042a1cba61f716c790eeadddcc3069dd834b3b9de9290835532ba030a7b7e7c8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
Size

1001KB
MD5

39f47908053cb475aff34772ca48e9f0
SHA1

18d244c800091f91f732c766e7fc28370326ff18
SHA256

042a1cba61f716c790eeadddcc3069dd834b3b9de9290835532ba030a7b7e7c8
SHA512

4ecd05ca942cc6cfbd2f7fb0e6fe3530cbb269821232abb7a5df755c03cbd212d0e984ae88dc81f9e57c5ec692512e99b260fa560d3c8ca8c6dd5b1721b6a406
SSDEEP

12288:Tdhjo4swrLzxAUMPa76huDeegxo8vo+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+Br:BDMS76huDyq4MdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2028	alg.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
2824	fxssvc.exe
1448	elevation_service.exe
972	elevation_service.exe
2560	maintenanceservice.exe
1660	msdtc.exe
2760	OSE.EXE
1256	PerceptionSimulationService.exe
3360	perfhost.exe
3812	locator.exe
4404	SensorDataService.exe
1700	snmptrap.exe
2696	spectrum.exe
1092	ssh-agent.exe
2676	TieringEngineService.exe
1272	AgentService.exe
1172	vds.exe
2160	vssvc.exe
4464	wbengine.exe
3780	WmiApSrv.exe
1992	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1918e240c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f37b93fb02aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d48fdfa02aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000785dd2fa02aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034a73dfb02aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6566dfb02aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010c0d4fa02aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc9249fb02aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4628	javaws.exe
4628	javaws.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe
1484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1416	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2824	fxssvc.exe
Token: SeRestorePrivilege	2676	TieringEngineService.exe
Token: SeManageVolumePrivilege	2676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1272	AgentService.exe
Token: SeBackupPrivilege	2160	vssvc.exe
Token: SeRestorePrivilege	2160	vssvc.exe
Token: SeAuditPrivilege	2160	vssvc.exe
Token: SeBackupPrivilege	4464	wbengine.exe
Token: SeRestorePrivilege	4464	wbengine.exe
Token: SeSecurityPrivilege	4464	wbengine.exe
Token: 33	1992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1992	SearchIndexer.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	1484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4628	1416	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe	88
PID 1416 wrote to memory of 4628	1416	39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe	88
PID 1992 wrote to memory of 5656	1992	SearchIndexer.exe	119
PID 1992 wrote to memory of 5656	1992	SearchIndexer.exe	119
PID 1992 wrote to memory of 5732	1992	SearchIndexer.exe	120
PID 1992 wrote to memory of 5732	1992	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\39f47908053cb475aff34772ca48e9f0_NeikiAnalytics.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4704

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
3e61676e35dc405f248dcb4b7bf2ab93

SHA1
9f296f2d7b60269c8967bb8f9e945a85bf91e6de

SHA256
e1d69d101dc95430ebc5dfb728cc023ee6403b917cde6cf07e10aeabbfa05a89

SHA512
7c1628fdb93ab37ddd625209f2477014257b8242cec266aab602beaedbad3fc83d616f044f292070e046983e07ef38ca1aa37014bb91ca534df9c88da81fc92a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b4f144f8d0e5617bd616cc32025c1c82

SHA1
802b5aa15d62e74cb77468f2b2dc7a402a9bfa43

SHA256
b59977b456e262dc2c42259946183c58bd563b141c175212d13f0a69f62d5314

SHA512
a4187d65c6209a617f0ea2a0102c8b7e60e48e6abdebdab9b6fa8b0c26696081077d0ba9ed281a56245c59bfe090a8465ebbfe2739a9a5ece21b85622ca6b957

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bf7ef7c8760ea3d476c21269f722f4d4

SHA1
0de2cb998d0eb1b180723ee97213328fffcffe56

SHA256
9b2599a4ded6b16de24dbccfc34b23f6a5c3e364674a61e61c2151c74a03e277

SHA512
0fa6cc1e4fa8493cb020f7cd5c1207b48346ff851a2f324bd24b9c9555b52d89ca7f2d4eb653324b8e0767c7882832378804646db77166c9676f3764ae0fc128

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
821f719503bd86df300d17c01b9a0232

SHA1
7fcf2d43819e45bd954837da98ebb4e069b02c6e

SHA256
67b16ad3fe2b494728c348fa856a65729d3a2a529e10ba420e5dfb871dd2b678

SHA512
dc5dbd7986ad8548c96aa4e1aeec1cb99f701e78d9df4e7e3e6eb85315727133fbc9ec77d7eb9e819f75c82c553f83cda4e47358121fbf37540f011c53ffc10b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eadd71bd957c5df887b85f36dd1d1c66

SHA1
f6dd4b1a41e4bb54f357f6f338bc385096f74407

SHA256
c04b03de2d475de86a55ffb6d00f69febd0d245f5aba4e2f54f828ad0e5207b0

SHA512
53475e380442faba72c5bb3f8baae341de077296687da6ceb149b2fe547720d11eea00f57b2f3929ec7d17d2b20d9d2f73660063f7a268286c5b82e87eeae38d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
76e63656591b7f4db633069fbe5983e3

SHA1
4cac7972c42f539290dfa0ff281687ecfa06a1d9

SHA256
bb7c659c5eda7c5f7c70083311876f7db0d6d89f8c7bb2be080b68f5d093e2d6

SHA512
38a6700c060c06ec2de7b2029a2829b996e684b107d201b12aa84cedc17aab69a60d5509b202bc788b6cfcb9722c51aa3560457535501ba0bff2ca854bb253be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7b0280768a2a6441217bc976981a8586

SHA1
6cdc8017b4a8749ca05739b95404877f710942dd

SHA256
626c79cfe1a47b44d47f7b3dca3929eee34e08dea6f1dd9113bb753d4424c6c5

SHA512
826a6782201a761870f6d99665c679d8a92fc2ab5415ff5c5eca90c4a3dcce4f7639fd2ca013871194e1c6d6cf6760fdd4fc23c79f11c04c502e1780788f1f6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d6783adb019eaaad39d329980f46e716

SHA1
35c2e2000621d004b68bf2478580b9e6652e2282

SHA256
99385886008529e84caf97454c828724ffa5b1ee6f0ffe5878ff5f1efcea788c

SHA512
654d13220730217c66752656876af0e75c8d43764515cab0982cca8d9a4de218fd9f3f84a00a80c3eb44a889b35f4ef9015d9b2b3f443dca2681ed447253b427

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8ae76b5317fb00f78e009d56e0aba8ec

SHA1
fd077dfbcb29de15a274b7ded54458953776edee

SHA256
a99d06363da24e3942d7a8c68948d1208422aeca7018bdd066ec5f1716508563

SHA512
a7f4c643a7b0021b2f34271c7c968415ce51defc6a9d70384c44e383d143f7a168154825d9f4ee68a43ad45f9b64b4bd8a5b8e3f0f397919ac886e1579c0ed30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e32660fad5fde87741c4faf26de1546

SHA1
47b5534d7c53171da97d42c41961ef46bcd69b38

SHA256
3d543175ff22e521b0f9f4260d6a5dbeba918b753e254f7a0e7bd44830b0d676

SHA512
631112fd541c8bbaa5d877f35d27bd81e8ab31a72bf14ce73e0a7c920a49a1155c308602b14d78ee7e62840654749c52daff1d6001a70b93d9cc4038db498b42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c461d7675b122df6ebef667983e1b068

SHA1
2f8f72aa9c9c0c2f23f36247f0b7a1e336a8ff39

SHA256
18b881938ff10ff716e744fe104ab705e22ec73e06024a16db4b7c3ddd2e3b9e

SHA512
15a0637cb86d0b0e13daaa36825b6b8c30068084053b82fb17397b90e9054516eb1788f0273a4279c9c38d023e58e1e8bb1a6a2f8dd7c34f4ab5979c87a1efb3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c74504106d3c3a2f5e333fe72d25213e

SHA1
095be4053485529f1e8614d01e297ed0bc9196fd

SHA256
f12865ee3704e0968200a260b6561aeb336fab0f5e6e8b146c07f5a6202c9eec

SHA512
a0089f45ea05690efbd738ae576b9b0a806e50dbc2c0103f3cdce08047151f434716081976d93bee86d3dc54da39100a6ec0103c1cc03a809ea7eea052bce543

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
519e92684a3369c4314b58fbdad7e20b

SHA1
6a332bb7dc698dfc5288c85f5698249382e5f3f6

SHA256
d49676a37f6716281edb255c3aab74ce475d700e37b4986e573adb4c2494bcbd

SHA512
b6bb4c179f29b3cf1db4c138b3b72d8570867e31a28cd86c97603ecaaae6899b5327691eb9e1fdbc53e98244140e8bf49fdd28633fd8d811ca7cb4a1d8a65aa1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bbd4c5a043c340f094e2262d1f9d83e0

SHA1
079d4bcc466ec92a2e2a5ab828f11c7d764031a2

SHA256
fce25ddb5beba7f8a56e7bf6fbdd27433445cfc5ec28bb1e7547bcebcd53d0d8

SHA512
1a9cd206c22c34a577668cb3906ed43d924d1d0a89b06d62869cbf28d28440afd26b026b8027f232e74c1da14ddd331c6244c513c2c045672120ad7f1ee6c51c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e96bd217976d8ecb59da778d2bbfde80

SHA1
88f886f8a45eb40b1b71ecf428389187904a4bd5

SHA256
cc7e3bb241385600ed8f45e0d4aababcf32d2976d89b40301309be17dfd8a2e8

SHA512
3d02f7b33a47fa796b67d8fc2db63bfd9ba502e5cd3a6f0c086578e8f7518d35456d47b643caed7725e6bbf005d07b8f5fb0fab1f0936fa2e247c75ed4ac4714

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d36f7e81b2281ad57b56bc45bcdebbca

SHA1
5c327d6fef3996a75bb5283be2b2a4c7bb64932a

SHA256
31eefa04f1c037834bd550fe7f9ffc8b587b5f494e7de10b77c2e4b07fff80ea

SHA512
888e5bae088e0a64ba05853ebc05c00d3bdf6c5e4ac1c0cc4f49fd1e62668c0e3438cb8f878bd20f4ad346af77acb327ee83b3af10ba8687396284e47594c063

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5c7688fe34837e5e771d15d3f694d91d

SHA1
cda3cfe8fefa724b45569bb2e9ccd7d64965b96b

SHA256
ac22a330a57f37641e15357d14adbeb6b6443aacba10d7c5e9662e622db76717

SHA512
bbe4fea8aadb6162cfef97ff1bb6843a75c65acf23f24ec643af6b3d3eeed2f54eae93c63a762efa8325cbe73737b1c79f15e3f4d568626dca93a293187dcee8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fc784056b62f5a188d9f4dfed8b3062e

SHA1
9ade98aaa0bcacec483b081148480820ad409a98

SHA256
61b6c87bd1a35ff3a67f7f12107b3662003425b4c5fec3e8928bf8cc2fcc09b7

SHA512
a18e002e9ee5fb60d2f439e29d7fc40bed9eaf9725467467f7bee3ae5b8b4c6a29de10764bbda6a6c50feba72e43a58a2c9446ebf9075a260e3cc865f4d1d9c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
15d0ef4abc47a866bf536c3fe8bf8987

SHA1
8545f2553447fc89c7598337dbadf52f5f9b1358

SHA256
975c44e6b364041daf7412d68dcb1bc1a62855fdcd16a964dd547676295c8dc7

SHA512
41597f91c34479dce89e6f714e8b5cbd44b99d2101a2bc33db05413af4ae0f950d4d7e0db2ad70c9c66f1dcc767a7ff0f722109afb4559d756e25afebc45b456

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ce58579ca2a978cd5ad12813108e99c1

SHA1
b4fb13acd0d0dd94c66ee3a7452eafeea099bdae

SHA256
f2bbdc10b40354195054f4147768c93a37642fc8bbca18c7647a9d3ddbf37f97

SHA512
d13234f3ba534e4c0873b888f7473bc10b6b419667957a85c72f01387ec9656286445e9585bc51bebcd00fccbb67520a9134732e90b97099b8aa9b58af9b1b5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ef317d07a43c977e6da2dfef951a6bbc

SHA1
0ed2c46e5794f52a3bc70f883a5a5863de006c0c

SHA256
36bb56c7c2365a21a695b50a2605b809a1ef3d29f3dca66d72c829f9f9924696

SHA512
5dd955f11cc4d056b36a3335dc3d76519f89068acba31c67d3fa9cca52b436650cc5c3b205139b0ec14fc2c2e4c130f76129244515812a51c0194b457d38e8eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9b0413c55571a36946b71663fe6f3aef

SHA1
84a62fb62e727e973f015fa573a5a354a993fd48

SHA256
a7a55c1fc40f66c4840f2fd100698cd6514995cd5cee7fc47aaa467df454c962

SHA512
95a4964704bc453d280dbb504b4af69d105428b87f9848d40c2753da2d04a1df11e49e468dcfe693cfd2e45bd267b4dcf21d8df82a4844fbfee809513a0e95e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ee1b5cc345060c3ec764b37e1d921111

SHA1
46d246621caf570ef1227aa4c321813f05f8eec5

SHA256
c91adc132d3799f6fb995f9a20730a76124c41e55e0ec3f91e56480e54827727

SHA512
7feb58d955b637683a974e6e5a12998872a683541f40a410ec49231a4d44cf9e1a41f09cc8ad4d50956b49ebfd08ddb6abd2ab59aced6a0e981550f557b0c385

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eeb686d98d7360e08151af24e613cfe7

SHA1
9c105b68f03477d48dec6ec7c1c493866f15f16c

SHA256
d87f537d299425ba7e27c7b40d9a0f669102ad6b5e67792a27e2891e2841087d

SHA512
d137cdaaa02ce9c4eeb3fd1a50752cbcd379dfb9fdc3a2785359865b99da1039aac803fe2b869e9efdf69bf63c05e61a918cca6c6aabd19756497f33b1448088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6c1d3dde82634dc386ffbe658bbb6771

SHA1
87ebfa23919da334857599044cb079289c397c71

SHA256
f41e25bb13314947f5d293135c8722f649e699a139f430991b6dc4e656a2cf1b

SHA512
ac78a1f2641e86b24412b55cf77eb7ba42d51189a4a7c921f299512d564c0def0f8433af5e5b3d0b8876a06b4139cf4d8138c5272b85cfb597e7dace3de00cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0e62d5f872cc6b99aedcb85a09d53378

SHA1
8227c60373998ccb0a36fc54d547be2cd8d64194

SHA256
91e1dd54b9616b026774c692834b2b52ea516d5dbb42073600e93e763bc3b902

SHA512
c0f9f4dbe477f3e071c25ca247b28b4b54543e4fb10ace6506737056a4eb637010f8866800d38e67ec3939aeb2a7b30da483a6395e2aeaabbabe61c127d75319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a864e2bbe0f5bc04eff4e5dd9141d150

SHA1
b6884c08fad4c1ec6aa3f10bce26477584a1944f

SHA256
2e1eed3f91c1a1c0abf7d6699c192f57cf44a6a0c41d1060709fd2354ac8a139

SHA512
4335ac7dbb59fe99b7ed5e67d0d316393d70f80fc4fe1dfed3f76e6bf95881e07617d665a39cad84e44f2326c1b2dae28e281d7136944bb3c359a10d3af33b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
dfb518ec091904c859a66c71d52d0a1c

SHA1
04d86dd18a1b8941a5a97c897d454a312ee94ef7

SHA256
258f1ad3944a8649678f1dc4e443006b4532d7c1c34ffc55d0ff3deb5d9ec69c

SHA512
bae5b206cb6035affa35d0509b8a06f429fe8d9d80a93a58a475586b8b1c3f18e2ffc56435d4cc6abb06e885e81817b8a2341a9e8f5dc1c74535fa25432de04e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c88bf177aa6baf02452984fe7e7184c9

SHA1
0a8fdf1309064a5cf492d098af593a4037b014c7

SHA256
f2f6aafb16109e8624343d412af2dab5c00fca13f1f6b693a40bd749ad40bbd1

SHA512
3858ec6cd9d6221d2050e28f19ea051c255e3930ac539416815156e772fae62b54301e9b9b0974ccac71d22ef7240ee782a49a1e86b9a3b3e1a8439953bc9e18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b85e17f37ff8bc447976966116288cb7

SHA1
490417510f6dee3df1d20b91ff34e21b59466df0

SHA256
8f01a6f74b249b67fc12f495968d974fbfb089f5ef1e1485c14382c483cf8c7c

SHA512
c92b11ee37e16c82fcc238bc8abf875ecede765326b7566d7518ef863cd868705258be7124a4137e4b50024bc112b33399dd8dcf2613c92876e14e1c57473a0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
83551706721b1b8b3450be87283e499d

SHA1
2eac68a8c8fffb7ffc4e381e5d2abefad6666696

SHA256
b8af8e735310794a7a3b85a33b6b697851e599d67d3094c238f509e219c37398

SHA512
a6d342d55ad0c7316d68fd0a785c4a2d2034cd510f397e99670bb5ac7b74c5b29d17ca091a99b52a90733a136568f07bd33cc2e7f2a484e63f8fbdf5cebee596

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1ff6f29a46144c3c4f65da706729dea5

SHA1
a5fdc51ee93d29c285cef736c3ccf9b9f2a3b671

SHA256
5e828309fc675a57ad81c730dc7b6352605d31703f3e21fb9aa3e3928e8b107a

SHA512
3c8bf0284431e0b107a5222f256d9f40811a1cf7b7818a112848fab5cb0fb976fb523ad920944f1e8639d6c17cf6311bb9bd396750f46cc0a24c376e17e0b4bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bcffbed37a9f8a8bdefa5b881ea7faf1

SHA1
9698364bfd31ccef8c1e55c9910dd904c182a6ae

SHA256
307014eddcc11f32deef386031ef3e06d17f38a9919687f93517964ab5381e62

SHA512
10c34ce5e80376cd6b27b8b5eb532322a25e246700af3a5f8a8e074877269549090118b4c3943cda6886d47b4fdb304a31a4573dd6851859f9586e7c0ed4e5c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
907c14b1300a5f967afc2e6c99dc220e

SHA1
b084dce5edf5df06443b20aca06b76e6e0a2a4d4

SHA256
1066feb664f56aaec43cfc1a92b5462e7dc30a96e55d3cb908d9a86461bb4500

SHA512
fbef077bc415610110a4c88e32b92fec0422b92720b9ce79c3840b4f4f88e8054cbbcb35db7fe7db7309679ffd3e17717bba109b2824fd328dd935ce02853596

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
15d2e82894416a7c94f57c13c652bad2

SHA1
8b7f697aa9553a26a22774d70efdfe94dc0b9ab1

SHA256
6a1824952de2c8c0f9cd6b6831b85a5a86cfdc24a34531af15661d62a10f1c70

SHA512
b8fd4e7ab84c9f0cf631a5d684b3783f6df3696c941f0d8d2f99e7e187a34251f56c3418ab1375377bd180251e555ab265c383821fca37a1dc3d90306dd38312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
493a3250ddbce36ab7935b90586a9ebf

SHA1
44d3dd81170490c58539e92afdb40b8a7d1c7df1

SHA256
5becf86908997dddfd72437422e7a2812d7a1e29081db659b9bcc16fe2adb90b

SHA512
1664f93b29672605af66d5eea3f7a1bf791cf41e2538846eba7d90b0357fcb081868dda8e0300e4b264d826a33d5b2080cbdd259bc5cd2e91f61bc28302c7231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b0273ef2bcc9e3560d8fa6df3a01c32c

SHA1
82ed42c92a199d4365697ca2787f1f45f4684203

SHA256
1bcc1e7a0628d2d42d4d7ef1bd6f558e18ce92069c6036acc292696ca6aaf901

SHA512
6a89248a811ae7083d23066afb99990c14829b27b223c05e8685ba8cc746eda7c337041a7a7a13257f4c2c36a0e8c45f643a1554a26079c4f43ccfe1f606c617

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ba35f64a86159c20c7c9a4283f913e48

SHA1
1de4f8ba8db2ffeb1f9b6a4c184e7f3cdf6cc271

SHA256
40f573a14c6e0b8c4b01d73ba60b62feb1e8f5969be2449190e3d89834b5204f

SHA512
54a7913b576dabdb3be78dee380c256e9cfa8ecf42058b051c737d047ed2f2be0cfbd46889b105256c131bee94d1224a38175fc7027fc4370162a259157158bb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6190dc31fd4f5192640e0b093f451cbd

SHA1
0f55640db13dda3fd33658b7bea4ea9bcf37a849

SHA256
a14ed68c5d7a8b70ebe4a0a0fb059dc21362bdfadbd8b86d250a862363d52e30

SHA512
6b86bd524e06380704fe367780b456d8288b26ccd8333bd952177321f587dc478c049e8a15cb2f6d0cb21030d900c6b6d3cedb9337e7ece7822231dd3d165b69

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6bec1b54fd9cf66b1d02eda6a3f0c5b6

SHA1
1fd7a331272d452e7d87fe3677ba197992ae9627

SHA256
2defd6694926443a1215864a1402caec561714bad3aa0eacfa2d9817eaad2ccf

SHA512
2cb66c4615223efca288cdf89ecfe44ce8fcb163974ea70e1c2862ed2079cc544f3466c31b5cb5ac36fadfc7077beb1fb96de7fbcad70367f776834f64164e18

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
04b5ab12df42c98c0bebc97ec5d801e0

SHA1
5e11688dc5b8c64a0d04d3ecfc54546ecdf6ed60

SHA256
8f30a8f256d01a82b3c8381390134ab3a7b39232edc7610d523706688eaa090e

SHA512
53d8d01b566e6ebdf612f67084855533c1af62603a390b5a76bbc51b0cd05d1adc37aef78c30da59f8caa1a1354f03d92e5a9ce62e5ab447b0a57a00a3a82c30

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5a484565ed43855ee776e3dd67aadc8d

SHA1
dde70382653bd9d4d484a40ea781f34deefeec41

SHA256
3302687e53bcbcf40847f332cccca73b5532a1c4f0054f6bce9637b778ace5e4

SHA512
b3f45403c5e154cd5e549d0f94e00826e68e55aea28166f606e72d1d2cc14f1421a9134fe8ce1026810a1edfcbdf15feaa241c17dcd023078af6e1957d834cee

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0c966a14dd9641eea159591c2f1c0834

SHA1
3509a4345b58666139d6ec60f42980fb3601f753

SHA256
9b09f24d76adab1c1d675a6064cf7a556c63f0ba11ce8586104b7fa4bba49cc8

SHA512
4a325fcc8aa0434a6a5a5ae7edb84cf598900d3bbc56567accc1834255ac68feb3d37750d21eaf3179088b57bd905742e5b390685d84ec3def2c74b4d102a1d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b604dff86690f21468c597a89f77ec82

SHA1
e59e2d852b069afcce38d4592898d7248a1b34a4

SHA256
e35ec7bdabc32c1407b513fc1a9e2a159cdebf76fdc88c9e3815bb791c61a79a

SHA512
65bf889f29afcd6dbfe65ba9739b4b8fcc00475d3ad1a1157ee6317499c9c38d10e0a46fa991e944575b41993fd52ab2070c4d5712c9f11821ee3fa218c6c8ed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e770708cb1348dce30d0d4d201a51bd

SHA1
824a8a9a1c387216689def20f5e583dce62bb52d

SHA256
ae1c901847d337d8b80c60ebf799b683b5b3c7ca084f3b77d2d55d9bb866bd70

SHA512
be7588fe396cc4ba87dd6646b5aed31d10d63f458b4b3aea18491e0e0b20d4f21a1589abf8c4d139d86536af3d3b2b43eb4671b828696d871cc6673ea8a7e152

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a193237bae12d6ce7d32c488b16384d7

SHA1
a2e421ea414bad54c50b27fdb41788076aa5a0e9

SHA256
6a9bff331d3c70e92dbef601449d4fd3725092545a7cdf167a32d34e9c853ca8

SHA512
94be38dc012c6f5479467f8e27a9c0eb53ee649ee0c5b99cb9e3f2a28f9e67a6a26c8b5dc7b4d627cc1a2a43b08d7b4b4475a48b9e586bf50b969cad3ae71921

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3135ca97dd1d4dc8ea836a42a43fc38b

SHA1
309cee49299335814d7bc5bd1bd70f62e859c261

SHA256
0663678d1bafde27408934f0fc5bdcbe0720adc796e49f237e857a6b3a4f9675

SHA512
f2550405e6ceedab8c6a0f0c5886154ce6f89dec20ec4f68cb5082b6cb1256af7959a4200b56ee4513a90a2ef89839ae60e3ea9784e483d470b291f3f040d37e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
db7f9f1a60a8fd4c27aeb11318495ba6

SHA1
e6bf1a6b2a2d4fd46ae1ec0320ca6148db2a22eb

SHA256
9604fe7a2b2d28c50361aa9db9b0b6ca1717ed2551b0a912b7a85b165e994801

SHA512
6574ff585234bef2e85fedebd4220d131cf5e0a9495acbe582618b4c45b12b301a473dfce8f617b45faf536f34c8438641d4c3ccb9bc80b6d12a0b8c89fc9a55

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5ffa922e3e6d827943ca27378d157bd3

SHA1
6f82d99534564f302d63ffd25ac3d55053c791e1

SHA256
c3b8f66e1ec600a80d73e2b7280fe4d3d9d2bd796519a92935ce7191fca5642f

SHA512
283274ac42190ee58f31c817ca0b3f2a07deb4acecdc08b4a9dfa4381c159ed3debc2bfc86135c145c2d9e47d293d4b2004ebccdaef97d806da246c858e10453

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2d9067186108997388fece455a12cae1

SHA1
ebb660103555c133bc561b450e6f7cf123b54341

SHA256
a7ac72fcfb2ad6083dbd388ba6decba310ecc41817a25cd271c9c58c8664e57f

SHA512
d5a79a7721839a1a08289a03c3411623698eed3570d36f20bd8848fb0093319c6a049e0dae02e0911edff50151c26aee2311d1df4365ca4f251abf4873d15a7a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4bd4e432404ca5208a72d925f4a93a81

SHA1
e4ef55cc71deac89f23561465d1e1650bca1c0b2

SHA256
a722fd9662e8e471d0b8061a9b76fe609f757613c349a1dc812c05648dbfe00e

SHA512
96abdbd962088e3d90178e7567692a44e9e7d7e83159ec863f5ddbc829a10bddfa1c6a7727142651d0559dccb4b84835427095aeef65b1cc65de3f37b2aa711f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0b7d4dc54cde4a91317ed89e5e393b7c

SHA1
e664bfc05eb898a886962dc5698b218329ea8ed4

SHA256
46d0f0d764d0e138df556742c4068b3ec318b20d3bd66d25b51f49f77409a973

SHA512
86dbcd3f415dedbc64f629fe0b3fe9fb09c4a1c6f4502cf484e8508aef0fab44e8bb7e98a546e711d43a8b3b61dcdb0a7f8d309fd24c9e0993f80726da0d1804

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
186a6d837ab9c88d702200b9598c780c

SHA1
84b6c78f19ba6a5bbf5116d77716c54d6aa53a34

SHA256
1f6baa76ad2cd36009c8847becd9e8db61e50e6ad9db1897419d160e2cc83895

SHA512
4e97a94d2ba7366da188c63667925b4f89fef677cc22916a8d7ce05787cb57d54a5bca79befead4a58a5786d09d0fe7e37e09edf1d582de57744dd5cdb3c75a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
50c99efe1c0ec1edf293a30c518e74ac

SHA1
a6d866de62b0bcb57276deb8ca24b166e1bb0177

SHA256
70bf661d94e185ab192cae2750ff06200e6acd3fc5f78844da2e8e3bca1d0293

SHA512
bc9942e8276bdbcbc7969fb8f4b49cf85e6d95dc2b09eeb2426628bab841c863f94aa2c83d56aafc2e92bc6b9d01de6529cbb5e5f8f755ba9b6834339212c901

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ed974fa12b6fb45afe7bdeaf93d2f492

SHA1
3d217d4c1a423e380e5e8feb5a7c04c835a1e76f

SHA256
b8b6ead9e6118afd40c45fe040f73452915241f925ced6530968a975bb82d9e4

SHA512
350679ad92a8e26934cade97d296ea36a1e81dd29b1559ea1491e1c8d7fc1cd630a7dde04fcf7063e69133dec13702a0ca28e7787a71ed352a1f504359208935

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8138a09fee5f6aa95072c8f5ecd470ce

SHA1
6e6596e7c9451e757b9fb4955c5734e85f6fb5d5

SHA256
c3c2f745cc8456fa2333bbe02f246f6c043067a0dea6e81223b3cf37168f25fd

SHA512
8085f0e35c8e4de1f5fa54f17b70c787eacc37c837caf6d1dfa5c7738b6681b47c182a4c0cde9faba923b4e95e487720debb7246928f52b895740058a4ebc839

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
65066cb7d51ac2377c42363f9e05687e

SHA1
daa6be583217460b0c2fd6a6e09bdef7579c2e1f

SHA256
fada8a43e02e9684d7009c8e015798dd1f67ffa5bc337d6e475358f9b078ac6a

SHA512
bea01f60c66113743844fd52a6352d358c007295b7afa16a6ad039b50a0a151a80276b8cad50149b8025bb16df9a9ac4ba746b6024324d4b73b1688602b056f7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eff6d4f0ef68a4e525d35012ecb40a05

SHA1
75601f9030673ce1521b352a788da89788d077e9

SHA256
41f1ff6eed0b93cf60d744874a42d33bcc715d0c271f6504151335cbc54cf359

SHA512
fc88f1122d607634f313b45a0a99d06ae2e5227813e1766ad5bf5a119e62f1770420581ed29a28b7422de121c7e9614b50e10624c52a4032ac7b84f3d8b3ccc1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f27de0444dbf0e152d42480ff5a86215

SHA1
e1884d8b02a7d51021d5720af9ea80cfa5a23339

SHA256
7e25e0d174df298567597b6a8f3065bec74a998f5806f976a21894991455fd39

SHA512
61105b7f7a3f78076bd9ba9719a8c97eeb14c5340115547c8bab6ef88c299acd9f183ee5d77b3319f84444a18dff21aeec4abf6105743bf487b03d281df043f1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c754df9bcf1af553e5fdce20cdaf722c

SHA1
0089613087675554d8fc76f8d8dafd4ca2f20554

SHA256
97e1c54133c276463b2187c137fdf53654d601697dbfc7748e2eca3534dac26d

SHA512
5766b5f00404eb13d8499c268dfb6e3510d9d671ee85d78e4385ae1f1c55a11c438a21456ba6d48490935551f814fe3109300e4cd68cef5bbdbc2b258243a18b

Download Submit
memory/972-222-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/972-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/972-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/972-72-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1092-630-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1092-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1172-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1172-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1256-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1272-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1272-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1416-8-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/1416-137-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/1416-470-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1416-473-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/1416-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1416-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1448-59-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1448-207-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1448-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1448-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1484-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1484-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1484-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1660-123-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1660-89-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1700-459-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1700-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1992-263-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1992-638-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2028-164-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2028-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2028-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2028-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2160-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2160-635-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2560-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2560-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2560-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2560-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2560-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2676-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2676-631-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2696-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2696-562-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2760-124-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-39-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2824-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2824-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2824-49-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2824-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3360-237-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3360-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3780-637-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3780-256-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3812-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3812-249-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4404-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4404-262-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4404-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4464-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4464-636-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download