264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
Size

648KB
MD5

af3e3010931e379c75f3cfdb95db1c60
SHA1

aaab7b654470d4954de092c6b9bcc1153772b060
SHA256

264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644
SHA512

9a3826ddbad0e23e86f170addc0247b03762d1ccf5bff4a43e1602768e662d1fb39504155ef0760b0efa0748564c62a1c867abf7eb21a52f109c9499b3be71e5
SSDEEP

12288:Jqz2DWU6PU6DQPHPcJrX+YIyjSIHpVXiV8Ih8Sv/uDZTk9r:Uz2DWrlDmKBJfJVSVTLgBe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4804	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
5044	fxssvc.exe
1300	elevation_service.exe
448	elevation_service.exe
3020	maintenanceservice.exe
4084	msdtc.exe
1824	OSE.EXE
1176	PerceptionSimulationService.exe
2612	perfhost.exe
5036	locator.exe
5016	SensorDataService.exe
4968	snmptrap.exe
2588	spectrum.exe
3612	ssh-agent.exe
1996	TieringEngineService.exe
3348	AgentService.exe
1416	vds.exe
4368	vssvc.exe
2128	wbengine.exe
1004	WmiApSrv.exe
2172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c7be9e2d293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c1dd87ed0c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095b28f7fd0c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eaaa37ed0c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd69057fd0c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000049d147ed0c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093855e7ed0c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
Token: SeAuditPrivilege	5044	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	3348	AgentService.exe
Token: SeBackupPrivilege	4368	vssvc.exe
Token: SeRestorePrivilege	4368	vssvc.exe
Token: SeAuditPrivilege	4368	vssvc.exe
Token: SeBackupPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	2128	wbengine.exe
Token: SeSecurityPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	1996	TieringEngineService.exe
Token: SeManageVolumePrivilege	1996	TieringEngineService.exe
Token: 33	2172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2172	SearchIndexer.exe
Token: SeDebugPrivilege	4804	alg.exe
Token: SeDebugPrivilege	4804	alg.exe
Token: SeDebugPrivilege	4804	alg.exe
Token: SeDebugPrivilege	1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1340	2172	SearchIndexer.exe	106
PID 2172 wrote to memory of 1340	2172	SearchIndexer.exe	106
PID 2172 wrote to memory of 3644	2172	SearchIndexer.exe	107
PID 2172 wrote to memory of 3644	2172	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\264396cd791f2dde9f51b0113100c0d4772ee104a5e3adfc438b8b229f5fd644_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3260

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5a43e51b8e8d20bd07c858d57486ce96

SHA1
ffe785e553afbc481b27cc54bbde31e02b43f695

SHA256
96c75c1d68dcc9954e60325d95f81961813658a9e8efd971226e1b6b9c72fd90

SHA512
38a48cb7a82b00998a92a2582aecd8a64ff7477fea985f4ae954e9c662c085e7ae16a69917239e0ff16b8e4ad985510252f2acf50d57d8036d16a9936b292941

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
50d4be7a0ddb43e7d5f59a27194dc384

SHA1
393d46ba9683a8bd15be3462819fc3ae38322319

SHA256
342f0ee2c582144239433e584c2bb3b801bee0e6b9b4e3b3c4185d881f0c72e2

SHA512
fd4161da906fdc085744c9faddc364041b12cb106e69ded6e8927ddb4df470d8b74a27857cede40a6bed3f8e1223cd48a75bdc73b427fc0239b90d7f554efb4f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4cd410183b328aeaefa5e1b7afb13078

SHA1
4b624592b3e24f5ecf0e5db935362460f0e2a312

SHA256
1717a8ac3afd8b45b26cba3d9f7bd38e4103d7b8b5976c2463572f4b05d684b8

SHA512
48b297e68b6ac7f12ecbdca485d5c87e81aa338cf70e43cd398ceaf8f23b9fd4238fdb4dcf05eff16306b15ba3535e24fbe4d166316bef4ec9daae41032c3c30

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bae3c864bb85afdb2291bfc1b6dcc63f

SHA1
d22058f4fc7530773884b42b3bda614455b6ecd7

SHA256
4f2025f48ca052cb08c860f50ae57fcf330f0017404ac6dd975d5ec505fc571c

SHA512
a9b9aa215e1627dd093137bc1ab5771f57a8aface1d2984efdaa0e830b0ece092ef23bce510bd93096d3e73a48fa762d1fb5e4aa4518ae942886d935a3dcad05

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f9fc9a3aea8016b63ac044dcd277f27e

SHA1
84a7f27288f67e41caae28ad0b0c1f957f68fe99

SHA256
a3178c72a46d0371c513df49ce889ef76b2af1e482d194bb655d1d03e84e8d0d

SHA512
e83b2e47c3f0d5168218aa9afc459bc27c4478aeaa10d58a68fcfabf450298de20ddcd790bc08a7ec17cac6d779401f73d858047b27099896e565c200ef8c9d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4eae30c4e0528e0f3611cda5498db2a2

SHA1
9238b1c975dfa44657448fab4fd6b3fdc9f308f1

SHA256
bbd3f4041fe67742921786023f3ea12b80c2c3d7ef89ae4f1bb0cd48e11ba5ec

SHA512
6c1b90642c63bf86f059c26dd330e676da3ee7abfd0747a97a85819b377dbd54f6e294badbed31841584daeac60ea01230306f987bcd7155ef01697b95bb0a39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5d67bd3f83cf7dbe93b57a7680f38b2f

SHA1
694253587376fc1ac7c6bd42a2fb58d7181d8a72

SHA256
912db1f14e5c38f4aaa791835059fc1bcf5b0f7549879b0f3471512519d267d4

SHA512
0036ed892693ca629d266fb5665c1722f5025a24bee02ae69d4477a13244e35159b8f1e7e1207e5490a7852b8df5eb7caf8391df74a03818c980cf425091dc3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8f006f1ee02f0efd955661ebbe23d433

SHA1
119d3dc02f89a9bdde193602fb61c7e91b76aaaf

SHA256
06e3f79d42def97dd826eeaa28419ec52df6efeb835597274cf6b2c0b7255f4f

SHA512
52df99f1681d2b7bea996d9726b5bf39544c321834a9437c275c5a78cc9a2e2de32c918ef00128abd0805dcdd91d40b2755d997d7eebf3f88fe872befa758e6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ad12690f9c4bbba7e3e2bff709a87809

SHA1
4d0c02011e3af7139fa6a6c87862d22445ca1a7b

SHA256
68fbe0d51314ecf57773aae45ea60c09cc8db1da597a64b69d1d98e6fdc31442

SHA512
e7faf58efdeffb8d3a2c760e4b9518a8b2ea2f2e459c894f2af2d9e63fd850b0a516bf25f14c90976eaabae29a56ce0fcedf04a0649438d8da3024f849c954c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
10169dfaa936e9f963781d4e1687c546

SHA1
1c69f419a3d89c58b6a3351098ada92c506b51fb

SHA256
dbf1250981581883c94b8d6d6b406f9c8db14fec7a491fa778d6a0d8b7bbaf6f

SHA512
d3a7cb69e24d3ae8aa41b867f7e616dbc98c4a2d033003893e51cca1b16144556da50c5ef00fac93d0b73d89a0ac8dac4a5755c04870c0f621c4deec6d34aea3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3021207d547d803e8da5488a7d76b04a

SHA1
aedcb0486553487d7466495d1bd8d256edc84f81

SHA256
52f3c0e1a213c78c4f5a7b147969079c6332da05de73ff7409ed4003f3ffc526

SHA512
bdaa8412fdd93ce1b8e618f20453ad8f0e8fc241679bb7a6d7387e4de023a5c03b1ec765803aa6fe1a435a5e3627a8daa32fcfd5a7a9c7a75d993353b4d47cba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fdd50c22ab1da15ac1469219a19c75e0

SHA1
0d20894d009922846ae3c27d1ccb4948359b5aa4

SHA256
38af56e0c5aeded93b1d59e7a0e9b34962cad2d8606bbffbe247db27d556ffd9

SHA512
8e9a0a8dd6a16cbf16f62bdf5f4a09db77b4e816568533faa6742dc522ec8daa3991cabfdfe59116e2f881729f1cae43906729dc98e86b34040c643f08912243

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cb6c2d3a2755db1b04a50dc12367bf5a

SHA1
84969b5e7da013f5e4e92d6b5d644f1f4277b225

SHA256
d7fa30c18860d9d07757e80e3a104e2f6547673351517561f715fc31a3eb5898

SHA512
77b025a537945015b34684c99c1bd7dc83e354f0729a0fbc10a2218b5b1ad7fec7d5acd6515120b786c29e37e3697b19762aedb4116e841eef01fda169db00cf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
426abfd8d2da36ac53381851d7da7ff4

SHA1
03987400baa7efb86033a0810b770a28830dfb4e

SHA256
7dbae2ff3869f56e1b6bddc6fea7beeaa85e805e5c0ed07553c3680d79cc0866

SHA512
a3a8fd4b3079b00e9443938987858791a8018eb74cf25e3f2a07eb1f4f41e7501afc5ed48d308f01775614fe6e565911e0c4ed61049111b6fd832e146acd7086

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c8c048750f460c6792ee3db7e4e38637

SHA1
d2894f9965e4933fe7e5d6e51641898b22317072

SHA256
65552fc19d56e75ea81268d165b474fc20fbe02e83ae35b97b53c1a6e4aff741

SHA512
bb097d04f7af34314aa2630c2aa484de71a2f8a0e34cf65474c1cbfb797522cc0b64ce11e6111e3b6b9afec4bbfcd8faa8fe6638856e010d562c357ed4ed42b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e2f7b20c272c6989bb297286196c7a27

SHA1
f53343ec21affc4c414a83360b91d94e531394bb

SHA256
bf27273dffea4bc554239df82ef2b4708b9a3576d979dd1b11f9d41428e80416

SHA512
5fce64fdc02644c68f12667ed4fa74ebc67d226f1c19b25370babbc4437a775310be242073395f186b910a4d154c7be8d3129ed94fc9fa6fe2ba58521ae85523

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
97ec9336f6cd1209757eb3716144b5ff

SHA1
0d6d2899945a3eb6d0668bf61a3be776ec382b55

SHA256
b46779a9f19f160225c31659d0df2c883861d9f1d7a6d90a36642fa37801a7b3

SHA512
32081c3dc49970ecf43a1d5a60cf85e5854580c4acd858d098be44974d707e837d8255ac8a8b922ff97cea07bd64379781630650206858559477903f28829b22

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
af4d3bb87dcf801ecac2aa8291acf5f1

SHA1
fac120d1641244f198707519f9350a198d5f9d00

SHA256
ce47cc7e3e84a2b2091cb21808d8be00d5d6a249939a183254203d1328947acd

SHA512
df9624afc02e3ebccae0f868da6d3ef40f9355caef37e8c112925255316f25ef1ad7ae41e217f9747c2840d0bfb6cb0f84060a14896b2fb5a6f3e89e5b2110c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f475baaafd3937a6bc50875641409b12

SHA1
cb5642d86f319656717fe4dcff32e17c860ddbea

SHA256
4a2abde24595130b80688e2b837260e43bdda7c2acf5f2ded957a8f3b4d42d05

SHA512
9b0bf26785b8c26a3b98d9a5836284184e00efc6ca63471a4563e12b2e58ced8c416099d2ec233cfb74472f80d971f425f47569ae1a54cf00eaaaebe941d5b66

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b026b1c5470ec3686e71a0199a04f113

SHA1
f8a615283b58e701f8922baa3b614ed812916223

SHA256
23eaa68b7507e3870ebc2c27aec09f374799b1c6326e4bdb6af2a0bea51025db

SHA512
b6a945f780ab13a5009da37ca17f2a877704c230fdcdd5ba1eaa8805265ea66b158e3ae06d7e101135731f078df2c62015fa0818880d2fefb6a028379abfb847

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
13a8df796193c0de545637ae3d0919d2

SHA1
b002f6e63ef1991450d08174ef032a59fe4c7087

SHA256
13e1ad61a1fe5958fcd1f9e23b36ff30c3db1391bd8c4c079b25efd95fc9d1cf

SHA512
0f45a07eb847b9e40340e0dccd2152cf852276e201112fbc64af16cbed69682dc3c69f07b27628c94f25e9a573634b13caad88ec88efe17792213ac29376d607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c44acf7126e986253af8cfc3a623a2d2

SHA1
4d3bb9b25aa033143ed24c724761582b2bf69bde

SHA256
40b2a8f066eae00c187b6f9b7bf25e8126be3adaf68d60f4b43810de2f3ae3d8

SHA512
7d7dce6303772b4b4c9f92fc29de0a34664c2847729da22b8049cde1473334e855695cad973aae401ff7b6db3a4c8050f8a67b9a4c21e44cd1e127d2e116a973

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c94464e40c20a408f58b4de469afb8ed

SHA1
2a8068659474606cf300d75dd1ff7c8f71436844

SHA256
eef8c6d6e66edb1eddf0c199e480cd3bec55b77730d0134394a029ed937da7ef

SHA512
3c7ebc60debc115c825e83ea8bd96c9901a2c8bb1ea2248829397e2ac7d073928e79e024206e74e3f6e96d078fa7820583b6b0dbbb815a3f236e864c90a4abd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9ff23d5cca62f8b911d7d0c56f2f857f

SHA1
e8201b0f711a44ce0a6a060f88fd95dc93c1c930

SHA256
09115bd49f0ebdf4ba54cb99609b25000187292dc88d0a0aa923b2cbca6566ab

SHA512
287799033297f9b128a6151e37d0c6556440cc621d2a82b57e5f8824c84adfc3006cc166ee2a251de169a8243f00d1e5da4821bffd3ddd46d649df56d9649f5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6b10c9013331dba3e2c8c745a60b6c06

SHA1
0c3cad69f8705a9b63439997f69fe83dbefbebb1

SHA256
136c30a1853ffc6cae1c4085e06303ef65922b9581e29ec7085a073ee2d5b7dd

SHA512
52113ec8376e5d86214b276967387d710fabddfcf1cb158893e6d7975d4bf728598b7fdce1c6884fef620100aa18c02d3c02474874dd36e68532b90adeb50d16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
df3e5fb25e47892e079b924e780085f2

SHA1
c8f80dc8450ef86dca4f39c91d9e9bdc39f3dbe2

SHA256
51ce9fa2ac6755420cd2cb1798b0eff94cc3efb2f978b96a52fc84b6e814da59

SHA512
f98a1ed16cd7ea97a3a720b614228f968a5da3dc3cddb88fae3a974c063896d29aae0ea7149b490d87945699c3d604012aa645ce902af21fc76a3c9a8b9c5d32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
daa8db143eb49e94264aefeba1e5cb60

SHA1
6ec1239caae1572178e46d1f8742138271d2ba86

SHA256
844da84d91b2f50bd9596656ef76e533e1e229bc426df60e551720d713a15492

SHA512
71db8d0e62d1b20d8983ec16a58bc2734b544648565ceadc044770fa8ef568693cd32256ed6466b6ff1709801b5c49afffc9e0d8a75aa1fdb7b9ce305e12221b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f653c4364d9d2f0e251b97806e99ca25

SHA1
a4ba92523a7379d0df60de1c5e6b16d98c8a2b65

SHA256
e535a240cb5460cfbd92f879c8f68f228cde279a7f854eccf14c81bdac5b2794

SHA512
95bd60fc3ff15ffb48c37ac4bc41ec7a620425c1b0d0a24bb5bff41cea9dc0ab7f1b21ff888008cabfaf58f83e7fde9fcffede346fbbaf83e07f8554085add2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7f4465ae2b49ffb67cdade80f398e3f0

SHA1
8173cd308f0b77d6a4551aa9ed7f2fb9b4cba31c

SHA256
ee433a7c11cc34644c68ed02d6abce6ee9400838a556b38dc8dcd36938a2a5ed

SHA512
8666e84a4879496414a97de4eac9d90371f542b6d72b61b7005a872f33575c034bed201a5fa6f58ef9ffcbaf4f5f4a65884141e3411d2c6ee9bd42049d7d0b3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
267a8c96fe49e0fbf3f011c2b5164f31

SHA1
6ee93580a38d5f39e76705f4428b619e8342ed69

SHA256
54dd02dfd64c55480e8fbf153742727db2b65c7aa1833ec35784b20db76f98a7

SHA512
9106f12b82f434505183ff0935ed7906caf68dad54ebe55be9f87b55d6b4f1ac5f8d0504e14a3f4717c90d2c71ee40d0da56ac3c11562f9109693d67df6e0449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4c800dba5c6cae14266c1b617681a390

SHA1
d5bc104771c94e339c58a885ae053035c607ca73

SHA256
b8d0a05c60771171dc4b0829db09f8c1c9dfadef0bb1113026724945c866db60

SHA512
4a3e3c0c5c59bf586e049a3a9d266973562b901c0295f3f2ad2e6b1f1ca7c9442d9f3a49e2d372156b8bf861e68efbd8644a614e2144e5f0b3e75b663e17a5de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c013aa43c833ebd8d7e46895f9063efa

SHA1
5f0c4faeb8e06b8567837d245e79e690f2c38fd2

SHA256
d448bdf540726f32948beec79a81177190e2fa0ff3665a666d74e4a8c29ea26b

SHA512
5a9d0812db4be8f5439b1ade3096de88f1a3146e53992b2c507d8cd33d42f5093c9e8112854439a6f12424c83ea9f6b78a8a318a2387127a47a6ef992d5ec6a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2e42e47538a17a31df6d34462a2da721

SHA1
6c67b75bafdc60fe90441dd527e35656f4ef001e

SHA256
94d50f1d5d6805ef674d8f4235c6aba9b6a556f490e20ee7e8aa87c9c503d50d

SHA512
af683642d800df035aa84edbde07568fbf7e833b98f1863fd49d556fd80ebb75da0c0b2bc5690017a4c89dce462d97d2ec533594ec45f5c7fcec8a4ab2b5bb40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
de1f4cea6e38d7351513588b60d83f10

SHA1
1dcc81b8c16b045dabc6171ea26152284219e096

SHA256
10e8f808674e82a8a49a4ec46790e9e6324222333ba0c760474164e74ac06b89

SHA512
12a9d856bf8246f0b98174d69b87647b373d4bd779a3a47cd8beeacd82e002ec4bf6b0abe827861613d8331f5a39399435d6d6de0a1d98decc6af633d4884c1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
09c5eeb29af335f0ea41fbecee5f016f

SHA1
e22ebe410d767455737b642b3bd8ea22b2e92cd5

SHA256
71145d9d9ab102ffa6caa729b7484fe6d19fc26fe36e0f759249d3995c533ce5

SHA512
67d56c84ace169b96aea293c5055b44a09f9e56e3f47fb1fc6bf0b8cfb7d79e7aba48c9c9705dd66047ead238e07bc939b276838fdb721bb34d3c7df21e38f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0e772e9589633949e9b5bad0c0af8d3c

SHA1
7bed6d851da2f2404119f42d58e15b05e8e2ea78

SHA256
68f3ca16bcd741a0ab93b76a8f586490e7ff197f50e19cf752e23f2bdeec2d44

SHA512
9f935f159707e09a753507735c1e10758478e3291af7b9384912109a6e39ed508c47c9ba667b200f17ae9955333cdadb41108bb44afd80f1c47bec97a2645e8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a3eb26d37ddd704d2b4ecd43b0f11415

SHA1
c2dacc52a9610c99551113ea32ff00e897e48940

SHA256
c0c8c07aceac2006fdca3c694233f1bbf3d9f0784c2c0c87b07b6d2f139aad93

SHA512
01ea4e8e327ab922b62a65d86b83c12d72b5c6f02073a58ae2817b42b7a2474d4b4479854db8303ad75ea025d6e3608b7471a9c1dc111b4a8211633eace5c851

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a7b392596d3124c5eb4b41ea27851e7f

SHA1
40e1dce3579380d7805f258ea0382ed3f451eba9

SHA256
74269d3ca56f6a657993de90a547167b8b43e27d68f3e0323e1ab6967bca9f4e

SHA512
16c2d1c060d1e63c84108e8c1e40a453be2f03497fae8a7edb43510aceb788a3ca152b0a4538724594c78e39f3bad922f86c8175e9043e681f9cc031a97be599

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9a2fb159f18bbda6ff0d4dfb7facedab

SHA1
cd69ea7e3e2eb58427a5c964be3e5ff50d4fce23

SHA256
82bcf699f880077fa2b626a17a6baa8dd42164e8a1890722046c28fcf6399bcf

SHA512
fa1fea4840104f51e75a376e01ccc46bea2610a5940883e459370d663678cd59c67efa86fadbbeff0fc86de4bd7da1d10e4c23af2d607df92bc819fa4f41dc3a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2f9ea3aed54fc40c0466e672b458e833

SHA1
c9e6af3a07de02d552a4bbf4ebb8a0dfd0f8af07

SHA256
9cb2454526f372e5c98799ab72b98575fb6799c19252f7c6cabcb187d8e99000

SHA512
3d545c2376c0533beb368e5e225eaa0fec1d80b23bacba8d327b14a54752d917fe5f170ebd38dcae065c451305e3e649005b0235b7d5699771b117d1adf78564

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
897c93c3e234265d1f21dc2e88815abd

SHA1
4936df934dcf36d04c366c39febcafccf32454f8

SHA256
a1ac792f8db76700e930a669ef10329501d6ea271502f4c7099624a67f5aca48

SHA512
0935b02de51b5c087962f26ae768895c617d43bb9bcbd18627aa5f877e5f8c607df141b4f5ddf54517dfab6c55fb81e07528ef2450ca135f9b95fa2dc3c9c88b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
324bd55ceb7ce96591019ffcaa052690

SHA1
37e831eff256ec39bd9d274d7eb9cedb487a5f4d

SHA256
8bf0a5613f9f51670fd25a988d4ae62f6ad6a83f17c4d9a45a24c7c34f11bc38

SHA512
d3316a483e90580a30332424f172a9a60519d63608a5c3226e4bd65e366faaafe0bcc97a3bfc7017d1d94fd5708885ffbcda7992c2071eb447ffa8b5616a98ec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1ba358207ba95a1a7bbcb74242f0750f

SHA1
f36487e2134c08b25a2ac9b72cf2f071cea329b8

SHA256
03e6d1d85ecec22ef57b40ec7664892aa4e89216ff4ac5e9e0f81060544cd88d

SHA512
a6c2f51a713ec77bf9a62d6f5916d8fc3026613d190acea1738c79631e34a39af616fc7e6fa2f65ae3862b21a979ee5389ffa98f51cad1f5063271ae58b34646

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
23681964a607240094c1258af0044f59

SHA1
88b307b945496a3108c78b97ad4039fd0982b1f1

SHA256
d5436f1fac922516e702510277c678073f6478c25e8ea74967dae2db3e6f148f

SHA512
0ac8fdc7d1c2ad7444a7546406aa2454c0d1ef463c13c57fc749959e928d71479e5d61ad39cf547ab598fe92a618f11b6553dc1ef5a66f097d966d0c6d3158a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
db4a0c8fea2d4cf93ee223e2db8977f8

SHA1
98f6cba741e7a34bdf799a8f9dd31621f4b3201a

SHA256
22f4fc95c26200e0cc94a60d2450f390f5c0ff6e9790e39547f2d5e9ad17df5b

SHA512
e37053ba0bb4bf1f08d57fa6822c4b02fc784d1055d2cdaee2a2e083959f3a96f054b7a6008e1c37caccc02c9d573b83933aaeee0769239ba356d0973d9932bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a3a1a9996a44deae3b4ae0ef46c4df8f

SHA1
0d1d9127e87e4a318af549b69168380f4d63cf3a

SHA256
09f6108c23dfa1625f5aefb19f1ce88c319a81825ea51aadf8ef566e088d58e3

SHA512
fe73a167456096692943fc4c09d669c37160631d6395d4295efcb232196294982030ba9222707337c6c571f52194a763badfafc0e5048d89cf1ee2c790194391

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f7b6bac6f99fc78160c578dd346f9142

SHA1
c49b207843a2352df75c2f5a87115137f35faab5

SHA256
5aa644876715e36c565c442549fb8438c8ef3ea0ffbcaa226bf69bfd5b928242

SHA512
8fe018f667b09d755b5e98ed2c540a5b7f6bb377a679695de36692ef0672e2e57f9f7588fea1d53ad9b571a0546cb10a8d2735446da0f00b4637c21be9221b7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f2a52d926743bed4402613d8d5c1378

SHA1
d35ba2b2776de160be57215fcc02df5b3bd9cede

SHA256
7722fb113f44f1857cbba3be71dc8366e7cc8ef0fffb8fc14718a28d9fdb8b76

SHA512
7f8d21354fc3b8c8491d47ddc949f2e26071d941ec1491aa4734423b8cba20e71c58992d2a4e661c902c33831ae5bd203f5cf7f612e93770f0573c1c00a1a2a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b90bb26f7c8406fba4ba7a7e0d30e392

SHA1
2e8221572bd1638ecf72a19e2991b26a00b7e148

SHA256
3af9786ff904720670406d578d8434b449b51bf3dfc14aa5a3db6d87be2f6a9a

SHA512
285650e281ff88e0b0c0969c6b638f4b344dbf0284007e233a89780ee39c2af25ee2496ab44bc1af5d50819a6fc65f9ad959dd274fbd3a5c4131ae4d28b7ccc6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2ccee6f29f48f19db61dd379ba5b35d5

SHA1
e1514c3fcce3842c89670c0794abfcbbe66e4e08

SHA256
f9ce988332994af0ef68c0353599385ffd16ede9fa223450d4b20d0c6bd3b90e

SHA512
9d84ea604302bd650e3222f920af1867b27042b635462d27099cbcac57fba41dc2cd07f71a928c0e058244c14e0a5138c36ee418f1b84137b4b739066cfe8fa8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2b6178838f85c47ad627d96a5774f5d5

SHA1
1807c38e34a1dbcfe1a6e382ed83898ea9dcbe37

SHA256
f973a165e43ed57e808b37b17127f9f8b622bd79ddb87cf0922e58dfca3b492d

SHA512
1a8a5badc7347d210fa9156f6a042491b01931bf770a8425266b077eaaad1f64b2da2de2556f53d01699582a3f84e1595a407385f1e742348f524de6a6bce363

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
db41c495ee241182d43692362c0cd394

SHA1
6eb772ced748f32aa08cac249b8a1f89425aff71

SHA256
d527893ad9aa3689d12046851adca737bfd2968c94a3e198929abd47554b8979

SHA512
131323360f286bd8d742c234a00f3ccea6c550bee978d037c9e895b9243b1a564784be1b2552e219a9e77a5261d6ce20a2baa7a821befbd0d488e9e1b5affb80

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e40f0e9d0550eccb73ee2d4d010765dd

SHA1
bd3b5009032234be9d2dca1a633580ecff9dc74c

SHA256
95ace83809d1f7027c21d8abdf8c51525311ddcd2964ef87e62876d2e59848c8

SHA512
dfd99a97dec01452869e566d42aace0c76b2f07266f2b48c8f982a8103268e16775dc7ab27792339b7576d6d8f54736315a075ac01e1085c3d13392472989dfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
541aad1531d1f100ad89fe30eca3b39c

SHA1
72f1637f8220f596a0b20e9ccdadcfea0c6f08cf

SHA256
742b07c9bf7bc68d4f064f668ab7ce7e61e7ee961fb7991fe10a71cc21a9297c

SHA512
311e3c52ca8474ec291a0e5b5490cd7f1d0d220b28133d11bd21fa32cc499d2acd2fc5700b78f10995e2ac66f154d37eb8f6d9278d2be61fcee8e91ab92759c7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4f85a095891c3fca590f3360715ea59

SHA1
d71569e31d063f09a37a7b2862892b1225df872c

SHA256
a387efd1fc1641c0e7b336716b97140a43e0bc09966a35c58a0e2a3162a20f54

SHA512
9feeeb3afe2745e7a7c670de550bed69725d74af3b364abaf166528aa149bf01b7f47f9115e2eeda934662d72385cb18e722c1bc8b3bf7099ce620f711b72400

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6394181c7fbd70987758673b9f74a30c

SHA1
5259256a52c76bfdc3210dd730ccddc6893ffde7

SHA256
8863ba6c75d909381f7e16d75c18e3db332328dfb8fa7b30e7173ef225523687

SHA512
14636d7739f4710c6b74d92310fe719b379c912c03b9b0d9852a5706696e9a1970135bb087772dd483a47c0c14f2c869e44668da55abcacfffd6d007d5ef7c32

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1874d8320cff2414dfd0672b83ce5a65

SHA1
a7347937f27647ebd0427287430f82a14e6d1402

SHA256
f7db4ec1753e3bb91ecfc193f512133dd2c70f7690ddd0d9cab87b50d12c6bb1

SHA512
6d416c02887fac338de720a5ee29643490661c03fab7ec16e7d89d055d85f29726fd07acd5c1f6ee082f86348ee7e0277a094055223c356aa442367b8cc7bcf7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5126905338847f11ca81439ecae591a4

SHA1
3bdebac1855a2992ca1e4cc5403a96fb35cd1f50

SHA256
2f3b3a4272a8855c33357f7cf9c16679b358a55049bcc089f0987e41f73a47c9

SHA512
f78c327bb0dc71ce1c5021350315cc2a0695db51cdff56234c8b3007bd78df8a481127da6c16ba4abfb642700c3cc8d535a621561a2d22da27c2b3c7f1d71113

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
aa008f00db463bb78c20a60bbc428f47

SHA1
fdc8b2671c637670365753cbf9f85242e2ab87b9

SHA256
31d2127263b038029311a1070a4d006067327b19856997e774a7df7f22a6de7c

SHA512
2d42fc120fd6c039b620dda5757737ff1f2a09c8a1c783c202535194b83f04f4035401f59569f91b7c3b694829a7413b129b50283439998e2b5003d581d2a95f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bf9b15025dc21b6aae917fcc065e7d26

SHA1
2f0fee4224052c47f3b75a7f30b5b4eaf22510c7

SHA256
d2aa19643e03d5121d281e7a90c34dab23a7d21c14b92c3e98bcb0ef3820e3fb

SHA512
73489c4e8e0cf1a69780f876a3ee4aa2f52e2df4e9151ddaade96c7533ad42f3732297df3fbf261236e2cc93f0c9499f1756296064a0d033e68a3ef1d10b363f

Download Submit
memory/448-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/448-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/448-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/448-604-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1004-271-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1004-612-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1176-179-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1300-52-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1300-603-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1300-58-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1300-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1416-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1504-74-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1504-1-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1504-466-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1504-7-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/1504-465-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1504-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1824-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1948-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1948-33-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1948-27-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1948-34-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1948-264-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1996-611-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1996-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2128-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2172-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2172-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2588-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2588-609-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2612-181-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3020-86-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3020-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3020-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3020-82-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3020-76-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3348-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3612-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3612-610-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4084-90-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4084-177-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4368-266-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4804-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4804-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4804-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4804-176-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4968-184-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5016-602-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5016-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5036-182-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5044-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5044-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5044-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5044-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5044-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download