f2c796fde840f497b3ffdcc48b2267eaf053a8d5ed218d759156967643f07cc7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
Size

1.7MB
MD5

088c66bf328fda8088595e92c2c16b90
SHA1

a1e5e35f018f7513e73264484fa161b416efcba3
SHA256

f2c796fde840f497b3ffdcc48b2267eaf053a8d5ed218d759156967643f07cc7
SHA512

e6d278ac2a280b73ce0e2a1d307acdae526efe2051e7fd41e2176c9a5d63b438fbf2faf413c87703783a366128e5d3995902885cd7c0c856cdf1791981c41de0
SSDEEP

24576:0uiNM+OMu4NlH2wv5eRQf5SaYUwrZyV7NgH:jN+OtOlPvYRQpKV6E

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4536	alg.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
3496	fxssvc.exe
4472	elevation_service.exe
3020	elevation_service.exe
4880	maintenanceservice.exe
1348	msdtc.exe
3800	OSE.EXE
1012	PerceptionSimulationService.exe
2156	perfhost.exe
2932	locator.exe
5000	SensorDataService.exe
1676	snmptrap.exe
912	spectrum.exe
3260	ssh-agent.exe
4420	TieringEngineService.exe
1620	AgentService.exe
5024	vds.exe
5028	vssvc.exe
4832	wbengine.exe
4556	WmiApSrv.exe
3044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\acd37e70293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b4bd5bc19aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f7f6b919aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087e9d2bc19aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081aaccc319aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057646cbc19aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cad8ec319aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e08b73bc19aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4136	088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
Token: SeAuditPrivilege	3496	fxssvc.exe
Token: SeRestorePrivilege	4420	TieringEngineService.exe
Token: SeManageVolumePrivilege	4420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1620	AgentService.exe
Token: SeBackupPrivilege	5028	vssvc.exe
Token: SeRestorePrivilege	5028	vssvc.exe
Token: SeAuditPrivilege	5028	vssvc.exe
Token: SeBackupPrivilege	4832	wbengine.exe
Token: SeRestorePrivilege	4832	wbengine.exe
Token: SeSecurityPrivilege	4832	wbengine.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeDebugPrivilege	4536	alg.exe
Token: SeDebugPrivilege	4012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3044 wrote to memory of 3004	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 3004	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 4496	3044	SearchIndexer.exe	SearchFilterHost.exe
PID 3044 wrote to memory of 4496	3044	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\088c66bf328fda8088595e92c2c16b90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:912

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3004

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3e0535aeb20943eb3cae2524fa18e57f

SHA1
5993fda254ab2ade21ec34430375814c8f6fe737

SHA256
e766480a0c2c84a89b9fd4458f6160bbde45eef1ce5f84b91cdbd62ded84bd1a

SHA512
bbfecf1c6e18cb9609b215772bdbcacd06bcfc3ed7a8d5cee39d111afb9c9562256d3a11eeae1da08097533bc6c1f45b8ec628c3a82559d386365aa98d80eea4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
c414b7dc43c010f358cbf85285d3356a

SHA1
0a46fe3d9097ecf029b353ae0eb325ab10089870

SHA256
fd0934360b945f93dc980b17f4bd06e8e9d50e7c21348d3d6773a86d0bd8428d

SHA512
10d22a3de4b52e02fc14f1fa4a44568f032f3e63bd239549b03f9fb775144364ea128ff89121629d69b1c67e2da70f48b9d4409b5db69266b807ca2a17059e31

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
0a29fdd6cb7fa12cb72071272b01af37

SHA1
b7816cccd2e96b651e22d3ac78f3d66b96883cda

SHA256
43fea43f0ca19ee8dba2f74438dafd44b5efc50c2f020819b49939ff5e6681d3

SHA512
9037b1c08cd8fc7dc85439c7763eb79d03643466bafd8b6bf958df58dda7f67d8ffb0d1ef58468ba2902988a84c3699dfa4b7b93ac0cffaaec223d508e82e929

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
61b60df6f7713401c0c74bf8597b7c4d

SHA1
db2f487599ea43471a3758b6212dbb74cb85334b

SHA256
c68dbc5831e145d45f7d06c9b174561072f4ecf59d17c43c3ab4bd3c7db5d06a

SHA512
49f6bf6fab489142024bcad916b621dba00dbeb4dc41230205fcc30667e46929ac71a3c5f8c5a8a4fd907a980429dc1d4222968c040bf8a7a44ef860b6a2bb86

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
90c2d14751ab584efb583dbc004d4a42

SHA1
969b052f1db2f4d311f1771bcdec987038ec1902

SHA256
d78b64c35d377c5c1348bf1bcac885c36b1fb8e592b27330b84e1a817de04f8c

SHA512
693694561695b38ebae93eacea2dc84c038a19a30691702f5a8529f0ec0f2d7ebc553d95f2873d882a09bf3eaa38e95743271a9727ab3c59feaab80a965cc9ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
76e90091483adba6595c78d79ae0ef8d

SHA1
ced5add17ef86c1aeef76ffd7964c670a02c0417

SHA256
5f869981b13ba65c60318f271d0eb4272b56fbec1e25917d7e538e01e4948be6

SHA512
5fd8aedb81f931dad257c6b50893e05f4243b6f6273c11a6986b02f481c2ff14fac86a05528ac43077ced1c60ea8d2218ea22942b01f76315b77e1d5900146d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.8MB

MD5
2a8b114ba86fecab032ce5983d54096f

SHA1
8ef2a8b8184da4b1b404b87fd2e08da1c186f8e7

SHA256
c4d2a6ba17f87e9101dd8b032cf6222af15065640b5c4e5ce62465a6a3db85e8

SHA512
b04c1aedf72f65650dcd5264403b65fdc64d3d6804526be7ad5ea29f382ee8592be9ae1e951cb911988063d15ebd3e208be87f7a11d25173a1530d065002d469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e2e7036e3dd55cb4fca156cfa35910cb

SHA1
5a4d88fe83cec41eeb6249642ea80f64a8638cc0

SHA256
ffc7bf2aa463104517062b63125f9d3d273f0c383f5e4b0e81e1b5bf346fa359

SHA512
005ece0760e057af76851801a8f6ae4f5747ab1be8d689e959771c123382984d36b9f4ee5514243e788e47fc60148aa36d2ff341a36e1157a4f2f20257ac18b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
605504deed26c30f9521f3480c09ce41

SHA1
4b9ed52c40ed4733a72045d8ac5b7043092964b4

SHA256
6130914ff427d0a4e8aacca798846518cc25b3139dc8703441b9a00acf6b743e

SHA512
1479ccc50ecae0e122ec196ae8508c61bb19771396564e11b4744d68eea9b6a4f118b68c3672085664697eec1a29d1aff8e1a9dd8f40685d58ffb7a6798a30e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
78e9745e551f34951338552f716098db

SHA1
5270aac111f13018ea8db4e424b1c1801a20bd56

SHA256
ea0e9e4a68ab54989d4e942d022ff489c7f4ca8dd440890e6aa99e467422a6d6

SHA512
0e9e451988fdd1203309f434dd406ada6118c486383cfdf1c02cc1f59c833056218ae1e9a03a1a1b1829480b9adda8addc913f6898495a46028bc78df05cc32d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e09268c3fda96c388902d6a632df661c

SHA1
afd7e110f692920e2e9882dee05571487f30f502

SHA256
8f1d6af424da83b1fbea95dd6701a7e52b5820947f9c659befaa38a4088566ec

SHA512
121d0fecd99f9a47ab4f86929abfb026be0b31b790ff86cbbae91df56680a6b7f8c4f22bd7229da230f27907cac1afd0b55d0418c284881f4c9724ed7897d252

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1f0ddf1af37fb53a295f7cf7c1529ed5

SHA1
4706a76549d7082f824fa2caacdfaf63e1e73a80

SHA256
15cd262436b000f11746ae8dacd581d958ac883e589cec604ad9c5f194698b02

SHA512
292df94499ba533e6e71246bd9d3495c35d58bc2271ca4bc89ec894231e98098e6c12fe50453423a8087f15bd7b9e81d0c40a0ca7e9e65fea1b80f816e87a324

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
1262b6121d7964f453b08c728bffbc59

SHA1
fb98e83e21be0f8c695aa06014aa94359a9373e3

SHA256
7ff9d2ef2224ed4bb4fb587d7f95353cef84fb52fd7b197d608ed1b34d6a46b2

SHA512
03da4105338a7ce555363764bc64aa0b01e6b12a988e736aed2c5393459f9c934c0febe2f44365c66349a7efadd95751383fe452e29521003f90892b6e6efe86

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.6MB

MD5
045233d2cb8f65f597afbe5e467b24f6

SHA1
903ac7248ce0c40c9a5f0761f3681e560f91878b

SHA256
7abeb74dc1c6cb52d4bee293ac906dbd65c95a881723b41e8fa6fb119c7c309a

SHA512
976df2cf565e0951810c79959fcd3594517ef62f91b5078a69837e763917387d27e422c5c4dcdd06bf8b5e3b42e11e76972ef08e924d386f65017f830a87c3e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f84b719c0b26314ccfdff450eff9d682

SHA1
db53cd4087f610303e10ca67374bae4953534f0b

SHA256
08a538010dd5610d27d52a5076867cfb026b1603b5f2af5bb72b5d71ba550d3d

SHA512
66b6f0418973d02e488fc3f4f15036f3e840ecedfa70694330c3cef0eb938b12dcf8c118ee208821aa00850fcfa5d10ad137b20a50571697b3fa14136f90edfe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
d857167ae6d06fc5badc313fb9bc392a

SHA1
21076bb7e90ce6dc2792ce76d3e8820152d1c374

SHA256
71697eb5f6d901e0c85e3d6ec41de53f6b0f26c296d4a7ea423b188aadb575dc

SHA512
4262053c73c7cceadf01e7294af15ddb5c76a5232c0a02ea94536516a56a80738c8c080bdf7c5bd1e133be91f5ca1d66dd15129ded2b0172d562f6a60adb0d82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0e5ac3fbd9ccb152e93ca51dbbbaec8f

SHA1
c48407f79507d67d1593064033b4f7e8ede0c3be

SHA256
936a51157d8c255edc85748b2b8551ff7820974078fbb9afa41d70ad87e5abb8

SHA512
23b18659ae121e52d5e0712da77506c7bc8ea45dc6b531e6a7083c17fde1ba3a60fab6369523863389df802c0e1aae77c8b5fba4e1d8fa2dcabd744d71ae602d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
50e875bc38cfec62383f6292f8e219a4

SHA1
2b3c66ca0d798ecc9f87b690d2e690421f342554

SHA256
171dd4102243aaa3bf040f6cb58a0cda0bd57578903dc23bf4adcbdd07393d04

SHA512
f2275c3177a2c9ec1d5d3dd6612894b2f942d02c07ae1f044723384ee057e49bfb1e6fb6c6887ddcfc250523ca0ce8ae9dc14ee7cd5650778cdbc819126799a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
3966fae38c0535cf9a335c10f63f24e4

SHA1
f9e13c7ced631d1033cf1bcf1e224f7aaed2ae53

SHA256
c5a681115daea21e0eae8f111cad9bdb4c5c198e720d693bf15fb92b769a9408

SHA512
3080a834cce8655239c6ab85d3ee787c980461fcad6d2cc658d8c34cfaa0346e355d3a22a81cf5f90fa3da976ed4ea7afaddab5dcf2ce639dfdb26a54a4d1933

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
92629d265cf2db0bddb95418fe8378bd

SHA1
5ddb73bf75599dd0e7656dca23558faa935cb8bf

SHA256
8e11c7a46cfc9f92a5601e902ede408421a85c76450aa7ed054e7822a80c2579

SHA512
3cd19763a4df4528c2e8ace991ce8402ac0af7a59396aaf93b15363db5ec747577482881ece1e9cd7de3784ff2f1db3c91a15dfd2cadf671d196b9b55aa1c36f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
d57ff66fd9cafde0569c327d32cf39ff

SHA1
55e24f8c40f53eb08cc66995c218eea822f310db

SHA256
5f9127073234b9686d0b386208c0a0cb5facbf0b6f6d0872f4aaff458b3a6c43

SHA512
e9b236742ec68ef9ca00e28e597242769c07e0edde9dd747fc78b37c5a85f25d514c5faa5f527109c731d39f39264af73f7056480eb45b9c9855455507747583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
a78bf2e942bf4f88ad903226fe0ceff3

SHA1
7ad33e9ea1ed4438c8165e10d58a8e0ed4fe8fd1

SHA256
c08dcc6090560c30b95d37a65d3eec66931cc848b89a2035ba915f6c9b2375c2

SHA512
b1d39c876d4d5e5fd40484f74b3aeb6185e0b808394df4567061992491bd1dfc82197aee8f13974cd274dbb7a2a0a5416fc219ede5fab7448745215943f3a6e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
93fdc306021f5ef89a6f61c729dd92d8

SHA1
7c44638740083f3ea9fb612f93f0500a85276f58

SHA256
5d22b41f83854d21e48823c10011961f61a2c1ebedf1351d4850ccc94d5dfeef

SHA512
eb9a96b2c3a4d480f8e2b84e48ea42036af06f88f44bbae2d6d5059c7da3cfeb5a3a4532038ca65c4cdfac1f95dedc01c54b59f844acd288bda20dc8d674431d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
31b5d10b03624e1fbc8236257e73ed2f

SHA1
337ade00a80e770f3f05f18e16d8e4e37f39e224

SHA256
52e10f4fcfc1f938b6e5f70700374b73fcd04e403926db7ac63871093f476fad

SHA512
737d0721db1b636c67404c696c38e149e25e38a58b99fee966a3dd261a475cfd19d69bb94838f456623651c8bc29d9622fa7a1ca0920eafefba8081fe756e83c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
564c67b8601006b3c9e7ba4c030b64bc

SHA1
aa04ce670d36a14ae0671f79c56d77896b3a5173

SHA256
199f6ab501cd2e996277e1353b75b59096d503d2f45a222761fc7e31a0d6f837

SHA512
2a3cbf50c5e7c699702b2fd8f15070075d96a51d3ee4c49048e0953a8faf4e514cbf08f31d877310284a8743766e5b6ae6ecc4a59519466a9aca76ad20cc95e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
05970f7219c0bf466b1fe4b9f7aa326e

SHA1
1a59590619c0d59b49aa8df3d49437b0b1ad120b

SHA256
f24ba32950c5a8cbbd7815159093aae00375594777ca8f2cc2624441f6012e7d

SHA512
49c08c76e7643b6b45e6d107ab3acc317fc440fd6a19a3ac883ce7703ce26e38d0fc209945064198d809b31a8e9894a8dc55b22a0055dbb5a80c6c704a422200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
412d189ac56376542068615bb12cb0dd

SHA1
0fa35f5bb274c983e2aee77123965ebc66cc9507

SHA256
b44cbd9d06835907d0f406382545b8769f4d9ead50c70bd28e97e217edd22aeb

SHA512
0305f9b704b34dc3d90a923392e371b3dd69287dce2f7cdf7572a6146d24b7cbc8db274f588de4ff8a2051f09eeeb5f30583a1e0893d4a525ff85b90ae6a9179

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.8MB

MD5
a900ec1e403ef61593e9b6fb4f6f7aee

SHA1
8dc68afafd85318ff21323b21089498652e474ac

SHA256
694e148d11a63e52704a6dfba88cb973887d52b507d4d555008dd67a57ad5ef0

SHA512
26e19ae089c0b4eee72e3a20cba3ecc259347a2f67e81b830b592a66a0d0a4b49aac8dc1e5c7796039bf1a1c1de94a8a3af59886452956f581de1952966cc33d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
c145b3d0b4faf65fdb1a755ec2983657

SHA1
a18bc305ca9f790188526882e53bbbf44567bb28

SHA256
13c45962230f0cb94515165bd8b53d7a4c68167bbe3c1f4e389e0fc72a3e4887

SHA512
c0a5d3136b1c191396115cea0f6e24c15144930a4015dbc061e36e907be95d789a9e5f237d8a976974a64dbd87b59cf15dea7a6b51eda280cda843eb504232ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
b3fdb770f9d5027477c2fa67a6c08b7f

SHA1
27f60bc7c227ae681e42e104c94085e3bb9ab85a

SHA256
89856eb9995379fa70a745ebae7c0396ce63b70eb7ffa802b3468c119859e515

SHA512
5785cad833d83a67aa748bd77f228c0754325b0cf65c77de4e0cedb5da4ce9180182a2f1c6b25bee6d6c72287285ab854a42f35ab0d5c8c30f0564cde2ef1a8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
39b9887c7e57d12bb5ace0cc8259e322

SHA1
60a1a5d081076c577756c40706f52a0f9135202c

SHA256
495713b0071630378381af9497c6ed6feff3b40626cb377a60e9c6ba9fd4b095

SHA512
512ca6d986352605d084c27e380624fc5b906d9db1d36356bb6762528edea5abf6749f5005615118d23dedcbe61a912f61df5c718963cfe619f653a1be178006

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
0c869db98549076e3559c5050386523e

SHA1
8f87a1316ea15f50dce01bcbc9b43f1fa3709da9

SHA256
f069ba1df7beea701b40c202bccf16b04532626268f5ea896b7a957862b81d56

SHA512
b62e65aba35851fa88a960288b5022678d4b718bfb36a3bbf657af1f5313f10e80020a2adf1d8723c754b5582d6a753550ee694bef85daaa28fad933761e8f5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
958016c9eacf0637895cdec94142ea34

SHA1
65163ddad6b54da4d0711614807e9664c42f6bf9

SHA256
64e70d9789f38eb1a5b02f139ddaf2604e56bfcc9708d578e5ac0decc2b1e62b

SHA512
6698458da41e67f501334715088b7483962ac7a179d39f80142749c018d1e999df5372fc2fc4a04ab0a0f29e6557c567461ee94666495272defcb2a23bb0f8f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
6f231713bc3c1cba8a801ae632ffefd8

SHA1
3edc132a6f9fb9412284e5518531d3f78d935795

SHA256
39a99df063eb28dfc7260756709a248f227729ebc802f1c1a4013c4c22d5d8aa

SHA512
a8da1b5df53eae0918ed2158f0c051b5c1cec4e29e908a0dd0d035ffefc78702264a143317a2b4b1727754e0b0e4ba0ff106a0bf50ef055eb7260ae0f3bfe424

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.8MB

MD5
af63059cfd46df435b92de4fcce0fc52

SHA1
b16d94f1e22d1bc500a046644ed4497c8ebda91c

SHA256
1d10fd3811de7edf5b942f9140e9c0dbbcd23559f5480065ab30874bc0f419cc

SHA512
73dc35d48d52c50c1ac2915637b036f28cc9c4648595c529057313e83c097ef86c56d2c15d5fbf034c357bf65b87582fef609c725163d7418776c445030b9b3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
4aba8637bb405b7bf98900befb24c3aa

SHA1
5fd391d5dbafe12a53a7bd2fa8161cd496610200

SHA256
280ef3d74c5d429a0e6204b5d1f6b3cab863084d4fe6508e46b075922e225ac0

SHA512
f86f43f9a2b1fd889e85cbdcf099fdc17da885f35e770afd75ae2d4fb8c571c0e51e85775ccb88446c160ab6e322994bfd735486be477f8767fc7539d0242910

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.5MB

MD5
b0947f24f0c19a418298ea2a015f3658

SHA1
a3efdcf2f36a62614d157a407cb4de6d9b51dfbb

SHA256
fa9fb961bfa059c55be8d97d52c681d5decb3ae6382ffa44e3aa5a5d8e0c5086

SHA512
40c5680fc551daae5b89c335e48b24832d66692eaeb45d28c01d11e955c250ee62ce6ffeb2c155c710ab980bc18fdbd1aa57a36eab38f895277df3bcc9ac3900

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
a3e37a85ce7d100b317d75228f37cb42

SHA1
d004577d990ac3bc9f251f094d822f72e5c9a201

SHA256
185704f2d9256ea4366ea4287d3c30cf732598ed1ef9b31a452b5beebfb12723

SHA512
b3780f1379ce53d7f47dbb46277ec21e41dbb7f2ee839d113540fbe778d07bc250ce455be6f71edd5d67138370241eef4f76b9a6882d33b6932170d993a6907e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
a4f8fb72c7639ffee0537c18c7ed731e

SHA1
ca1fd760bb4a8593f7de10d995fc0e1de344d583

SHA256
9411b21fe6d72e60c120266561595c3c8505b2c2cf694377308bbd73f21b169b

SHA512
e89ccced147d035498c4803702883c04fd3d92728fe1bf460d18942ccbc2a3204bcf48875435e4f7cd51ff6f405a04f5ebed5dc8522736822ff6bde226a761e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
3778d24d4d50ee89f590c212fafc65b9

SHA1
a24e1e023d72516c905c14e0270b8d179f7b9f3a

SHA256
453a118dd3dcee408537d7ba3cd9ed445a714d8e6317bce2d2312d5449258874

SHA512
754be08b70f19259cdb1b9b0c790a51c44159859e66475b1f372556e96cbd971619967b05f068846ce72a686b4e6fd3fec3c5d9ca416c97e134e4fae618db0f5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
69e72619d122aef9c330e5d573e8678b

SHA1
552769e720f22817bd4079f7e29e9c3294cf6116

SHA256
5d32ffe9ebc8c7d32b5c2455a7b71a82fd3ea31ea982d0b2abb9769ae890d7a7

SHA512
d9b29b11f60064cafd9a2d5ad137f9d5166e75fa39cccf08bfb1d4cd9cd52e5b0ef3c2ae8b8df59c6432a6b3c643ef6f2d2f6cfe7f21e3b74e6386a484e6f5a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.6MB

MD5
bc61b4911d07a1a9678d3caf301e99c9

SHA1
f5b2b5076c41e04d3bc09ba6f5dfa10acbaffdcb

SHA256
130448c6116fa1fe96ec78521693dd0f4110c585f0e311c3f42a7a1f5c4e0bec

SHA512
e8ab310c0e4b7d5bfcb73c4967702607dd003509157042be0eb6e50ba985cbc688f3a16b4b2b1371bbe1401d2d1358f368a8fc31eb43a124619a3117a57217b9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
246a638c2db36488d146b239c5539aa7

SHA1
5b9c7556087d05838dc4f50c35429c676506aa8f

SHA256
791331b470ed468a6a25affadc23629e999c010810379dc3fe689d56d0c657a9

SHA512
61a4975440ae7296b87e6eff3e1e66cf742ee6af29cbc7c70f126ea76b534f98518525539569d4114764f2b48c1d0beaed4f0e9f3f6394291bd96f6dda6bc817

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
3775af6bc8262618db3a0afa7062745e

SHA1
d9c18af3d6b5f7ab4b1ed6ca9a63334c1ef0041e

SHA256
a40508968d01a1c22f1c873e4a5d22da878eb54e966ffc2a8aa6d7ddb0f92196

SHA512
fca2893a4aa2d8221329320232ceda7bac4c8eff3e4357766f6c56d55fff6f61458b2925ad55ba8e0b7c231165e1d7a71f23c50ea24d93a1a698256c2d408ff2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.9MB

MD5
0774f57e628656eed113ad8c0a6bb65e

SHA1
78c47c646750bd1fab8a69dd5cd337fbc0c847e1

SHA256
bd09636e69a7413ffe337b045ce064932034cc3cb41640383d0f1e1a6f20f2f1

SHA512
10a1dd8a9922bbdace507144ea7e541ee44f0fcfe81ad5bce13a7e98147eecff959dbe014e2d68410df97c7e0948986b7e8c62f954289351f78eccac62c9dcb6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
2abd983b39cdb7be1be8e11734a9559b

SHA1
2e9de4bdf6785c53868593c20bbf1c6123f84d28

SHA256
8dc6cecf21a26511f92f2914c8f4dca52fd2a875d60069a3f7a4523a93b4fef4

SHA512
965c2a9d5ea53ed953ba24e6ae4ed7f8934f901fa9ba952723c7c5550395cf3b631a47a42308be5843c1ea4e55be3b5dca327fcf9abb7759d575c8e640f7ace4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
687ab6627b9afae290fba236ea195f1f

SHA1
c892e48a981d29da1f3784baafdf0ef8ae561606

SHA256
ead14cbb05b0d85a054f9a31ee4448d3851544fdf1b7cce639a6ae2ce36d13ba

SHA512
b45594c2cb350b5c25330d7f64f6287c420e055998cd80eee791df2aa00be7f16310c3459269b164d4aba3d38bfc97bbba2556fc0c3741677a80d684e80cc953

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1ef416c00c22ffd43b2c58bcf438d03a

SHA1
e0a72f0913f3aefe5a6e51dadb7b599338fed88b

SHA256
13c6e8ea64f854b3e5df0418682da389e7619b09d73134331bfb2b3c2ae434aa

SHA512
5df4d431f4dea96283daf1c0415f9f12272c15e89a7423217ab62710f196d43ea238c6332b8a08d54c4a8a29848fbdbe02f195b4ff045fd6ac12a7f122d78175

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
71ca879e83e74d7aadc27defc6b6dd25

SHA1
13c8cbb0ea65604d1b71039882bbdaa181c7e3d8

SHA256
00c5b4d3b495a056ff5f67a816465f771d830661549b114b89b7ec67a245bb99

SHA512
b02656f682ea7197227e27a57f99402470aa3c2f37fa4b126f2524666e06947048312571033dc3230ff3ef92e8044cf7168e60ff1ca13cb56bc3415348f08b2f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
0f29cdff748dfe8ab1e9e026a64f92a6

SHA1
d68d53b7124b827fc9a8fd6bbee3c588fc6df091

SHA256
89c462153dc892c44311bd4aa59a56fea42491aacb67b433893068eb51eaf7c7

SHA512
6cf1d3dc061b9b9f493214663becc3c965673747ecf45fce0bb2bbb4dbcdc5f80b5867d584996230c7d0515655115a5aaff292eae68cadf0a014d7bb4075c4a4

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
57d0f15898eb4f560680f2b0e2b69d21

SHA1
a2f91257cee9cd46e07a31d0cea7a36ae1e3ac58

SHA256
ff207e60ca50e4ce8ba41e2c523ae4160090e8b63aebb022ee2ff3a58c9c5730

SHA512
266d6436b4d2dfebb3583119626b7aa0c0114e60db1febd4890af99348775600a4bd625b04fb55cebfc2ce63b97e1bc6765cceb341d49347b59bbf617b41ce4c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.6MB

MD5
eef35e39b20054f476b8cec044ec9e9d

SHA1
518861e3794923c69873fa43c7d3ea01a4001410

SHA256
bb61e1159916b123cc8072add4f13fbed1305fa2b70bc74121255b02650636dd

SHA512
7838301d890dcf900c4034e8cfb350dbeabde54d030c72c89e0080697172f00f0f5f1f6e8a600daffb435d8c66c76854d084f2e4816ed0f3d6bfc8176cb9c68c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
0e7ddc389280679d18f99a32b4540d18

SHA1
e2d7d88d07168ac06abdcd1e8399dd361f3924b1

SHA256
5135d7fb43d2dbcaee303e2799875ae2c0f5c2ae0c3094f03e8b9111d75a7c70

SHA512
c4a7ac359ca1ff0794e50c341b4f6b715dc6559f982073a9742bbf9a27a27a2c9582392f70d06a317dfc7db70e2abeaf71ab640103f8b242c0e946fa9f9bac08

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
f11adca449e86f7e461e3965a91a3235

SHA1
de5c29b78f62db67d930d728fadd70e077f83640

SHA256
873a361519fdf09cc2a19bc0d8c510a29a91380107b4a62aea49ce97bf62926d

SHA512
246c16d662a471fbe024e3403457045a550aac28f659d3d3a2dfa32649702154bcee0756fef5c9e3e79049927693bdabc3be5280f0a23574c2705013cf776a6e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2ba2358fccfb1dbf98dcd4ac6aee9f19

SHA1
78cc34bda20abb54658212d465c15b635d7431b0

SHA256
8ef143f4cb6469b50e3d73a5fdafa50e3142eba3b94b477b33821f4e8e93d88b

SHA512
71c2c11de0b9256eedb24299d15b8f9559f608d4e9eba33dbe3b62451c61553e7d6fa4202e5670d3267fa0cbf4813b6476e1c468efef8695fffd1eee213d13bf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
47a95f8c13bb08c63ca979a1a2a2a4b8

SHA1
03273005fdc4e438c6b890847b704695a50d4047

SHA256
9ed86cb9cbb6f5469b3f631668b7e23fb2f1b2c9f73e0aa6159f63a492c408af

SHA512
2a4dfecd99a28ce667dd8b7ecffe5ef3b01683073ef65df4026a59d068d3009538275fe7f2407946d139561f4c375c11cd77267bc3c163467c5c8f740fa9626c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
eb0f2ee17c797055e01ee710d8fd6dbe

SHA1
589c1acd1a1046c04f8e6bb359f3eace1bb62f50

SHA256
a0e2a18ae0d51e7fa9880a348420d88bab0841c5d05ffcfb2176866aa72d8aa9

SHA512
80a374d558834b7c8469814ff41a0b4a5cb275a34b93c50c66feda03356b464f8dededf552c7946de8af4e129945f8ee2f21fbe6de31ca9ed1bb9c7011bce147

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
723bfef02bea0ee69b3d1c4aacaf3fab

SHA1
20ebd718ef6dd734d3ccab1ca987be4b4796ee2f

SHA256
6dfc59d0ae408659f4982ff04b24f14f3de87852d98ae35b4194855b57b0c785

SHA512
7127e2640c03ba6275c214f505b90bac51f79bdaa58b9a028ad49abbdebedf4b88609579c0565b6e84e7b39308396cf686eae9849cbff6db88955f8c66c8b92a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
3b268b542f19e67c97562dcce67583ec

SHA1
2ab6c65a95d1b126b92d57c6f806d5f4f8d2b051

SHA256
53e45d619061027ec4cb6cbb4493eb7d5f778c782953fecd2559c3ab4e1a29b6

SHA512
0880ba9aec8c176a1a93119484fc386251f806f2a2cf7cbbf781dce2289af9dddb03eba0d13117015380ed646b5081924e6d392f25eb6f33558a6164ffbd96b3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.6MB

MD5
88d2982477dd3acc43601d9b0d3b6cdb

SHA1
b091ba03dd95a837986cd83ac00bfb14524ff812

SHA256
215bda31371a1de6c6918effe7a777284dc9185fed271c9f1497420cb8e99ef0

SHA512
58e2bd2db660bc8f6a717290d28d88f621bea65dd24bf121319e245e2547c7ff5c6e08fc20bd28bcea083a495b71264e881c086c1f3c35e46329be5355b237a3

Download Submit
memory/912-272-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1012-133-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/1348-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1348-98-0x0000000140000000-0x0000000140298000-memory.dmp

Filesize
2.6MB

Download
memory/1620-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1676-169-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/1676-647-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/2156-644-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2156-134-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2932-157-0x0000000140000000-0x0000000140274000-memory.dmp

Filesize
2.5MB

Download
memory/3020-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3020-593-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3020-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3044-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3260-273-0x0000000140000000-0x00000001402E1000-memory.dmp

Filesize
2.9MB

Download
memory/3496-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3496-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3496-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3496-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3496-56-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3800-132-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/4012-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4012-34-0x0000000140000000-0x0000000140288000-memory.dmp

Filesize
2.5MB

Download
memory/4012-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4136-468-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4136-1-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4136-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4136-467-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/4136-10-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/4420-274-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4472-592-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4472-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4472-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4472-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4536-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4536-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4536-156-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4536-18-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4556-278-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4556-648-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4832-277-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-74-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/4880-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4880-87-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/4880-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4880-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5000-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-508-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5024-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5028-276-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download