31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Size

1015KB
MD5

bce0818b2abc09329ac710ae006848a0
SHA1

8d14a052c9beae4bf64d4e346c6f4ac069acabbd
SHA256

31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb
SHA512

5cfc0eceab553368e9307882f32dc0f34a3821c1394eb0c22250df20b16fd2899db8e6a2adeeb7693073a381202c6e1f11e7540faf25ca144b7f5c115253b5ce
SSDEEP

24576:75lB2hkhfvCpf2fTfg1N3RUDHNmdPCAaq8Nozgi/rE0TOj:7l2hEvC4fTfY8HNUPCAaq8Wdo0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3432	alg.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
2488	fxssvc.exe
4460	elevation_service.exe
4880	elevation_service.exe
2528	maintenanceservice.exe
2108	msdtc.exe
1564	OSE.EXE
4484	PerceptionSimulationService.exe
4160	perfhost.exe
1152	locator.exe
3504	SensorDataService.exe
384	snmptrap.exe
4980	spectrum.exe
1124	ssh-agent.exe
3544	TieringEngineService.exe
4328	AgentService.exe
3164	vds.exe
1020	vssvc.exe
908	wbengine.exe
4592	WmiApSrv.exe
4396	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\35a80a22293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007193408865c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1907e8865c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd05948865c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a58458865c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce54838865c7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8303e8865c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001559839065c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009952c18865c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
3316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1916	31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
Token: SeAuditPrivilege	2488	fxssvc.exe
Token: SeRestorePrivilege	3544	TieringEngineService.exe
Token: SeManageVolumePrivilege	3544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4328	AgentService.exe
Token: SeBackupPrivilege	1020	vssvc.exe
Token: SeRestorePrivilege	1020	vssvc.exe
Token: SeAuditPrivilege	1020	vssvc.exe
Token: SeBackupPrivilege	908	wbengine.exe
Token: SeRestorePrivilege	908	wbengine.exe
Token: SeSecurityPrivilege	908	wbengine.exe
Token: 33	4396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4396	SearchIndexer.exe
Token: SeDebugPrivilege	3432	alg.exe
Token: SeDebugPrivilege	3432	alg.exe
Token: SeDebugPrivilege	3432	alg.exe
Token: SeDebugPrivilege	3316	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1008	4396	SearchIndexer.exe	108
PID 4396 wrote to memory of 1008	4396	SearchIndexer.exe	108
PID 4396 wrote to memory of 4328	4396	SearchIndexer.exe	111
PID 4396 wrote to memory of 4328	4396	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31821f8b5c1f8c816663afa141ee23ecd8ba61d24f0adf3d4201e6c2380eb2eb_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4788

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9b566cbf646b6c41f8d5484dcec4b43a

SHA1
2f08ba0c34d39d31ad788fb05b8fa56715450eab

SHA256
e4ba5f007e8252243bcc8b8697ec2aa79280194cbdcc1e02c4b0c3dcc1c55a35

SHA512
7a5735d7ce1fcaffacf8840033e9fe30a9f482f03f2464e7bdcf39653f7a2e514ddc626ebf938d7a64363c27a81523494c478bc068f5bb99c3b06e48611d5d0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5f11311d60f16444367dcf16e9e87eb5

SHA1
aea1072792614cd60080cb12c2824eadec390dad

SHA256
92a081916aa3cba9b75c147b3373ea40f8661bf935a4123571c1ab62924115a5

SHA512
2c9398629dc626a402eda0f38e76200fb9f009a3e514390000f45fbee4ad1dea9b0349832e45a6393532c46f461a2a9599509cbf388ece596fbe2857aa44581a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
864e9a1a673dccd98000f3bf60ad7a4d

SHA1
c9df772f33423d2d7e9dcf34c96f0dc3e80e2d3c

SHA256
c2605a2fcf860f37677075b60dfc3c90a38f575e46d8b9342ac2f25ba13b543f

SHA512
e11523111dd3990cb5ca853517358e28ea41ad30244999d54ba643acf5643d4ed255387fa975cb9725bdbe904cdf65fed5c59e85ed35e0d09ef52cb2fca51002

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c448ac7128c3e1179d09f5d436f4db07

SHA1
f4333bc8fa9952043afd9dd5bac317df4fc4fa58

SHA256
78c397107ec76ce71bb3e557dae05b169c4a2570f73c81bbf5d89224f56e2390

SHA512
cdb58c5de0e11358acf07a60ba3a0b1a78f463774e8ba71b6f3892c2660130aefec28b06c9a8b21aabeea069abd7e97afc3663615744526ce2002fd7bd72b04f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
52f0b77c8b26a8740469a724f42844fa

SHA1
38461479b7a6f8d6338e0f0ffab0a680d89219fd

SHA256
37975929dfbbdf27020ec1233cec96077ffd88605516d0375097e81d1f30d9a2

SHA512
652901815e2e64353ad176769d493a12473efb1778a5f4bf683784bd6f16454aa5119eaf0d8df2756f02183e3e9d82d197a6f9ca4143ff310a1aa5735b518c15

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
594c06d0f2bd58c1774a60c2b4d53f4e

SHA1
34847445fa6ff44debdb91b894be3ecbb2bb1c43

SHA256
014a60483cfc0057f63a1970fdfc3474853a45ec513f6eeccf5cd8df2db1383d

SHA512
483df8ce93fcbfb62b73baa5718e09400f198a1c33b2d990f641230d7ce503130c8c83ba07a7830b3ba2c561642cf9db3926c766f0b74a192dfebcb880f470b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4205bf22be0304a698a7581156895db0

SHA1
2776345cecd6deaad7854ca611634438b1bcfe12

SHA256
f523ac237a09d332a6ace1a1047c9212815c78e347a0b52ccf8efada43920468

SHA512
3bf8b66a041e66c0147aca5b083598c1f8287d45503eb737d63936b99920e6a2eb6f170a8199805f92e4dcb93e9b6ed4be7d8333b73e608ae86ff417784a8976

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
51f9349144cdcf9b0507a84457bfd76e

SHA1
e0250b31bfa814e38c85b38607774e4ba7e6cdb7

SHA256
7b5e538b8c7c5b99f608c99ee3ead196645f3c864d310acb1029c5d150e47fc9

SHA512
7a58967d3b6ea5b0f0f62b13b0c97d0f710d91dba4486bf0bfce931b9821bf5c85ae74136684af6aea34c89732f0807e65cc08c75a68b96170d89f781470d4fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7ac91bed99ffc14233ad8d02ac3649ea

SHA1
34d7d3dbd6a9a748bf56ed0153c10fb78e4f19c0

SHA256
9a14665c70d162af9cde92871d2a38a309b8eb55e3924b67ae4a18079874b7b1

SHA512
bffbe51ae4e5d20ac8c626012e477d8e04b3a3890e0c8703a0b60b7a6a5c8c56f83a5b734afbf1d89cda5478c15618600a72b8affd6f263f9fe2b1236be56c4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a53be80fa0c1d6290bcd9a05740ef2f1

SHA1
ce818fd74cb9bd08183be1e9712ca22bd5ce55af

SHA256
22de604afd0f5b3dc1ab21a179958ceafa345a705bcc1ec1d7288cdc7172aa8e

SHA512
351d00ef7e75481ff932a4d6c05d0db807a7c5fc57ee4257acc12bf5fbc63d39cafea239cfd4a66e76ab8b72e5f7511d65599dff592855be7e58e3c7995b07e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
703d5c924f9d37a6d17ce52677400345

SHA1
b41beea24c098c285abfd237d01401b6478fedc6

SHA256
fb2a74cfaeef7b18f42d796550e4030d366b2980c94bc4f9b33d446cd5b22983

SHA512
c1496300037b679ac3be5681271508efee145b6264d1575703c87d2827a872a9ee2402ba1793ba2a16bfe2bc9f2bfc1c74d251ad98a5b22f2584fa8edc15b5e7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2c4b34b673b270801c73dfa6937163dd

SHA1
b2e91864e2ffe7c95ad2d4320e2115181cd71742

SHA256
092739567d4fc8911d912532c94db39dcb04b091bc38967bec5fcf541da6d9fe

SHA512
904a7669d56f1ddc913da19f9c84fd5abe4ff56369c02c9ac1dfd4bc5a553aba8cb6861a322f227690cf9cffc5134504541051794695a6b91757c6ecba4d553a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c3fb3dd898779b949bd224968433506c

SHA1
032878dff9192c25ded91753768c2ade48555e5c

SHA256
24ac6d4b68c89ff39bffd8e6656e386482342dccf6fb1ffabd110900091493fe

SHA512
a2762f0b6084f496152c5c1a34fe40acc073e95ba0d8d0eae474a879a3c1e1b3b5e39bb5fb92d3dd1d2f198b1dafd69fa59fe340dacd706a57a0f638f0dcde45

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
522201a98f56849304469230e2fa556e

SHA1
3b071d15fd4323f2ca3ee245246a2f0a42429535

SHA256
6d66954a09a8fd2c503dc049e5a16423b2e069fca2f730bf9c10784a18b9abb7

SHA512
88ad3613e79c70446229a1f645982a45f0b7c851111232072626025457c38cb114807081944644e8964b3d319aaac8d5bcdbc5082e391ee81c35ff677a04b1c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
496c386248aea304edc98ac4fc641267

SHA1
d433b4970292a9ec135631389954cc4c11a56dbb

SHA256
74895f34208a1f314ac77488c9430119d424135c8e6938cdcb4cdcc0e4af3aeb

SHA512
9630a6d908bbbcd77934be8a15650dc9eb00625d20f37bed5e264c4b718470772b5f2a9235b58111f7890713156786c450ed26bef0d683ce8cb3d830c995abfb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d632257f0f33f6de8d44e4267115396f

SHA1
d4b225f7c736cf8d16aca8a682fa0060cd9fc6ca

SHA256
d94e56b6537fea445913dfa63e72e1c2f38b3f8cf4e5cc722fa7ce1efc6898f4

SHA512
d63adcba049b750084b363099e401a7bf4ec9d05b28742a81f112aff3a3f7cfb90bf165293d2b74f634fb42ebbb5e3f75d23b5cee12464cc5b0a2f82c0f0e893

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
84c2abe884e2051cc1ab9e207e1342e2

SHA1
ad78c3d6109caa18483c5430d8909e26a65f6365

SHA256
fe48dbf16035923bbb3532e5831c6c4ed1fa6a332893c396d87e095582a22824

SHA512
3282d9ef92cb92785fac6d8a04ab29a29ee36423da6f17a147d7ae7b858fc18c1f91b99122549363bb64e9b9eae3e287416115641ab356f8838da9996f868936

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bc75059903596a3cd5759ca40add3e58

SHA1
5c445aa60b184164e987e9a6deaf4e556c9ffd2d

SHA256
13d0ee9c0699af8eb8eb0912d283599a96878cd2c49ff7af5504e803afec5d29

SHA512
e432eeaa396e15b3cfeea6ad7653b010ba7f87317cd2b2284691ef4660e224772e05ef5025d850ae8726d4482fc8c72c7803186c43ccd9a0680f2dace83628f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a33e165197961048896b39f9df02e445

SHA1
fd59897ea15b18294248a26fa5a788b9a927a3e8

SHA256
e95db12e7a567f1a23a98daae5cc67a499ac7538310a929f512b8d0be066a1f3

SHA512
64f6342e0b2434347fc01e34cb10df46cf63564122d4d60c94392e53151b699b0d22f7e3fdff1dbd5f939d285c788773032187ad6d044390303057fef2684c69

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a7378be6ca996b01672cb353652796f5

SHA1
324baae97abb26ce046e65c2e5d72b6990070dfc

SHA256
6897c25677c4bffaa10fe063c9722ba5867d747e458255a51f9bde046250c77b

SHA512
70be3a96dbbb74c411736ffae61fd6f9e95e5c228a74e34f0c747df11c5f3a555ec8a5b21b86f94c06131327d3a9117984d4c22b16603ffe9ef786f48f33721e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
19a652e053055d47ecd3c2976873ed92

SHA1
7c7970dab316239945ddecdc250ccfcbea8fa09d

SHA256
fbe40f3012eeee714621742e42ecd285e8eb129d5928427937f8a9417d66ea37

SHA512
1dc77aaa6f386eff3d300164993c552cbc247e3560031ba709b25895754585ba7cc527c4d7d1b2e933b6879fca702dc0fcf4a72e731db6353e06c0743d1218a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6eb5c8ec5e2c82d5e7ab75a68325280e

SHA1
17e2a30f2e2f0c3a2e31c23978398c28f2d44bf9

SHA256
649af5fafea0486a1e8440dbbcc329423f6a09511919e0e4b8dd8f993dae41be

SHA512
0f81af15ba6ae361a9dcf7e75ba6983b1f297596be38f3b7c80cce6e9bec3387e4c892123c3c19f6179df1e5ba84456f891211521dbd2f025e79cbf1933d42b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
df0307fae7263c70d07e7731e301261e

SHA1
8240edc449adeb63181af176f921539b0b3737be

SHA256
54381a3472f24caf4789f9e7d10b4bf023113c4205b688c47c4d706cd25f0a18

SHA512
0fd1f833be1575781e8253a25ec65f141f5ab0b85c2af1ebc456b3acb51ae99f010f183c79447119d80bfbbf65d774bc35a614de6bc90c43ba81ca851e983b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
95ffa998ad3e72ba7a38b392e8ebe262

SHA1
e86bc71a89bd0a4db43c849a8e44594fa011d1a2

SHA256
3db58aa3d13d65344f7bda506c2933ef7dc29d57da75675cc0c94cee30bd2cdb

SHA512
6f6df08e1e5eaadc79be939f3a5911edb1047ac82e50a426a1c939ca7c92d8b217f10d7d0e9136407ea56a55bea73ada9190f46185ab2021447515f21e99da45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
75799794b74e59cffa44e8df7882b494

SHA1
c35498298fb18f124726a648172cc3ba243e2687

SHA256
3ce026c5b4daca12a3de2eb26f7e174b3fa1793f8f9e77739827e74a4da432a5

SHA512
75a83a617df10d74d86f67721c1e719d37dfeb751619425f2ac2d9b33b306642faabb28cccc0d5bf8993966b3420835e3e08174b1072b2042c3cb628d5d65dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c102c137a73149c714e3d527cab08e74

SHA1
c5247ae2b9daf9afcfed867ea89a0f4f5208755c

SHA256
ea4028bb991c02cf51626adc4947c342e1e0d0ccc3769bbc2ff1c56aa45578fd

SHA512
770d775e0f8cc98962703975826310dd5778569b1d9e066f0c5286ce3087eae838bd364c33a155282a0a3574bf2cef4a65979dfe2640dccb06ebb7a2cdf82b65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a862d7bc472cfb8addfec9556ca20307

SHA1
45bc7f8c3fabc5181af4ea5c3c64c0b7db7c4d04

SHA256
57dd05e3270280e3ea01bb02b0d0c0da43b0b0c868e7dfc9a3a7d455358afdbe

SHA512
3ef6f8feba443dad75ee945c2aa0fe3ffe7aba433c6e5276000386122b921e2a599e1907951e8fee3c69cd30611d0de53a823e3b2c841687d79328a4e4a4def6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ad929431c0306f91959bc277b14be0ad

SHA1
6c8bfcf493de6abbcc8b2451a93431fa681cbecc

SHA256
0a4c7e233064d1e4d0748910fab9666ac1e401459deb9c8a8ab8b15958ea9fcc

SHA512
a040a1cf630256bda0efff5d7bc952cc0fc0ee98bf579523f1d5c42bb15f2f503fd4a24d00cf18cb3961cf5d57257ad278fbc693cb576d79b22d020656d08987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2894690be7da17cb648bb8778539c283

SHA1
5b62b25b9333749e09ffc3fb9255481c9164624f

SHA256
f02cb2c23624e73335e91163e6aecd5665c0176f65709a5012997a4a40b493fb

SHA512
1dad5fe0792ed001cf790591ed4110a817b251bc09a62ce70e0d14177beec20cde308e6f9de531ce6b05fc435d771945fd44677e9443286161e99b56863c9a98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
365ef2e7ccdab7a6fec3d4f47d502183

SHA1
47988abb56610e581177132f79b2e33b1211c4fa

SHA256
6c51e45c1b0920d7eea8690f691fb6fab047968d5e9aa511de0c3f95c1dd9267

SHA512
b6b9866cd2f016b9a5dbdc9e5dba6f06a0792af9a8bec8c5d1ec90c3fd25df55c725ff5e102f6e1458459ece52e6b1e27749e7dbcb3d39a9a3851e538f9c3541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7ab50b0c8dc19440b257b1486a64b329

SHA1
fa54f678e321c0d6dbcd068943ea9391ae77ca0f

SHA256
4400069c2d1b54564fa62dc890d6b5cfcc8849252e2c8a791d102124426e0cec

SHA512
3319cb53cb7b462db645936ff71b9584532e812f48a7ef1ee7482a0f4a190a8f8589eb57a6828a081698e1c1831b3af7af8a5a5a06687235e1bd86bf0bf2fd70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
33fc8f8b9c1b76df4fb04fd9dae82287

SHA1
bddb477b63743530d35ebc25a3d72e3ebcb533a7

SHA256
b9b814cc9975a42091d5bb1eb69b78c7a1716df025b973171742095151c1b801

SHA512
6461255e34d3b4910c59220ccf046933231b80a24451b5920309a0ab79e749173d4f248d04f53b71038945af706a1be7cd636e6e9c2bd8b687ff38fd2a1f1c86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8544daec8861810c5a3b4db48c9aaf97

SHA1
5a354633514b456e5de84839e61bd4ef98d78684

SHA256
2804151456b6a88e23edeab919d12ae78eed6b544d9b552e64c55bc6a155a180

SHA512
6003aef0c4d61b436cbd36130a502d151a5efd4fe92c7d37ba000c05ff8066edeec584be070b5b58834ed579f36de1369e367d9aabf37aa9fbb39f2e4e39a110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
848d9434bc0cf417e06bb43172958cb3

SHA1
e7c773108381dad8ec1c9479142a82bd1a9552e5

SHA256
27448a7a9a7391f4204663060a852f90215685a3f47cd5b15198c3c94f65a109

SHA512
81e4cf86b307ec88fd677bff83fa0afceb6b34fbc43a682fb1a56285307fb853a31b0aea5573018c3b7b18fbeac2677f0c7ed98416f1e55c0ab1131c47c73f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c2f3fab807747c79f7829c8b43e2f7b1

SHA1
800f345751ce27211e8a852cf4b1345826706d81

SHA256
da4eada75035ce2087f6117f9bd6fbd24c4c827d5b7a8b7e417aa30e86209e59

SHA512
bda818c991263a62b0bf02c9bec616591869c6c165bac14aed9211c2cd3fa5524b36d3f7edcd43616cd6642db9b859601e26fc0aa9479bf69bef7719279d6536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9156466572bdd0d1032f9b489034f7bb

SHA1
cc921e15cf1f2b4f369ab3dbf0ac804897e2e227

SHA256
cbce8d9184c9cd8ef0ca87ac75f5bf612788a23ef5d66204f1411c04467f0f3b

SHA512
ca5f45a880945e2835e5c45db32d5c1ed32348294839ac98f272e48baaea1356bc391be1d80831e8ef09ac338c0984aa1430abb4f606331933e041a33bacda6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1dfa1f9d17db1ebc2529d21dd7d1a4bd

SHA1
e729c88a173eabf02ce85315f4949acf8b7cc68b

SHA256
4e351bb457d189bae31231fd4bbaa18a2cd79342f2067aeb37c991d6869f8b6f

SHA512
8f8972f8ef09d3607d996dec512d5dc3230af45a6484ea2ad841392c88069012ce5e822a139cb7521da5a1f0bd8c193e52e076aab8544fa2f247fffec62d4941

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
088838adf188efa34a732c08553cc5d6

SHA1
40c4837b8b575da2913669a1b8afd70da1f1b49a

SHA256
70fedd9628f28c38651d500d868e74d7deb668d06cb6a8b72545cd8ba2109f94

SHA512
a2963a0370048ee292b11ff0551366d4c0f19359f0a1d2422fcdb8dbd807e5e184e95a65303963ebf9d3049177b2672f82807716b11f6243d779fda55e808c45

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
eea4966fd132ef5440a43cc3e02adff6

SHA1
85ed6fe645b186b17deb0c5b06b87ba91a2bf15a

SHA256
6d6d177fedeee3c9e7ce1ccb1fb3ad9c00a960a08db3b1f7dfb285c0d817bf13

SHA512
d3aa8faeb6c1f4cfcfa6171b9a9c4eb04f35797b8a414bb1a9282813640b89bece6b0ac215564a1c9099a754460b288656573ad8a3bb7aa240f3f47d19c06e2c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
924e9b2d0b35c1d815c66c18e31fe984

SHA1
79aba37e431286658859060867b60a685e9b7b3c

SHA256
965583484c771ae2ca603ea4ec047d3aaa381fa8e798e6afd7e4aa80447f71f1

SHA512
c98e6117944f8084350f9e4f4adb38a852aa8bdb403abcb278487b19ca80762448fa93e30ebd45088daaaca46edbd8deaa93ea5a8ae2150a079d753b76cb0c80

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
215891d8767875a9e8c2083a87aa939e

SHA1
a2eec2f6caa81f3147cafcf4886960a38787cfb0

SHA256
3f567c051dbf251d60e268d34ab03a45439d7fa11b3b9d9340b949b397a76928

SHA512
d9b86e085ebb770e2d522420cb3f1116770133dfbf98d11a3a2480604cfa10c7890e6957ee3341fde879de077bcd5d137671b9e6d96e4c3054c2784fc275d2d7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ead194e51b759702f25e8746797623d9

SHA1
74cef8f914b238686ea15f5c8c1ae7415b7b6f8b

SHA256
b146f49d16056cb84814d61304b510a13d9540a921c25de4038a74bd01578e68

SHA512
0dc62aef58f9f03b36d520990a79a027de8e9edfe46b67a95047757dc099325fb47c15401a07d169a533c8a15b686daaca101855e03c3cac4bf608a2557b1ef4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e5463118720abff59bad7ce8f82b3e39

SHA1
21a20dab2adb32fbfaa93cf434b7a84f3cef2ae3

SHA256
bc00908c6dde14c4e53ea4be9d41fe43c918086a926a30f6256fd761c496755a

SHA512
0b0e55e3b559c7f085bd6ab98cce22cfcd7263e1dc91cb5986ec2f6f03b192c0d56a84a028e135b234844ecb898a60976adff3fcb4e48906d19eec7ad300e898

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f15d4025d1e808986b4c4a83923cc3cd

SHA1
139864c409eea41a46272ecd2925d920aaf58799

SHA256
68aebf839e48e8d4de76cab63bdd260fecff274278d83e02da75c8e3a5c44674

SHA512
25b1070807eec341f6d75fe9aca64e0a693ed4af7ce9436f2dc12b0a8e57abecf60eb16eb5a525a43b286337f0cc8e7e35495d928dbf8c34a8e3916a085b1170

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
75f8a26e3e7a4851f0b85b0ef518bbec

SHA1
db377342ab3a8ac4c801bd7dd257aa07d832c16a

SHA256
60592169396d78b128866962cce10911fdf711f6c36408aa283308a732c81fa4

SHA512
9c1958e108bddd1e23690d3a05d7a07f2c78bb7a7644b99827aa707b04839b4c7171244fc4f60d095933512660cead0eabd97a5a432d203f5aa7391641199f30

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
86e622bc45e43b37531e96cdd3def25f

SHA1
f90c6f57a4e62b200c358264a41f2a4d8f2318a7

SHA256
c4e6d757a1ed396a6e85af6bb71a5c9b25082031057490f79c4085bc07f8d779

SHA512
8211e9582ab40e997ee5183263c4fae9025f5e6b44bb8732774a12fb7ff1a8bcbff1396dbd7df46a4156bd8c74db319a260859adf4dd032250ed8645791f7a2a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
366060ed83488a3bbff53749bff7e04c

SHA1
b06812ee6f066d59776a580fd816d9c4458fbae7

SHA256
974873718b9def1b783707753c014ba04d1fa684324411684ffa7fa09952bf78

SHA512
9298caeb358bce8df554543b917f7f0397324063de3d6bbe6bf15112fee5fe1cb54dd0731174a1c1884fcc87a24b86f8b824850f2bca9ef83c63aa9e8b358153

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5777eb66ee9c29e40c42a9cbfc639979

SHA1
53b36cb01d7643f9819e788c0159ab20a61e8911

SHA256
5ccbbcb228255b319c59549072c163d785dccd0d4bbb33871fcc7e2889dd7476

SHA512
c49ce4948292cf4875fc42ae1a1263db3c9eeadcd4ba8ebd5c2b4736db9f819c73bec427df52ef47c9618174a6f22cb9bfc94c5eb9f84076790aff281245994e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4c3d2988b33e1605af10fee05a9b67f7

SHA1
7b8f65771643b8df8d7b2318c42b0dd35bc11da1

SHA256
386da6be84feb51ee4c3033c4af41b6f6dc0c0aa666dc6549d9a76027c54ec59

SHA512
e3deb5a7e5307a9c948df54b0b072f78ae70c4b5905aa60122ccda97adb6cafed898e714d43a8aca7b422a9e0ef9d021b7d748e8c948844af26aa5b004cdfd67

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
21ae4a01dc348b2125eda06e836df40e

SHA1
b357e11b4f9bb1370c783e8a5cc961df2f8b6b98

SHA256
4a6d2331926e6ae9a80b55fab1fe84b3da2f7d4400b55044cb6e536840998195

SHA512
61ec6b0ee078b21bb96e1555125c0d673c9fe9c998abfe9ea63fed0879eed4c6852ce0584571b67ee76aae2476deef92268ed61dc2ab51ffd22116fb857fba80

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
27742d55dbc4ca34461c626d642976be

SHA1
73b77f47caaefff3782df2714a92a331f00b0c44

SHA256
a915cf0493f661fc6b6ec3f35bc320563f62da315d1403093021df5a19fb94cb

SHA512
41d83cc510b336ef72706c543d4c2e7993fba5c228049043f5e71cfbc4cc4afb57cef424c31460ac64776cffa14652a7fe2fabc2e088b9731653b3cffd36782c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3805bd0654f03f17e92965fd5b1c4595

SHA1
d5ee3250b40de8980d9f2723fd7e401792d0d1ae

SHA256
c4e9451cec73db0d116597713101bbd4ed19dbe4c701c1ec166af376f330cae8

SHA512
112c05db8afbc116f912c4f57473764d8fba53cfa785f3f3a68bfbde5428c530e65a3f6f55c53b572ef879bce59afec465cddf8a7266c162ca7ce960422f24ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3731b42ac40658d59d846fc4f75acc81

SHA1
cbc76ca2a13516fe5fc49285af1ba167b7f52aaf

SHA256
59ea7e22a6eb38ec1cf17eae56e3a6177964c46646053b2f04e2e7770c4bc7ad

SHA512
6b2ac092243c75347f5afe0bb67389fee602ff69b87fd9fc8b1391b7a969af508981be7a82156ef2664209beb3efbd66cc9b21ba2ad62fb34df923eac6068a7b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7ae8d7e08ce761d080233db23d0083f8

SHA1
b004c0e6c8995c36e9c4f221e8c8f4dd872b6c8c

SHA256
eaffb092df3fc8e33a902fdf11a1a9b87dab64cc9bc15c44a2bdfcc57b58d57a

SHA512
00aa62188069887d2755daaa11cdb819c2a7e58d0fdd94236efed39b0f3c20ee49defe7ced783836e0611d2e900195ae78879e94429f4a03492ea831f02d370f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0a2a8462c597bada99485bd2bcec551a

SHA1
944d22e3ab9481be00fb37a2f634b6fd3fb5f698

SHA256
59edd0fd637c1cb8feae4cfecf6270d80a37b15fb63dc58799cdea1d570956c0

SHA512
61432b2ad59de7e5b23ac846da0af261b513f12e73c56f50f948f548261aad952487d819e4476893bb71e59e3eb3e3ef6b6edde7bd62bc7fdd30847b07df5a79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
46d1628ba2230371d03a362bbd07fd47

SHA1
1eab0df199103f7820b2c26111e1443e54b81744

SHA256
199d88fffc0af9cc577b32bc9be94d3631335c314fdc521dbd7812a3382381b1

SHA512
5df0f872bf6a0944d84f9d400d243bfa36fdfebf70dea47b7ab8ea81f3b87679019faefb9efdc727dccecec8048cbdf1bf6b6fec6db9e3c469776c085747810b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
25a91eb59f1412fbcaced979c4b41a79

SHA1
441fbb5fb2efe97ba2576312be27f7fe56802add

SHA256
8ecd6efcca0cae06ff1ba9ef4904b20b493fbe5b57dc6df7d6b70f300c4ba350

SHA512
692a49094185d82d68ccf96d19a33a9c636b4b2fe176690bdd280cc154ab1d2791e533ffca0176c0a38fd92cca4d06fc7566bc3b3d5f69caeb6f7f9098451914

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
01694569e392ee1b20fada9d6027052d

SHA1
306bfe6a7e7681af0bfab3b3590c25db49bc44e7

SHA256
5c59b74578c9b71dae0826fab343d8a1a17cb02e9ca7e78f7328ed73993b1a8d

SHA512
678031e2c72797d548209eebbd5d73f8ffb9a5a18a216e4028c94e252c4ffddc0bc6eebed345d263b70b36227b7912d08c10f79efae198df8db2f8ab8d07f43a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c963235023daccc6f06b2acb2cf895da

SHA1
5634d01bc8c6f7a8418fc927ef7b9dc8eb71ab60

SHA256
61638c13071a484521de159638c507690de44755d63a4c15670094ea3244b808

SHA512
f3fdd94a99b7273e742af9aca91d8c4f71574202d65339844ca628e2ff0f97cc0323c4a00b17af494b1110a67e7dddf5a68eddba3c54d8c3eea1683de65c725a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3bc0d241bd07d05e1d51dd1214545d19

SHA1
db658052c53c96a57e4cfc3ea0570770102eb54a

SHA256
3aa3e341266b30f10f26e3242cd7e10806ad173d518bba0a1af1adcff796e88e

SHA512
4918f5a22d93109619dec81fd5365d590843e760fdcdeea740d221c4ec841301c4dee1ae23c955ea839611e63da69eccd8686fd960ea275b30d2ca1f5fec9417

Download Submit
memory/384-557-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/384-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/908-607-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/908-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1020-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1020-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1124-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1124-601-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1152-136-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1152-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1564-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1564-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1916-414-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1916-2-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/1916-6-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/1916-71-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1916-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2108-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2108-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2108-88-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2488-36-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2488-55-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2488-42-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2488-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2488-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2528-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2528-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2528-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2528-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2528-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3164-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3164-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3316-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3316-125-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3316-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3316-31-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3432-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3432-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3432-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3432-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3504-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3504-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3504-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-602-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3544-195-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4160-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4160-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4328-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4328-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4396-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4460-54-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4460-52-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4460-46-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4460-176-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4484-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4484-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4592-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4592-608-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4880-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4880-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4980-598-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4980-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download