874fb5f9f6ed43f07cef07c4824e82cb4c6b0b490a6adaaae57a64e1de33491d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
Size

1.2MB
MD5

5ca64eae76ba2befca3069f6a8012880
SHA1

269a02785fcd14fcd8d281511175b08220b37d23
SHA256

874fb5f9f6ed43f07cef07c4824e82cb4c6b0b490a6adaaae57a64e1de33491d
SHA512

062487de651eb39e5ea0b1f12f145d830dd62ed7b791c3ae52aca0a92852d70b1beca97e635a4f955df0fb9ba6b75d4f9377dcb796525df46a7e4178019ad4c1
SSDEEP

24576:1yhYW6oivxbvbVSLKCdFB2YuEWB/3wgQZlYatr0zAiX90z/F0jsFB3SQkg:18YlbvbaNFwYG93wg7aB0zj0yjoB2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
464	alg.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
4548	fxssvc.exe
864	elevation_service.exe
4644	elevation_service.exe
4304	maintenanceservice.exe
4764	msdtc.exe
5096	OSE.EXE
1616	PerceptionSimulationService.exe
1360	perfhost.exe
4384	locator.exe
2088	SensorDataService.exe
1760	snmptrap.exe
4688	spectrum.exe
4760	ssh-agent.exe
4840	TieringEngineService.exe
3372	AgentService.exe
1864	vds.exe
4324	vssvc.exe
4288	wbengine.exe
1012	WmiApSrv.exe
2368	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c00344c6c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ca808b524aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be4506b524aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e122b524aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000407f20b524aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adeeb1b524aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003aa0c2b524aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000473112b524aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe
2572	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4824	5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
Token: SeAuditPrivilege	4548	fxssvc.exe
Token: SeRestorePrivilege	4840	TieringEngineService.exe
Token: SeManageVolumePrivilege	4840	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3372	AgentService.exe
Token: SeBackupPrivilege	4324	vssvc.exe
Token: SeRestorePrivilege	4324	vssvc.exe
Token: SeAuditPrivilege	4324	vssvc.exe
Token: SeBackupPrivilege	4288	wbengine.exe
Token: SeRestorePrivilege	4288	wbengine.exe
Token: SeSecurityPrivilege	4288	wbengine.exe
Token: 33	2368	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2368	SearchIndexer.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeDebugPrivilege	2572	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2368 wrote to memory of 5628	2368	SearchIndexer.exe	SearchProtocolHost.exe
PID 2368 wrote to memory of 5628	2368	SearchIndexer.exe	SearchProtocolHost.exe
PID 2368 wrote to memory of 5692	2368	SearchIndexer.exe	SearchFilterHost.exe
PID 2368 wrote to memory of 5692	2368	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ca64eae76ba2befca3069f6a8012880_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5628

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:8
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
0dc107fbe1ae36d9adae77ab0c3e3853

SHA1
7bce7a1f0a32087253fcf299d2fea1372b1450e9

SHA256
b281f9877a8b2d0cde0f27d8728c61091a6c7c67711b7cecbc1f9867e64d0261

SHA512
251805b7c3d4aaef96b36fd3404f12af81c021dd42e9365b34d236c52de600740657c31c7c67cda4d50e4667feefa39fcff4049c4931b66b7b1637e82abd843d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
6472f40bb9b88ec43f78e203f219a7a9

SHA1
07e367f903f14214ef2fb8a496a0a332ed38aee2

SHA256
504c0fbbd113af4117fccfa5feed1d966bcc5a3a1fbc1bfe554d17cda8c1319e

SHA512
c9dd5814e40a032c810a6c40fa996fae46ed03047fa7fac90a3001637a1a3a17a6e69a15c2fc947490f1262703117dfdb7c8a11d59f6b95f44c027c2133d7a83

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
f82affbd7ccb09b29482b80cba399c02

SHA1
f57e27560d3f3e44d92fae05e7c0a6f7e9ad6a22

SHA256
ef5da0addf0685a784eecf389e47d07b03a70fafed11e4ae691ed9a63c9e404e

SHA512
b24e19968be1e8cbf3484fd90b17a2a2d89da3d7fd16c61c636c9d70b574712f6f40d3d50f1ed3d7053f4f9e07457bd21c374a260661c82e41e4b51f78dd7617

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
bb86e2074421b1e0ac409a1197429eda

SHA1
2eb0d681239c5273c4dbd3f0eac35b10f959c1c4

SHA256
288d2ef6ebad4e2cecf6f2003766a9e90923a5bc904bf44025b78c8c7a2c1ec7

SHA512
1048b67fbca98e262948eccd218d7422a72f84ce911cdbc7af901e087b9a660f07ccd764c6fcd723bc3b1022202ccb467fec27961fc4bcba16558821cbd9d1eb

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ca0e51dda51910096fd3486e286f4776

SHA1
e2d270e8506eb27c914a9d67d0871effe09b10cd

SHA256
18bffca2808f93358d1cb88fbd9d81da241f599162bbcea00949f5357e331c96

SHA512
b4cd7ea6c3326d39c6204006c38a58708eb25e14fbc365871cde02746e3a39849acc5e6513974efb1809ce6f3a930fc9ada1c9e9f5b8048473db6f512c70f1b7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
142cec59ba0005e6db8f4fef9db6977a

SHA1
5476217a191c79d7cbcdd4a1fdaa533051696881

SHA256
255d84f56c52f037428868252d826767af50c4379bf38668582d0917cb669dec

SHA512
c268516d1dc843af49da313cd3da660fb4986489daa63efc7476e4a62895a1b08d923ad62ba94aa8864c5df6d5d439f8ea1bae0fcddba8f863fa3cd301732416

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
d54338b17ab75aefa0b9f1f8cd7a3162

SHA1
af5fa25c167b6ffe0b4766057936c4ceec9ebe7d

SHA256
4fee34ead35de67c60ea076c0629bba70a0d45db88b19be919626b171eba1b0f

SHA512
c96dbe7557348062df2a22ed7d0d45afe4d26223508a71ab41aed2af64025fe628f75910078e435318c2227feadee9c45a70b80f9e77d1bfaebc1dd56ce41fc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
731a255f14753c6062c17d1fd5a6adba

SHA1
ae13a4f03de282437695a25e303bff18b7d0e80f

SHA256
0a4fd5d29151f73d1dea541920759dc475d6954736f2a4660441a171baa01f6f

SHA512
330bb003c13ae04656670db9ad98b5513953983dd8424215e4d9ef801a3f12e57aa6747360839857d449fe2e7ac6e111d918a1e045cc6607e2ffb81330f1326f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
4bb2cf0764fe39e8e2eb84f5b5ce190f

SHA1
9f380556e261112f1616f9d26a04c15fbc5ed69c

SHA256
d3bd5e24ef12a0c4088c389bdca7ee8ec865909f526178c3b98bcb3e34c596ef

SHA512
b84c3c2d7fdabd17b0eb1d9e0aa705ace39f6452a55662e9c1dd04d1539e02bc2d17498b9ad4a03fd057201458e2f1ba5c6d56cdc0a8a0e0a1ef93c63c45cfc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4fb42368255a593050a47c3fc825744b

SHA1
bd74c6ff7e5a24b4c154c1402a19f5e46644b6fa

SHA256
9accefd8acd79a4f1ab1c508eaa31a4d82fcd8b587123ffd436ce3e13dc6b00f

SHA512
0a7c19a36352b4dc950a2c20d57b74ab1a72e2c9f654705bb0e0905747ece43ddb000886b1af60358afe7baeb8a8b142a7e3fd28aa831d61f01b71cd1105ea2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
feb64df007083f82f574561491ba5b7c

SHA1
7987e15d8b0fd9e1c2e6b8c3c60f8c1f21c1980f

SHA256
cdd0ecdf7827bbbf9cdfe5018d653ba34fec6b168456ae988264fe2e263ed0c3

SHA512
31bb04ce7973b704f8ba715fc0ef617f2a2a614c47430deca2d173f9a391868cba023c8408018e83faec044547e1fdd52a0b67308591b14765f6d3395cb2f9dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
4582e0d9de7c1b375fc16bc0e3a37b06

SHA1
6c0ebf3632cc4bbeebb2917624e7fae0245912a2

SHA256
2ab346a8138ecbf90bbc1815c5eafb6028d00b8a6fccfad14702d3882b2e62ab

SHA512
3c556c9266d75f7a418e0b530db6513b914e190df16466987ff259b364718b3daa2f69e56b8af9e66896a98bf8f5efccb46596fdc472d6535d0d77e31f5866d0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
753bc61f941576528f612fc3e4cfcb0d

SHA1
025a7bf70dff2b60c529359333918b377dc647ec

SHA256
1f480154f76c73c50feb0dc45cf85d2ca8285638d95ad1c0ad81b8431d682c94

SHA512
4bec2efa0e165a9fbe9c73028919eaee73d5d1357f61e941434ea711dc3cb6cca52ced2ecb09eece08f3cc5e21a3a5b8e664bb9a87bcab664843a370583960b3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
82d6a861c8cb2312da89ea9f8fa63ac4

SHA1
b8c5e6639d0f210d0aba6b6cfc1d512031df97b2

SHA256
8a03b95283ad69dc48409a06332ccc1e6373e58013553244e41302c9013a5bb0

SHA512
abb7542f940939abb66ad30924a8a9d10e6bf07d78a5b1c6c0a626e5018be1cecc0e6232cb340a805b858cd71852ecb51a8ded20a94cf61509b115754cb9d266

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4c12c946a14b7c6926e4b9bb13524964

SHA1
270ff5b87b316febe99abb629c245b7ec938b757

SHA256
f10a6e153018be2eb0b6e6b0aca221224c27f1c3842e8bfbbd0505a091a2530f

SHA512
51c9eb2b373db2173301202d7ec226c300639cb658d5ec2f16a8dfae2dc6fe5b0620730fd5b2f93645c52ed7341f88f4d0c3422c68367c68128a37bb743f71b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
a04e261e744ada33d3fda0bc61d18b83

SHA1
65394a6161717ff7a99e33450ef0cb6ca3adc587

SHA256
f087bf7ed5e30e81c9f0210ea4e660806cd159773025fabb584f00733ef0f05b

SHA512
ec533fa0c306111de6ec067ce498593bc6ab27588577ecefcb27a351511470c5141a45c9a8b40ed6b94b60718412a155a73a5dee19ddafca5291899ec56deebb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
03a2a7f6a713785fd48941bf1ea70238

SHA1
2486cfba6d95c5d24cfa2bb647a2a02f397f1e8f

SHA256
e33a4583895151f67e69ddc7061f2721ce61a566f8b0a31f31be9f08c65f0361

SHA512
5a142e0951795abb72fab94fdbe23171d23affff9b14bf78dcfe2953ea1b3be4ea47384159d755de79544d8b4b2cefbc819b45d4a4261690720f3684d4401877

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3c32d8baf1d7732122c31b3f32aba6a8

SHA1
a80c27407550f9d7321bead9bdc3781158cf4842

SHA256
6265f35704e0bd465412db762ce8a51af37db7783aab5e2bce874c5bc39f4433

SHA512
f33095b4b64dd0ea2b99e65bb0f05677f4740fe355a563f859814374e04f3bd21ca32ba3e2e4c52b32d7a5acbcb15588814e63fe9492fb954097f8f0af9b7808

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
9a35a776cd0c61ee02e4468861723632

SHA1
90f6bdbd9d8e023709a6f658fe8e0e4176deab34

SHA256
eb5eceb7f956916be73a783b3256d1e697a7ff4a27b6d5308ac2ce0dea5fe4e3

SHA512
5b8e6403887f71c5a70e7922513a68a03c923762fd89763dba71ecc7021b63bef624a6a51e84118ac2628aff520cc8455e24ac3acee9a933a16810227aff3618

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
89e7f758ad89177a3d01ab0552a07cbb

SHA1
3eff3ed64e2aea120bbd8452d6b51cc2c91ab5ec

SHA256
7ea53e3c7c0a4f315dd9583bdc3eec3f62f98f59d4b9866d4785ec0be4df2a18

SHA512
5797ea91b956f59a901aa280328c9a1179e5988ee37b0d0c2de9b028a9087dad5aed5ee3158aad0789a70de219b5bed7c7d2664e29c4c89b5f1fe7f2a18517bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
6d7b065745869eedbc13eea59bb34d1a

SHA1
088a29d467dc081a94fd84c03c552b2b405b0f67

SHA256
6f3ed6f5b915ddc35de0160c99bc0c535e4495467b1506fe8adbd43eca3d8eba

SHA512
5c14377a58ddcaa8e26db7beb184d0fdc264cc06cc6d51fdada9ff366423e796665c905441238231e818870e4bd9c28d3d210480ac5961d819793651adcd0441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
ed95a9e5a4c27b9d32a113af112195c4

SHA1
58457bacbd9cbf11518fb1397063c11f965392d3

SHA256
ab472014718a43266df81347ada9fd09818ec6748ec6bade53cac0b28676f1e5

SHA512
6f7768318530e2fa9d9de5339ad9d095ea1ac02288af7551a83640e1774e1fab0d8fb321d91ec2e872458bc55a5bda5f7ac86cdabbd6e6ab91dcaddb14a452e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
30a1445105158670dc2eb66410c2832f

SHA1
49072e2f05a7fcc9a15517cb81120a62390740e8

SHA256
65d860c067194205d464f3070bcfa477002cbac5e0afb9fb6bd623ca93183b8b

SHA512
8423c4febfe05f47cef5cbe031f7ecfd49eab322029c17ecfa8880c39c47ca6a6823412e4ed8b68844a39c070f72debb43fc5ebec214b3ecd558534d387689dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c93ae4721ad844555d2fb696f9f77f64

SHA1
b4186a4f8ba8889e4f262ff797e0b747fb31ca3a

SHA256
a8289e81f94330fc6b1483c17b80c086dc3c35b9aa130dbd056c94a51594f3c2

SHA512
ab51d434f06016b170bc81047095f4e812438b9e2c4b998211318d34df247b47f9e1489a460d6244cd926ddee87864d7477f636fc5a613589419818dcd106aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
4e39a917f65a9172e75842a3c674b59c

SHA1
829ef35c5471dce129eac84971ace58140368a23

SHA256
af902ed84550d2bcd84102679a8343d749c173b6f66618a899b4d5990303acc8

SHA512
3dbf13aa7699e88e6082000e33a3169c8d61b8bf4e81a78785f54dc2df5d5e3f5b0dbf0a81dfedbb35da94cef88fdafffdfcda18eafd1128a6fd290d247c1bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
d8aac0569026bf11eff879597161fbf5

SHA1
154768911058531a083f5676680cb348cd77376d

SHA256
2b59f6be17031b637ff2daea022f95f03c8b6534c0a5f92180623d0e78f3e055

SHA512
3096c86683337644a06839098f851de4112a91f983500aec58dc84dec0c555853cb2a8c6cee67cb186af657dded308f48610145853adbadbda0d5cd5dc89cd81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
582cc3b9fd658ee1e9902fb5790ca196

SHA1
923762a733907753d18b8e7ca40df3ee0c7416ad

SHA256
3228a380da7e54e177c36c8b35e9d0f89efbce90dbcc3b9f296684ada29809c6

SHA512
85ee815636faca7ab0ece0ef909018764ac223c5ddcd00125d6590ab5ab69531c6a55a24aacfb0afda84e1bda5a94055b967cfc10b9b35a4dc0a196e06f24778

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
929f6f379baab79c49250eb990f0e975

SHA1
de5661d4bb03ad3e91674baab3cd33b1ab446533

SHA256
01837492e83f42e2d96c00fb96e8429689e98ff2a40cf1dcf3b5752f0495127c

SHA512
1cd576b54faeb271d1818e8924ab4cc0246011ed4486b56408ee5ffc97be61d4fdcb947a7b3e88508dfa2cd8f035afff20bad5733826452db74d5f752b5bf8de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
534b46f859d6cc9cfca8196dd98f781c

SHA1
cc134db1053225220d838530a086aa8fcd670ccc

SHA256
d1d3cd395b64cf639f8b185f044030e71fca51bf6d6edd9f2c8ddd7ce20c121a

SHA512
70f539b8e3cac83638fcac5f0f937cfa94facd74a6c233ef75490783c27f70edeace279b146152d501e4b502f6dd61879e47e1dd3606d9e27063dfb54e78014f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
41464ec94169f8bcfced6906b25011b2

SHA1
c384420f6a1733a2e36a126d4a26ae66f8c9aa64

SHA256
26d9b7010e9ad8aacea67a41b431158b56e79bc75c37b113dd25a6c8eca7fa4e

SHA512
8681ccfe98d08a1e30634961b284aa0db0ffc5a05ffd5056a490117db1d02d86a766bf7f801d8367578f05231fb5b0465efe06c3c2a48a110d86f4fc498435b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
c4fc8b220b7863ade1e327c9ca0626d6

SHA1
c2feca75e006e63003ab06c30c58472500a91e4a

SHA256
51e5f4a6eaabccf359a0384a9c81881bf13b948b56608c374d1f04a905ed0de8

SHA512
42817c10665ca321e7babd65abb713c6ca71814449d1ad51a755efaddbfb1141a2f12887fa8093e449ad2bf970bb51a820823ac98f107138229089b802e87ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
b19df7016dfe4ae455e7dc9e4e018c55

SHA1
76f76b168137f95d0a461c8867413cab6fd57160

SHA256
d973bd4d6558c491b3c32e1b0e50a25b1f8baa7a2fc3b47dfd095c6962b153c2

SHA512
2eb81247583a7b598d9e71594f561d90cf098fd06a87e94f66f503376e1246337b0d3f9a1b77098f5b8c3040fc9a798c7a91849a1e5095cb7aac636949ded60d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b3950f55814b70da3a0822995ea23f6c

SHA1
634abd7dc12a841d1afa4508f49ccabe6d265750

SHA256
05e6f8bd8f0527d5e5205beca1282aa90d43644431b7cdcaba9a342076d90d02

SHA512
8850aa7173fae5f30739077f2dede011518c76d82872cd4daffb527074bae2bd92a7e21cd693bb4e72b831ab08cba744559430a56ac9fd81cce7085961801271

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a8536141cc4ba800159c1f82e0e541c2

SHA1
6356eb5737fcdf7b62dc4e65eb41e0b6db442e00

SHA256
9648250c2ea52e9eb4b21b5911822678d1bd0db07683aec04657ee8b0f0e9545

SHA512
3a561d9c6efe8d3b44e300e041db8f29fd2e383f898aa56a9c43bf5552b03c7de60c0a71a4ebd0c26918f80af9390ee87ed99c4de853c19c43caed5f5598af68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c719083bd42a37ecfeaa37d07254442a

SHA1
a77cf30321d7f361b6444812e488f300adc54e4d

SHA256
714f6efa4b27a6a6a921354b6b6bc132ed4ef467938e64832c038da6e93d6177

SHA512
32df9e28ac4e467f83f272260d68e9c03bc92dc9f5ec6735f1ec45c5094dd30a228947d37a45e130a1a766f6627bb7c1f92c50811355d253cb0774d64d413818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
a16a3976aec1a0f77c028f0a5b23d06d

SHA1
224ae21fbc3244248810e465fa53c4422d97886d

SHA256
8948511883f9c038a467f74dadca58b2f818028cc3e80d9019a9ea10f5acf3c9

SHA512
a1357c04d310ecc566ff7c4753f0f41e24dc171d632462aed1b248f573114c721d98afe82d37bb63fe062cf211c24972f6d44ed5d532f9d2dc492508840b568f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
6196391d93aaeeb3c5501b22203d0023

SHA1
34b3a180d8deafbce7a2695c2bbdec7bc6a0655c

SHA256
bf96f01454810d49396b76dde56a6b57d2ae2df34b9f7518484c88c3d2bbe452

SHA512
a73c278e83e953a624dd676b01ecfed669f29547781df02fb460cacc6a2a9e6f9677e6af22aca83b477540170c832900be4209c0a6d066efee47815567fa9dc9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e3cc00bd0730cac804fac91fa3217e67

SHA1
45bf7b0158a67a4601506a394a9122518c020772

SHA256
211b0fefd3f70d46dc0a8f95627ef9b34965115357ebb5581e49c3d3f45e8599

SHA512
ffaf35942ba466ea89d95d4b390a8b7916a4babb76d73948de140fc81080d969b8867a2efe726828484487c23f2aa3be933bc64c8bf955c0f615fd533b4768af

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
388eabe1ea1a19a6ae39d27262f03897

SHA1
8bbda601a44326528b20a9c244de797b8114cd49

SHA256
97dfe56af3999bf94c0e6c458c71f8721131c9d48a74f88f3be9f3af3d37f2ae

SHA512
881ac91c4b5efb01b8a26780382bc721edd71f593cbe93cb92d0459a5c61b8c2d5be62810ffc3c4572f04b40ffac64955041d31ea3169b16f28be65cfc53bb56

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
584394b91d37adb1c0ccd58978d67411

SHA1
971e88f6fe0331d45e10ca3407f771997ed4f141

SHA256
b5b1ced87efdc638da4b73ca81713f57e469abc169d4d1c9c2a6bb703ca1c8be

SHA512
c3928ae7784257dfe4b88831e7964c17e37f003945913cb75734a8e577f2186125acf71f6905c3f765eacf120c1c1a679567d252380249986a24604f1a43d2e2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4a7c963495e5bdc170cf0914cdd0a48d

SHA1
cbc3a5e5d1376f60ba92d595a2c2db4619969eae

SHA256
f0332d6957f6a6a08c404164a746c2f7ebede7b353e0f9473d85bab0fa2ec89b

SHA512
bb349a72ba0585cb5f875f926190d6253ba827cde43d42df1751d7709287702bfc636c68d94d0fbfcc538ac54ac732be2d7b5ad7d041510dbcf8884d958ef264

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5652015ad8b8c4a4e3c4599d38719776

SHA1
2b439a6f6dabf47b30f7f9840322a145bdb7a346

SHA256
da1dc789cb9abbf444d648e829971949f5de291a463ad4b7dcc163473ae163d3

SHA512
baa26452b4b0da9afd88bd6310de533a83822c888a8e42d2894ccc7940b585cd89cfd58cd5ef09b019da4fb693db13afaa2789bee182418c64736d2ace89f8d9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
344bbc29c4a4720dd92cd82fd752dc7b

SHA1
d078627e471e4e8fcc1b49fc2e328f78be7c4d26

SHA256
8f5047eb666bf4ca0aba32db2a41fe2643b225aa4dc765902e9d4859119f82d4

SHA512
4be4a6bb6590838bc6f8cd7be890b905601f8387bf0f4e3ab3cfd0494068d6e75dcee22f57926647ecbc139ae80e59dbd2750a2188550bd055af3b957deb6509

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
cff1c000151b2af9f5cf6ae4483fda80

SHA1
00a3b6394cf0e9f1acc59d29e415dce7ae6bcab6

SHA256
83711781eb2cc09496f05fcac7f54b77264821310b1a0bbaf68fbe8df75fa748

SHA512
995d4b3126d6afbdcbaa72add5cb658e9bbb182a21834730d99d5ac165674414fca2706a87807a5fb9db609528efeb72f0637a5992c5573378b49282676d2eef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e71f286f735b36f28f5e6f2cf2b64019

SHA1
6f0210cb83c44846c74a8b66f5ae707613357c71

SHA256
b80f57774fc1229bb87523d45d2a91f73aeb018d4258f9d25063f10b062a06f7

SHA512
77dc63f764bdda907aa50e9d185ed3cb15f7c539a76bd2a525232f9b3f5ec0888afebe166223e951c1ea55a54065b9ea5b26744ec232fc1461db654482dd17bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7318ad86ccc9328c4b34d52124cc8d1a

SHA1
a28a23a6fc7b27dd3ec41622154fda12f06eb9d4

SHA256
63f89109bd800d8254812222f016cc4d52d0110f0a8d64e0dcc27b8a4c33f299

SHA512
a0b39b65037013c5629f49c2f6cff36999cc4a4ad60bb76da58ae840b4ee11ebbcec89461a0e0c6941a9972a02ae7b1b6e6ffc4c29f0d29fed0781ba2b7b7eaf

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
056e79d5193c17e8fef81a55f00965d6

SHA1
4a63c2aa58610d9876412872e48581024f036d4d

SHA256
b3508d87c543e1d1913871808825125f7f02bca042f296ee98cbe1b769f70392

SHA512
06d9316897936c279a659442c9f9c14ab2e312fe121dd184802380d53fcc3be823ca8a44bc2e5383c482237f71ffbb72751f672ac6425e7b6dc456033d8373e8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3989d309fc8c1e9ceb3996c29fff5df4

SHA1
a964ec35648906b48b17f86c3780702eecdb43bd

SHA256
b11ffb0ef0c0ed65cb9515cbf6164015ec60deafc4fd9469477a0a2b7a39d418

SHA512
03239495d4f8e24fa317f3c67c7ec8ebd2d3436a670f6cbb1b1216e954f30a83c72ae220e8e3fd532a28abc75c0923b714a511b24db61827caa9120c2e3fc824

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a89c13fef08d8641e3c63c214110bd92

SHA1
ae0da98aaf15e349c1419e24b481dcf6f1e61df8

SHA256
8ce5f2f14318e9fd9cd816f5438a649466f11b5c7a4c39aa8ad8d2ba6d25fd96

SHA512
ff65de202b3a8cedd5416ce0936273cd1621457b4f917b2cabb9306f7d0e0268efd2ff9d8c69d3b6ce8486797a6dfe09c355b425ae4cdbb997189a70748d5c27

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
6dc61acd571d161bb18f4a8c4c2df2e0

SHA1
587a15a659ac996ff49bd28c205a0945a65e7478

SHA256
c9e74b13ae2d1b42e8d1f393d31b418e7e32c86b57d2b533c38ca601fcf146bb

SHA512
4aa1fdf3347e947edfb390886c7bd721373cfd58fa1cc9706b37d746dacafbe80e9d277c391800f1dbaa6a11b73f2a8023d057fa0b1ffee16e8d30831c1d3f7f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
05e23e8fb3b9a5c3c34d6b27b26d22f2

SHA1
6c6096fc0349542ca951689e2e25a675097d8516

SHA256
ffae23508f0741507923d1b9be224e94a796d4a54a193ac8ad06752a32d7b303

SHA512
7322bdd18842cbe0214b01cbe284757ec83f106984e861cc879dd1bc6e44722ab862ca978c3dacaae06c84dad776f2b296444a07e9e16e7572b211ab7f14d3e7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2b2712271198a16df45b50c1d1eda84c

SHA1
808c59aa3c07231df2bdd4991ab86e715c8c3c13

SHA256
9a929c3b9d28d8ee0a6cea2e83a68a9314cfaf7af5b5d2565c8e2b8168d63a88

SHA512
9da8da0f9f3911e605819026d1501eb7d8c161f6a8abac6838cfc83b7365123e2f21b9473f45808a63687fe2828b441bdcef07583bc499ceda67860564985b49

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3d9fb54f1214c7e62de615854d2451d7

SHA1
809bf75ac1bd30f8feb10ad20d2bc836cd9e093f

SHA256
2e212bc94c096f7776e3e2f78d43c4713fc19a0b41cfdec3ac9f14815421559b

SHA512
ae05a45401f0054cf3dd98bc9725dabd120550dc11368fa41b1470576c2ef0c36f02dcde5791467f834ad9588d44efbad9a17359f78a6d7c1c93c91492e59648

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
54ffd73cc7e512d0ce9da6db4185c6ef

SHA1
6e2b0a0cb265b084c3a88293a31d7fe5091a1a77

SHA256
bd90a1f6718193ea87a7e0d7d41a05ae0c1d9f6faecbf91b49acf3404d8876c8

SHA512
78eb69c383b361175dc58511dab4cb7892625e1aa976254a4db7ca630af988780f961a556e1e148e2ad1cf0fb626e7c93551555dd76602030215748e8cdf783b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b020592374de813a013246e9e86da712

SHA1
32dc212423ca8b064b25019cb9b99bbf4b738c94

SHA256
b50906438b8652133652a17788af29ffbabfa525870a4cbb8934fb129899b6c2

SHA512
7562513a55a09530d4f163dadbc1b79df9df743559f6378f8d59cfb3a7917ad0e76866e31d3342e432bf7906a11515912203b461f222c148acaa106a362338bd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
9503865ef507e8a109c90ad3a57a8287

SHA1
2a386a6d3a91f2026c0de5f553c15144841db377

SHA256
4ecff1d205bfafb67115ff2b3d00dc8570aac8a61750a7a89d2f472f272966c8

SHA512
bf6b4999579b53cfde026544c009efd6eec981ad37a215258cdb23e397af471d7f59aa20de707991b3d63da0c53bc97ad3fc7acde422927a04e3c964f5e4ef48

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7b53f9b4f34d6f5bc48a04dacddfe576

SHA1
9d315cd95f599693ce51eaa8aebbf429c13e195b

SHA256
6cb377cb82a4ca6422530a484910642fdfb008b8b8b973ea37f86b19d506ab82

SHA512
739ebdf199d69afd96024972e1675e2ea886d1e0e614682270c4d377feeeaf727e30a8de953c072263670b9ad7143ed7a28ba0b754dedb632a25f0bd485261e9

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
199db30670f1b3bdb1ce9a08be7f93b5

SHA1
5676c0ccce3383f3f21f267238d812fabff41cd3

SHA256
8d8492592bb92b75e8b2c7456ed283aeef2af2fcb6a30bc408a09fabeb9c32f8

SHA512
251b2bd21a1687752941f02272b1d69b44eec88f02afd54cbe7cffd975faf47d145868bbaa20cd81453475c039859173ada4507e6ded2dd08ea7901f9676a1f7

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7e3f315d9e9b0a548dff25ad2de7cea1

SHA1
80d48793e1531c7f5f7e7b739caf0705b4181f87

SHA256
a5144fe6722cafa0647684a711bd0b4b6838125b12e4f959aa2aeb2c713c6755

SHA512
14dff98014340c92368af76754af482c89d01149f0576d55b9afa5a6aa3599564208e50057fe672d65502c19f85574d3c6f162943929cf3e28998efa0750a175

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
769e3758c0761766a6b6955ba8ac9125

SHA1
4fd4d15f0123f930ec8b1ca3f59b6fdcc7dc3d7c

SHA256
e1ac5cae798aa8a6394957615f509eaa7c05e66e3a2613d1a1a735e399dc9347

SHA512
e2e116a25f3c1ef9e9de450c87ea3554a2c5584894fe5a3697e6cfbd18a1d1ab5d825a13b2b584dee0c07b676189ebbe502eac7d258b5a2a3f1b27c3e956ba0a

Download Submit
memory/464-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/464-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/464-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/464-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/864-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/864-51-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/864-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/864-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1012-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1012-590-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1360-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1360-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1616-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1616-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1760-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1760-440-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1864-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1864-585-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2088-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2088-581-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2088-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2368-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2368-591-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2572-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2572-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2572-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2572-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3372-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3372-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4288-589-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4304-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4304-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4304-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4304-85-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4304-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4324-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4324-586-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4384-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4384-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4548-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4548-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-44-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4548-47-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4644-178-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4644-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4644-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4644-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4688-577-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4688-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4760-583-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4760-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4764-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4764-90-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4764-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4824-458-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/4824-73-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/4824-0-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/4824-6-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/4824-1-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/4840-584-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5096-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5096-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download