20f6f449694e61988856f87272080d6c6d5b07c6bc605bc68626bfec605662f61fbb807d09a28d1991bea525b901182ad7e828a1964415c8de4ae5d702321821

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
737a415b501e1700ff99fd28441a0771

SHA1
0e4a865529b1047a330c9d1ea96b55f8cce7f430

SHA256
c34ad379bba46d0c24d9eb33c006be8eb4833f512429a9ba7d03b041fe9b4baf

SHA512
f8a168f93e594bdb8856d572de6d2b1b205dab25dbba9608cba98b9960fd8e977f8d03001804ab0c086e17ef89253d7f97ddefbb5e1ed158c300040c9a2b9db0

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
cb5c7ca606a2411adb22512f5660d22f

SHA1
53f182eadd870d11e8a4d57db4f799d3cdd4ebf8

SHA256
83bcfcb68a3267bd651f233ec54b749fb5860aa94f255f1a7fa514ff07208dc6

SHA512
f08313e1c9eb0d58492116390aaf385749c381d498a6fc10df4494e99cc719bda202dd2c343be7f292b29dd444a288db35091ea1f9f16a9668c96fbc064a8f65

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
a47995c40b07e7e3e7b59e9c7a9fc37b

SHA1
0fc9822061a30f5c673cb600e0bd366be1388edf

SHA256
f956c7b7da8885a8e57be88173afbd35c194158c07e2b49499e9cdcea316eccc

SHA512
544ca7a7ee27e88f0ecf46a8ab5b80ed7153dcbc506310efb511a0a931d6205681410a4a1553630768f3f0a316bd826b8a1ef56b4aea2cc0527e5e97326dff6f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2b6e51ee9e9fa4034bc02eadcab6c3e0

SHA1
3f6ac4f037c1814de1959b0a34d8bb8e8eb81bdb

SHA256
a32711b033a5dab515377e064ec9b802bc8533f5a86dd9ac65c72ad79d32e9bc

SHA512
8071f2bae0b2aae18a8fe28ae82f0df508fb1b791d7046b9b7d0af00a2531cca1b6e48be5e096e0133ecf9a4dfebbd73f6f00a81a8c06e39d38dbb8c7d834217

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
ff4ba1e1b64aa37504da9bb37a24e17f

SHA1
fb3fc654f443baaed3dedc35fc69034bf4416b03

SHA256
d003d518032200fc1f46ee80072dfff5c6139f906ad10d096ac65c78d57e2e57

SHA512
23e03fea5d2897c2da91f48ee205f401f63e3dfdb39a53222c935302ee295ba3498540b3c33414b49c2d651a68e43f4fc9c61d524f1f4b8c11cefcd3cc25427d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
32a09a9787c60675a6796a75254d207b

SHA1
3dfe5c244d7c55777aa114f78da06c2d6d8d6aec

SHA256
18da6ba031ff247271c3ed49f2c5cafac5895ef80e69eb9ba946994f164877e4

SHA512
f65c205955d7b5a8bc9d7c31ebb1376af162fdf9b9923faa2c8ba030205aeb87475e629c7b58d4512b2f3863efd524b9f34050bfcf6d54393c45c900211e06d3

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
7e5fb2e438561a3078b662e648da17dc

SHA1
e2a0511de739d9277f78c98cfc9c657b547d0b70

SHA256
2ab430c4522eb23846c0252db288e07443579f3b2d52fc815dd90c616c2cbe0c

SHA512
0384fe41ce1404df8b8afd049dd75cfe7186cacf9a5246a691fe22a8a755d36547ebb9c89fd5d5dc21d6996e2420e341229400cf9aebda4a7df42a38e06da5ae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
2d32159fd79c176c5b5cec9d4615cea8

SHA1
1469f5e6e7cdc7beb1369a35287fdbb9e5dde56a

SHA256
15521f84762ea2ad2c61a7f9daa3bf73b5c57ef1fad74b61ba23906e7d221834

SHA512
0981253c2761589d6b8a7c67625cbdf972796fd3c9b14f38d4a80b2b9d803c07088ed1f0bc009b5334c19891e5618289de70222315a61e6195a582db091cd592

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
abe4c10aa88ceeacdacdc05087ef60c2

SHA1
50c3919512eee7c9a3cf7b98b2a5334c47dbf4d3

SHA256
21fc361afcbc7dada5db36f1c0c2b3c64d762ce4823d437e13e9d5245441d822

SHA512
6d610ca77d46350ee24314ad3e593564c2ce8c0052a0594cf3ad50ca7667040025541d8f5f7116a39a2ecad9089a674fb3e75abafa6e56f22c4a5f19572a669a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
206c0d27b976a8282d9f92b07d6f130b

SHA1
49af284b62650fc0945341d94e49cc93d7717cd2

SHA256
92031b97b2fdd252db9271c215514edc40e793770904a5f25dfb380a24d5539a

SHA512
47bf3e231f508ed5b84f4813dc61e586ef424da265ddb7f32a86581e46353208a3224de8163bdfbb451bec9711cb08d770fc882ff33396beba9c434d49212b93

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
730f3086e36ebec240ecd512a9a36828

SHA1
1f9a0315a10d9f690bf6d94494f004d7912565a3

SHA256
35fc0ad45174cf344b8bccd79428c3a2ef89f01be6068fd849558a83a6c38033

SHA512
5acbdd899aec8d8be81e8c93bdfd76f0c4a0913ea0565fc9bbbdeca72dcd66a30c44c2805e742629b37affee9ebd1a2532664b084966289612913521162c550e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f2ac185735e60e42e4a4bd58149ddcd3

SHA1
d56d6d10ceb06de40f5cbff73a245a4765ee97a5

SHA256
8e1b8bf78b6793344f79b91b4e9bc7048208fbf0882c207cb95c4edcdfb9f524

SHA512
04399062cff91027066d0d277e7573744b3b1a4fb4e18ec103a9f77ed6f39f3523f5981f7e71203aaf63617504877a438c0bbc44488fac35b7ae03a4a8b2b7bc

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
54fa16007698910f8573c67fca3448d7

SHA1
61f4ee32b1b9ba564771d37b9ce2f1830b36c4cb

SHA256
f016922dd9ddfc97c857a2ed27dbb1c8830a08dbcc710aa0a2b4d309fcbceddb

SHA512
623d5bdb751d1c8d0f4b9dd9730f469d5ccb57c74a5a66b683f5a9657630e1f899f18a3614e9bc4e6000ffc0d81b0ee7692f190587f55932f9b822c7e2393785

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
cfa5c3c98dace01639b3a986efd44ca4

SHA1
400317d8c351d001fa90388cc3f6c0fabd312ed5

SHA256
48f83acbab566094261e42322f9e07508f35c72641dc3164dd789a6e45c2a8a8

SHA512
8522e6dd807c4b8c06cec8219fa03eb706be4d20b40b4a497aeaadfd8b008c4af41926b051c7079b824ede12e59d9a291aab87dd0c40d0cc1644842769f4b02f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
1b940ea91e8f1df59d30d7a6fcef7533

SHA1
3863338d520cba41437b84169dd2e24862a47525

SHA256
47b8d1ff5fffdb5b3cb85b14ff6d95db9af8ac303e03dd1f002a39640e3eec16

SHA512
6d92cabb550457c9b1fc778a4e6f18853b322a91853fe6aaded0d9a532bb016b538c9af7bdc5478abf29361f573b2aca5d134eacabd3ae906532f349727c614d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
0f206367a255a0c5dad04d1af83530df

SHA1
035733611b8fd4836f5df1ab0bc63ae2f79d5730

SHA256
08c60b9183ec41870f1e58ceed6095a0afb71e658700d909f8f8816ace33d90b

SHA512
1f5c4d6ed05bacdcca02ac3d90690a6bbb59fa1c5c7bfb5fff3352b36e82d4d5c837a0be047b1023f2bb95828636933ccbb8f2c61e41ebe9f612a69bf424f3c5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
aa13f47198ce1bcc368aaead2dd92362

SHA1
5abe8404b29403d3d8efd86eee5708d99d9df8af

SHA256
831d316cbb381e4f8d5f084cdef85d43f453de5119b8745a2968ae0c10c350cb

SHA512
7b0329e7225ca9c0e376b15e2967188d035850685836aaa06cca382b41148f3ccf53e13ba5fb0e5c12ec2016099de28dfe4cbc57c29899024faaebfca4afde40

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
54ff04a8801d7d4d5bc62a377e0e25d6

SHA1
3e7b2c656e69c1eb346c8d3b856c49ed67ff5eb1

SHA256
70c04e96b6ea4c93840ae7fce04e08e0c21c374d05dbbd78874ef3fb13887311

SHA512
78433d04da394930c4ab9a62c26bc28818a4911cbdfab7152add542457fa1feb2225ac2d467ad8cb8199643c7025b2bc73a3f3d004e640b2b074f5b25c6af12e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
1b6d0ca2793eaafb80c9c99875d06426

SHA1
83d907bd0f7e2b6c2c1a0424eeff8223ff37e231

SHA256
0548000befd4912ea302d87fe8f3e4339187399be85ff43f321834b93bddb364

SHA512
6adc5dfc20af30da7ec0024de42d7d9eaedbc52e1d54714a9d3a2f02a618655d7ed576e59e45be6f2f2506ef033963585a48de745a630f2dde9955bcc9560ff9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7201f6bd77666b38494f088258261746

SHA1
6c67cdf5722e7e39413959ec197e35f9f24279f8

SHA256
a3c787842f2eebdd34c15d34708000d1ab7938f7bc2b01324d6ec10939898e61

SHA512
dd5937185b021c1f948478a82c13154860327df3a4908c851fed393dff3e99c32e497b4f8a3b17f4739c6387bd7333379705433304d6d6a3767a30abe6e9dd26

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
89588d883e7c7cf3aa03f0052b5aca79

SHA1
4e18719df9694e56c45ad2ea4faf95f850c0d80f

SHA256
797541ff5b37c316cbfec7a55cec26412dc45e62403e0fef8948d1a64702b3e2

SHA512
fea631a6d757e5f3712cf893c4224cbc184ad4366bcdaaaba578e8b594279bf9f1a4b0d6c5362073e1d53a222b68ff4639cdd64bf4ab6e726d1d62ae3200ede3

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
ccb582d2038fd9188347b3416fcba7f1

SHA1
a856aa1d9c01f9277bb548eb88aadf5c1b57b317

SHA256
c88fa325b13b7a6f5e84bf3c7a2008468f5879f67908e14eb8a597a35dc736f8

SHA512
4e74a1ccb704fe099d621cc235e1433edf75f6d9a732f48ba6578b07316f4d6ea0910a2033792cee799f6569d55283595fa64950444eab75b1cf85bbe60cbb91

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
06cc4165ec9ba9715028cdb3ab9448c1

SHA1
ca32e743e2f5d67b3c2bd41b83af8d731f982669

SHA256
a207b55f4c6f849929385fe75087fd923c5bc50c7b8cf04b9b237f67b6ffb8ed

SHA512
223178300b4647a57a13d3eb8dcbb8889b6d6d60a04d5b4f6d4f1873d685a81593219a216d29fc612f689adcd08527d0e179033fc43d451b158d3f97acb64185

Download Submit
memory/220-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/220-556-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/720-33-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/720-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/720-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/720-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/720-144-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/852-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/852-13-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/852-22-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/852-129-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1160-73-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/1160-9-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1160-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1160-8-0x0000000140000000-0x00000001402CB000-memory.dmp

Filesize
2.8MB

Download
memory/1228-263-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1228-555-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1504-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1504-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1504-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1544-141-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/1544-259-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/2308-201-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2308-477-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/3004-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3004-478-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3032-446-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3032-157-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3444-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3444-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3448-514-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3448-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3528-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3528-192-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3528-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3528-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3928-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-104-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4088-223-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4196-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4196-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4236-51-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4236-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4236-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4236-56-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4380-83-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4380-88-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4380-90-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4380-85-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4380-77-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4408-92-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4408-103-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4520-230-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/4520-127-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/4628-132-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4704-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4704-63-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4704-40-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4704-47-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4704-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4788-181-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4788-476-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download