1cdc8a236824b5a70cdd5638ee36070d78955502cca62abc48313b7eb516d9a0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Size

1.3MB
MD5

7ef904212f4a769742146ac84eaca240
SHA1

adb34545c1b1ed9fc631af12af1e1ca886f90c93
SHA256

1cdc8a236824b5a70cdd5638ee36070d78955502cca62abc48313b7eb516d9a0
SHA512

990136bc1052deeecdd02b6d17af1df1c0a5c1ea80cb3105506390f8d28ffdb47ab8c542bc3865b11f515342cfc4dc6aa7b72a7e9b0984b77d88f031b7b9da46
SSDEEP

12288:3QCB0rchmvqOoixs3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:3D0UOnsV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2516	alg.exe
4884	DiagnosticsHub.StandardCollector.Service.exe
3208	fxssvc.exe
5068	elevation_service.exe
1816	elevation_service.exe
2340	maintenanceservice.exe
1720	msdtc.exe
2336	OSE.EXE
3564	PerceptionSimulationService.exe
3572	perfhost.exe
1936	locator.exe
1728	SensorDataService.exe
4540	snmptrap.exe
4220	spectrum.exe
4328	ssh-agent.exe
4208	TieringEngineService.exe
3704	AgentService.exe
3176	vds.exe
1140	vssvc.exe
3204	wbengine.exe
3984	WmiApSrv.exe
2712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\331307dfe703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4aa350a9bb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4c76f099bb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad47520a9bb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009345e0a9bb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f646170c9bb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b158a30a9bb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1881d0d9bb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeAuditPrivilege	3208	fxssvc.exe
Token: SeRestorePrivilege	4208	TieringEngineService.exe
Token: SeManageVolumePrivilege	4208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3704	AgentService.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeBackupPrivilege	3204	wbengine.exe
Token: SeRestorePrivilege	3204	wbengine.exe
Token: SeSecurityPrivilege	3204	wbengine.exe
Token: 33	2712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeDebugPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeDebugPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeDebugPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeDebugPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeDebugPrivilege	4804	7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeDebugPrivilege	2516	alg.exe
Token: SeDebugPrivilege	2516	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 400	2712	SearchIndexer.exe	112
PID 2712 wrote to memory of 400	2712	SearchIndexer.exe	112
PID 2712 wrote to memory of 2432	2712	SearchIndexer.exe	113
PID 2712 wrote to memory of 2432	2712	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ef904212f4a769742146ac84eaca240_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4f6b462a62c51f5bb883960083304234

SHA1
f4436323fa0a21142d4a4b1af9ee07ddd3bd7dae

SHA256
7b513a67eeecb60ad1064fefd404a60acdeab50a3890a4c7eae30529cc6b63ca

SHA512
b9cdec347f052745ed9f025a1fd00fc3e9ff04f0da65771f7825718b229e653e4716357bb0d578e56a1efc739e47b19ae521a511a2952f02e8e11cec1e09617e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d02d73bdd315c2d365a3cdf718e6df70

SHA1
5bc0485fb29d1be8c538d125e9c14e6c97717aa2

SHA256
c5f6a7c00c833e0d4fbc4481f9a0a573cd67de9dfe83452639a0829a0cfc9131

SHA512
9e82ec2b09e83c84406b1d884389f2afa6c7ff8fd1ab62e5d2cd015d09e62071999c9cfacc4b7f218cb3a1fe1fb3a9b962cdea8711cee58ec063af36fb6850f4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
15aa151c0b10da5cc20fb478cccffa7e

SHA1
6d2a96e24b9eb97af32f797523296a0c55c5a6f7

SHA256
cfc60337173743a6f79ecfb69fd274b8fb7d09518b87dc8caff1aed2a2f4dadc

SHA512
c32b4b32718b2fb53b213fc54a9f47ccc82d71243e4dcfc9e047eac5835a42126f267e89c6f7bc475b163e9787836da03dd54ddd80dd7ead67ce26d4c7fd0507

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c68520f128c4670ce34e91e87c514204

SHA1
902b90a69cd2e8e84296470a30ee493349c4d837

SHA256
1ba9205f8fd4e6836ff51e3de48b490b29fba5ffca5c5eda734f9a52da4a8711

SHA512
ea6e6caa67e61a8bb035c613d9741f9a1e4a134712a30f7d900e95ca1565025931da07d38ca4615699b73defcca1cb9e8cddd7258f578f1ad5e515d710092360

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1c823170655d4b318df9553c70b650c5

SHA1
815c43e3e19ecd27970f09295fca66a648beac0d

SHA256
1b7ee3686bf108f4bfccbfeb7850a59fea7ae734ad050cdac18c6b76cb53990e

SHA512
3f001c0cb07dac0195afbdf122fd0881fe08f02bd579207663140ab44300e698fc85079bb97a8eee737a69dd09db9844953809e6c6ebf5036b5d6b57e3e7ac67

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4ab8a64c04311d9b8c3dfcb71052ead1

SHA1
91d2de652c7ad8eb36e3478a661daf125aaa1eac

SHA256
f214142bb2ac246445c6f77c7c0ae12023ca1e55fe747c4017b65920db8062be

SHA512
d9057cbefd5eee1debf0553837aa00964ddcda64650c7dc13093f882be5a46f0b8b442c491b4d1b7aea8f6f9f2ef7e4228609d21e5f98361b6760ce863fba11d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e3bbc02e3e0e4366c23f7ec9ed7d31d2

SHA1
b0e29d32b0c00c8c43386ed1db085dc59e26d621

SHA256
c4eee73a249f3d44d7a02d3f6be763cde57108af3b27ae2adcb04d8fd3941c65

SHA512
3063ff84372771d9c3122898b70733d8456f204e14e928636514439df8e3f020f1f3cead8f851cbbe4e2e725a8e67c9162c2985085f036c7fec5b8f680b4db50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b60554987a294b963e3248791210bc92

SHA1
4dba1275c6295174e2d4f83387dfa4ef69e08caf

SHA256
24b63fb0b31bae86142087b0ebeb1544726f7cdd418e103deffe5b494e13ad05

SHA512
d50ea1b782bf2b0e345e1019463bcc2cb0aa82d71201f0abcd12713de43fa9aa4ae181380ff6f34d6118e6b2793a71ba286ec2848bdf744d42e5373fb86885ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d49f4b50cf2e4f44c85517b9ddf9d855

SHA1
0c06141c38804046d77ae442d8c8d0a57fe3e87a

SHA256
a65d4d67f6f541b6d88af1d0f7ccf7841cd5663e3dc641b6fbd899d0419fe773

SHA512
d2e68c9f6837f17c95d873c5b785e402989cf7ad1ee70dfb701462131c78b56d5e03f213a71aeb7c5484e56f77f14bcc92a664872e03bd03d2daeac085381ced

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
313c9b2a34a6826665934641f84602e2

SHA1
a2486dcb2a20006e811221be9137d4665a9312b9

SHA256
37c8517a5a42305352979e55fec16ce6074e7ddc00fbe65204424da3a3f4ef19

SHA512
70a506e4b4db2f4718b40a84f9d10f6495420b500b80e36e67469122c8bba8b5822e138e99b98204e44b157fdcd902e5ce88231b6614021bba37eebe143a208c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c798dbc571fa3fa638ce1f859cd01bf3

SHA1
41847d95cd6e70ef179177278beb0d8a58ef8208

SHA256
622bd9e82a842b04427badfa0aede599263f9a8247510c29f82da38ee54a457d

SHA512
efe40b02ab08cac437a0cd3ec7105b54f9b587e782bcc8cf141d16d19808127086258247b3b8e02155e1c21a521bbd35e01c7e27a1981da8e5675a6ede3d8b18

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e32e71e968a16db60eb230694d9e3010

SHA1
6319a7688dd33b576bae3e7168314cf96229c9bf

SHA256
17ad3780a2700fa41885e315c50da9d8d2e21e4088c0ef445cc6c111d6faa115

SHA512
674e23b673b4cca03f187154118d296219e5d1e21fa148dfdc3ede581573b2da75b488cb6831aa655654ed924e68fb888c4900161ec402fc40edf59a97ca790f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b77ce41e66a2b14c223e63f0337de48c

SHA1
a8eaffa5e50f9dd3311f288a2696da9349de1b55

SHA256
4ec2a4ac6ee1a700e3a83f970d6fc023841f1cd015db5c0d4ad9833d9b1d2961

SHA512
3de13b1ef307de1e3b627dac437e33d05878edf2d6bcf35e3938b0abbd7b5ea670ed738ef208c46e9ede9458677043ddb6c4d722224a4ee4a35ef4788d9f3e0e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0168d0514666dc31122c743d342684d2

SHA1
3c45259b078d2747fefcad671c796e256bba754b

SHA256
8027f237634cd51bf838a07408aea40befaf916993c1246421dbdf9ed0cf23e9

SHA512
9b246a2f8b86b7c9d2cc7ac74b8ff493786839ffccd6f8513adc0760e618f1f877c43cbda7851cd98a16a3fbdf629f75effc4588a7178d6800ae355c96a59666

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e193ca5719302803e0b3db0ec514ea01

SHA1
aa86cdb0799004073e6c133bcf8be188e02c7587

SHA256
f5369e7c10957c1886c51beccef1bbf2c033f4bb5e7a62befd96f957c51f79b4

SHA512
420ca97edad2b2e066fd17c75c42945943093fb6cee8871a78ed5b88a7d4a160626dee3a93e394030fe47104bf44898ad10c158f3b1e8d61f1930bffb9997c9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
478cd7bd88e93bf183665ff389c86147

SHA1
6f1be0bcfa841b9fac1e6151e3fddb2c6776984f

SHA256
3bc2e3350816bf03b3f21cb6a451e4a6f6f2ee41222daff3b4397469d5b56a35

SHA512
10de5c28295e5ceb3ca269c3dcf093bd849b06b982312af10abcc9d31c75f38930ddab19ededbae502e3291e717e8793ca7c192a8e982f9f1c1298be0b77a63f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ae259ceb2f9b49928c31c50d6beae27f

SHA1
3f7a5af5ef48dc4e1c7b8c6d76e18b981ee0e473

SHA256
4bfedd978901369abf005cd02d411ef9fed9d75f5a1c390a779fbbd88b88c99e

SHA512
ac6f82cb3d1e14c9a2f56f85c9017d0ffc2d072a903e2886a1d785c02c814493d1a96d17537d806470785975420de0cf4e7095f3343a7a0c19ee9de6dbf7a5a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3632b28f56648396057d23d8a15d6fed

SHA1
ccfb17748196276d5edb3cade1e0f89ec685d8b8

SHA256
f95e649202d5e70698ecaac849e7f9ac9d4683b280eb8b68ea3ed18bfd80494d

SHA512
03d49619e64e440d1de29cef3f3730d1eebf57dc32b4000f2c6ba9516ff48e8fa93fb34a38d5dcf114c1dc623cc63e2eb5270302d5d06745035c2586f1ee614f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
22f07a44393f0d6d399e70354986c9af

SHA1
86f6437b5cc00e5c106f8da21fabafcf574c891d

SHA256
64155f10046bbf1fda3c2fef2c17270cf2c166dd18be5d02802c85a8aedde3ec

SHA512
7635e4774bec383d47dd19c43568e4a08c490150e62e7d916ed3dbae6c429eadeab4f3de099acaa0ef426abb29a9039d1edfb41b19068df8252d780a59062220

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
71720d6a82c4ddd91d329565a6d8d5a3

SHA1
22eccd581102577d5b8c05597d7b80cb5997da1b

SHA256
20b338e6f9dbb7c8fc1f3eb5ee8e432356e492391946ca136690bc7a1a8bf656

SHA512
df040f3f4d3439ab91b5a4299c36adf7ccfdb65b0ecc3bfd607050c811a0fe852e2efc611e8f5efb78493acc5b82ea34d129ea0253ddf2623428af754773a1d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e6c683f3fd6158fc84e7078d045aee65

SHA1
6f5a1e578fb55241e17dbcaca1356133b3ba7def

SHA256
082faf064fcc9ca5d49e1fe75d1f8f5dd5e271b9b222d8e52ca0c483c749fa98

SHA512
f2343c4ac4444c10f27951d0dc4b69b4f8ec930d4f7028c1a1a4742a250ed796e204d00cc4170dba710069a9ce9263c4408c200ebb5284b30aec1f543a9df266

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9f2c9efcac66cc2ff2f4e44f1811af27

SHA1
080b1ca6dc31fcfcd81b2b1eb3dfa09a12cd5b48

SHA256
ed6fa5c84706e75ce8fffb65bb499a48dc69320c646eb1f123e3a1301584cf23

SHA512
be547ab42e8228be6292ec526a27af1c3aabadd694330ca31fa5c04a492b30e0ec1a3c659a11bc9ec6c1cae7c0e5e9f565dc64a3306561abf26d66f77f15efe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9bc1e5bfe212a5360c94604df7845546

SHA1
154fa9b4e630a0afc099b3993ca52477adb12696

SHA256
2133e3abb5b125e9982f6d19e41937ec92a9d73c2e51dc960027614fa89e30a5

SHA512
400fb72cf0d5fbf98bd7e731b53b78f3f6e050be86dc14c2b219e2e6ed8a5fac00119adcee4ee6fc797cac9229affe0f551813899c5cfeeed39eaea88c126dff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5c931dda1679e692cab4c51a6b04083d

SHA1
7860d7069fbb8499cece97cddfd9115771a8c5a8

SHA256
7db5953ddd53464c6a851a6635ddf7a370286a33d6b615942c21ebc04d06fced

SHA512
9275c2940c1920f45b72ea35cf6ba8aae6474d290b1e186578b198e40a1e71bb11c4dd3ac84bacafb8f0469e3138662470849de9eb21dea2fae090bbfc14ae83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e89a25454c748e11039c9af637e0fe8a

SHA1
86c6ac5730bc88b860c64d7f6554beada203c36b

SHA256
11f3a2adb4542d3b4fbe61295ae3e33795fb6b66134664ec9f84c20733e5d9b0

SHA512
edf257437318c041364249a83ce6b8ba2e36ac757a35819e1c2aa1c2fa5827d54d99389c54042392086b89747b66e3f487cedae18939e816b153105b05e0a9ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
069932a9a3168058c4705ecca48571e1

SHA1
2e137f858ccaa6d52a36cab38054d2f7a3392933

SHA256
08812719d066f40b825052b59a914fb30c6c49af0a59bd0cc1d2795554a437d7

SHA512
bc7eafebb489b384cd1bdf81d3fad34a41aa8bd91ab8bb7c5600845af21fe701ca906302a3c59fb99981ed8fdd4c3968cc2463e9d0f5520068fdbead84f17594

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e388725d0d53d36bc9952196bf7bad73

SHA1
03c932f1c0ca92291ab5390c63120556bb79ed72

SHA256
735bfe9b90709d4036c999088899ebf7a14d84e77f55b22bade0d184b9017406

SHA512
ff188d6295770aa27221fbe2ce4ce599cf39146764563ed3ff50f8aa5ec249d78bb571ce4347c77beebe313a45559c37508abb36ee3b1e64f5f0f9459a582658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
d413b5740c1c95894710fd3c75816e04

SHA1
8d67ebefb3871b414c8f21d7f9b34c08b40bd7b8

SHA256
2e8823c7580eb20db9eb5b96ccde263d0df8608e5858a48d848074319b9d6185

SHA512
3e440d7e73f8b7ec0ea6dad051fc7b1f5acfad34cbd28c748cc4ee31c9867b1fe8e4d70edf0ffc5b54952442b427760d1f5efa5ad2d307d9d83862603d69ec12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
430874a18c81bcc67209da72084a6ba3

SHA1
66940b9954c8f89acd376c2817913b00a55323f0

SHA256
0d69b0e15ea43852568c6387485a7acae7537a6c28a9697506573b856690b928

SHA512
cae9535cb49195929724b5b80eb8a85dc83d31118a448bca9423babeb4f5191dfaff6e0f3194ee3edb274d4f91915ba28d5eecd105660444c834b6c413eb5886

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d072c143b2896fd4d13aedd46a2db282

SHA1
ef33af4b24b99e09c7bf3d74dc54929f19b34a9a

SHA256
220411f939022d0f37f4fca99fd89e9b08050ab287704a79570436540ee7197a

SHA512
a1ca95a31f047b3ff642b3c756ce13889ca9fcd475dcd5603d1d8164b92bd2e9865602796fd51f108ed0d995d3514db3250e4f2d1ad23c8d899ff5c5104013be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6fb7638f73d07bb1431ce1f4fc193f9b

SHA1
855d1513eed5d8cb07e86a6b084bb87a0b097b56

SHA256
c27678ec9e5f10eaa9c015011af10a21796bdbda3ea5753eda1fcbea3450a3b0

SHA512
53a980b20645b378d36406197b775e2344398314b356eff9ded79e8d68de4522b8b90f24d5f5ef0fb02748cb11f9677befa9037ac1d983e56f7ac25448f5a548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4787896bf228071d1151b6babc7eaece

SHA1
f6953ea1ac1b45d1d0d37728ff35b5beea883993

SHA256
54b1549f1b410319bb8a15566302a0b9d2c16dfadb41d86a27c2e7df13277053

SHA512
5001424fba688a58e2d4ef836da84b78a8eaab1e47e31227bcd35280c17ac6bb8634538c98f4aab88ebd8e7bfa1bb7999dba0fe092f2aa903bff12bb6a968d14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
cac4e51319e1d3ced849801835d949ec

SHA1
972116b5616992070dc54541aa0f2ccf2b0120bb

SHA256
9971e8d85d19e657b84048962dad02785105d520e59c591f3d0d21c3e46ed69c

SHA512
5b40af3060a2b6b6690d6f66895dd186201d83cf6be2c3088e2fb554b8afe245a3ee8676ea70668770a383eef9d3664c3049a3475d590693a6f1e052832de52c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
b55d332807acc78af165a53373211746

SHA1
2d58a5f4c932d750ed197ea6fab32b9f8b4d0814

SHA256
0045be7ca8987d1866bd0eed5f84b6e249c246923e121a3aedfef2627b621827

SHA512
72ef3c61ca769901db001909fed81b7024d55fa6707b8d1c2eb7f3b5c9396370f0ec4bcc75941d668c212f6b30d05162c91475fc79768e4a77b3561642aa6e73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
3da7bc691ea8f60eca5b4d5104633620

SHA1
3c320ed65b80615cbce92f8e297be426137697ed

SHA256
a6e8ae77dc984edd99cdfc9cc511514683e4c8eb0a8ba3c0fa1b421f3925907a

SHA512
fc2170ec18a8f87547b5c684ac92b704ed0063009e29ce88d1bb7753b669d42063b006d2d5ed2e9956b69b36b854a19cb6e17975d88b78e6bd96db1988f821af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1cf07cd2eb18957fe80bfcd6c96d86cf

SHA1
48f559d0531a90d40fa5e2f5a6adecf96ad8a9f8

SHA256
2930192b17ca3122246706f9e1373ecc5cdd5a3ca0a18ca501e51ab68857451e

SHA512
0e0b49952eafe372020d4bdd99a599d4194e6f9eedf877a7308754c69ce96de18e72a1d63ec006ebd0995e7ee4031d49f7409e7d52bb6a915bc59a7856f8bc62

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1ba9c81a3e2020164a3795215d580cd5

SHA1
08e472c6e9db30269484522179133498f2c2e068

SHA256
db1c3ee7174bc5fa1dd1235d85213915482bff667a8cef7413ddb3770cb34ba3

SHA512
1d5efe7796675bcb8cedd645dc27f53e63cecd9e847b3ce7029ed5868a1b995b34617874e3825f42378c1148150f0bf442706a7f91f0d608a327a05f1a7d5180

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
117844f461b65fcac4905e4b3cc4d46e

SHA1
70f552d4b9f09096505711dfbf4da77cddd9b37e

SHA256
8c92fca5e6ebf9b2f011e8118cc34e26afbf7911edf83cf7e4b2a29f4e4af1ac

SHA512
1c71f660726357efb15b4da783c16e2b3f9b9e7eb07cfe9d7f3a7410e09cb79319e3ea03b108165a235f854525ad6d65c7f95af61610320d301c95fc0cd392db

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8b4deddc96423fc757f06970dcabfda0

SHA1
1732fe5f3b482dcbe3547842f4eb6e676e25522c

SHA256
8e74c66e7e7e720fbe20850bd8d1ea209dece7b947ae44bd61414c176bbdfb50

SHA512
9fa64fd8841c231e81fa8b803fe7d99b19a2ac3dc47130f41218a87a5d4340703b8f9b53673d910ec06f535ff79083139c379f821a70e690aa91cb08d80cd072

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8d449cfb438db243009ca395420f96c9

SHA1
5248d5813a5b20b0a18540ba61806cf648b7a3bc

SHA256
9f3d002e161be14aac0ad66349d7b7c42e3a0b426e46c94cbbe9ded2d4bbf807

SHA512
5ab26daec74bbbf92431f3c94417d9caeaf20eae91285474582ed707050996d0ebe148f9448dbfcb480a68f0401485bda719bf7259d9b872677e5bdb65455a61

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9d484480afefa42268653537237b492b

SHA1
30552c018390fd8ecba263979d746e56cd8be219

SHA256
e2d0c93609657de30953d635f40afaa732581d6b839670680587808c959ab906

SHA512
c368b2428435c9505c0496717201153d17b1609ae06bf161f59ea8575dbe478d8946098a459a1292c3c6dbfc871b64d993335cefbc3336f94cece6617207a65a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
92a7ab1a9087ef5c2524a64384014f7c

SHA1
c7b892a38f167d363ded75b2115f428368ec1fbd

SHA256
0777cfea5da3c81bf94814bde55b4f4cda3b5010ad97eb561db31994c1067ec9

SHA512
b2368e2081696f27fce8b92e12c5901e738e210137e096b622bec77b516cb7ad095500437a370f853e4e7ac5a950295e39b4a747a5b44ceabeec0fad0fb9d1f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d265b370880b1150eb62ac30ee54b5f6

SHA1
554dca190ea44de4d229d94742e2375c27483e83

SHA256
f7b44e600ddb661e94c8d924d856b34c4c737e527ad7c61db4a238f897bd274c

SHA512
8fa87dfac591b94106558c80952a7ca56f90f3f53afd465761690dcab04fc823ac339c60f0943309a953fbf93d5aa1bfb81732d8fcc055cc174a9fa26d089de8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f2148e1af8203c56f92a73ff1b4b2a93

SHA1
3adc6d5ec40680647b5c1ff80b0b70c18fae6eb8

SHA256
0691c90a9af0db330c6b4a5ecf0509ac3f48769771f9c7058b4e021c12db18f0

SHA512
4a4dc2d880bf01572667cb0baec99a76d54a1c50ee8de9c19fb2c4ef77ef7b501a94445a4a26fa7474fcec8e81d92daadd09861e692f8bf16fd9dd351678c9b8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
96166313d2bf646ad42c1ed36c11ed68

SHA1
a63740753fcb1d04df25e5e8dfce0fbe9899d303

SHA256
09bddbf1c178a3f08c3a5db920d44e585495af7806d450119c8f8d90191b9ef5

SHA512
b6fca4c7f188b585f522f67e3c54a65f42acfd958c696a91abf8602dfc4164264c90b6602b51eae19aa5cb2552baeaff0881ff3b1b20d59d78fa48279392028e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e2478e076455353984858fc5d8b3e7bb

SHA1
d4f57fe46c684c02741d5086140b89e107f0247c

SHA256
6cac0b013f16842f99e51d3374c40182c25980ab208f12cd5d780e1e5092de7d

SHA512
0ce3f392b54f80ec734be2845ab13ba2a231aecf9ecd4331b153709186e2f330a9ff440174e024e11fba9eddc4a6451862d89e461b1a3c66ccaa3c10dfbaad9e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
70524b1ad2d3c54923f25ec3ecdc1cfc

SHA1
8a74c03f13982f7debb261ff7401fe25b6ba6563

SHA256
517b6f2d16b69b62d15db40de756f7de113daf2880568960c24bc6b4bdaf3c0f

SHA512
72a3a6bb1d2f991bde572ce2f0648437611ab5a59229b1ae33ac5b69a66b3ad9bbcb991c146f7b3eb02852573a4abb9776e02fb14a5467dc7bd72c1331535dd8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ea53d21741255af524638e037cd143bb

SHA1
d60a026c26cfd7a512a6239d8542211ed5f36990

SHA256
d0b4c90c01a76701b35c05a2f86c3d3bef76484da61969e6c8bc09d1d4d029f7

SHA512
3a78219032a6947e879ec9945a21dde707c526828ab2bae3347b6f41cca78705786539e2f145aa9fd45132d2a896ccbbe7e8d80b4ecabb5a8536124ad98c28dd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2a18ce0e61cb2bac5d4c6f6f1b70b7fb

SHA1
cdf01cf0c7ec777c69a5f018b909cbb449e57f05

SHA256
0d0292cb158e7c10f21fa4cafd0903c58893bf14a73036cb318c0b276c6d7679

SHA512
6456679850b163ab141f26fa1b625155c5cd9f14b5c71623f32d175f686dd37bf0cfe1133583b8b5f96231a566320e753874e44dc14fa3b7b5d747a449603c5e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6b4dfebe9d9bbcae72357140f27ca86b

SHA1
94f2e1d8b6533d36ba278f2b330ba96cfb3d077f

SHA256
ed93bf00d52700899547d3da4518c943f0efc7ac988255a2704f0e70c3a2e1e5

SHA512
329e7d5a92f834e4c7edb2d4b301ed8e43a2122d974c381d5ac2e7630771ddf4c770bf80b504a5ae86e1f18ec194c4e604b85129fc4972b05e5457aac18007d5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f06e699c5031b5fe67222e9e3740b7a0

SHA1
9200c0978a36e4b757b95660be90d591be70fde1

SHA256
c1363ddd41ac9bb72f8a99582e441c6c4be3ed44201b3b26d4fe92a4e69bd16e

SHA512
0e532f55ef564df1c638d780aba4d28efddb53799af0bd5a01090d6852b48722f8a76db24b8dbc2d188b0530d8b584c8871f8b14e2381a86aa47a30ca0ec3475

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0ca88fcf06ca370a9cf855902c2b0f6e

SHA1
540dbc89a7121840f18e7a6f5c272f9294ba18e5

SHA256
338a495128ebce48c2b249b16dd2b30dd2d67a4ff1cbf64ce83bed82716a5672

SHA512
98f85b374690f46b7134d3b8ebc5a6cba4b0767c3a29a55e837177413f0b1adaf819de3790975eb28a20c8cd52222af12fc618e1a59e5dc3da77abd071c2adae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dc3d6d18c715319511fd062a02783ac5

SHA1
d06c199c872be025764ee14228d6c8652790cd65

SHA256
1697d4fd10e13f4e30540048a371a3733141e5b6339666a815d7cb5ccba9da9c

SHA512
a343556b3c99f78cd80d8a7e77a49f850cbe709d1d5563a2fbdcc4c3e0eef46347e6fff6078795e9a1ccdbd454fb143095e3c842299c008dfd0644b9524aebb3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1341b5782e6f85ef1be8f08a12b321ea

SHA1
03021180dc6bc2f65dffaa60602b8d19dc04572d

SHA256
6a6b0f9470a08bcd7037bb3bb959091bcf9d3a91b9e4c94917c0edf97c9b1258

SHA512
80a51392f0f6fbb27f72c810ee40509d29cd8e97aad1913007e5cfb24d3b9fb6c0ff52d67dd8f77d4c4e520acd2867e58ba77b8a4380f2acca510302fcf2d55f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9868b662e8cbade65fb7be7369576502

SHA1
6743569915783ee8bcfd7daa0f4f0d503fa4ff31

SHA256
eb11d656aeaba730eebcd80f97c84a1230d4c911d5f2e4d0658c0a8f069b4452

SHA512
ccdb3c2a09e6db78f0673b5c828b73fe3b7199ec107950bee076b94d127dc7dcc18d8c6f9f8a0c84a5ca0a097d41672ac3c27f31413ec2a2e796948499dd0a97

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8fd6decd983bf2a1342ccc15e09e7df

SHA1
66770e7e0626a3d89509b51301900e36d1f8e1e3

SHA256
6bf7b3a97a72ed36a3870e6861c46dc29121c604aa7f2e2601154e1fdde54f87

SHA512
5f8c4ed5a16798a511eef112843572121d66b5c63de161f52d0cffeeb297a96e33d3d61f6db6a7476674839c5ccc625130d116fb5d1ed2a14d95f87812cc3fda

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
504310e4f27cf324270a9c02c08b4302

SHA1
89cad8f952035640ac4bb9f01e6f0a4c3f4381b6

SHA256
7b9449fcc64a6f4a087bc71538592634070ea1d8234b5232d390364264e688a6

SHA512
bdd03ff28dac1cdcc06ee82231ed0c78e115955e1de8e6e576bdad21a9a181585adc9b902ed021692e08fe949ee57b337b321a70f3987b6bf95f451afdd6816a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
30edb00e709e902d79acba461fce44cb

SHA1
d16fb3ee48867d5e027c1d844f6d06e922d076fe

SHA256
e25db3c47062a8378904457c3bef3ab8e82a2e6f8bbedbde8a696ac286be2365

SHA512
568cf1df7a6b3e2a9c6e2cdac86d39194a207314b3da611f594edfc9ce2956a47b2cf4257e6c01d2f1db54c9041b478376f63a2b7167a0b9994cc18390bb669c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
40724d321bd11b3458f37826f3fe8015

SHA1
db97809f0f347806c78a571336333a976a8d9f56

SHA256
0a5c9f55c60b8c04cb4610a11afc9d680d88c461c84d9b0f698c54fa6374e49e

SHA512
22ec23659a9d4f2ab79f9435fb892be53c6bc0431b5cfcbbacc5c0a9c4d09005f9adbff76e7ab0386d11754d7d42b401ab49b2af823e85bbd2d40acca512ea1a

Download Submit
memory/1140-274-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1720-98-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1720-88-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1728-243-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1728-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1816-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1816-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1816-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1816-507-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1936-146-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2336-142-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2340-80-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2340-83-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2340-74-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2340-85-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2340-96-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2516-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2516-20-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2516-11-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2516-241-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2712-511-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3176-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3204-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3208-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3208-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3208-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3208-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3208-50-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3564-143-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3572-145-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3704-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3984-278-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3984-512-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4208-272-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4220-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4328-270-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4540-268-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4804-0-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/4804-97-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/4804-528-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/4804-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4804-2-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4884-242-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4884-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4884-33-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4884-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5068-487-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5068-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5068-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5068-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download