690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 08:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
Size

1.4MB
MD5

cabc3fb02b8f5ded17e202976dcd40a0
SHA1

faa8ef33fb0eaafcc58f0896095fdfc6e454f5fb
SHA256

690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388
SHA512

3db0063a833d5afe0ec14f399fa17fbd72f1d72014336a30097269d5a608053ebb3d6d6dfc248dff13be43aaec8471d159b0422c8f81ea1cd977bb43c900991b
SSDEEP

12288:nvToH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:vo2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1040	alg.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
1444	fxssvc.exe
4612	elevation_service.exe
5052	elevation_service.exe
4056	maintenanceservice.exe
4416	msdtc.exe
2452	OSE.EXE
1792	PerceptionSimulationService.exe
1672	perfhost.exe
3020	locator.exe
3012	SensorDataService.exe
1828	snmptrap.exe
660	spectrum.exe
1436	ssh-agent.exe
4036	TieringEngineService.exe
1680	AgentService.exe
3524	vds.exe
4056	vssvc.exe
2880	wbengine.exe
4816	WmiApSrv.exe
2788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\49b4aa5e4bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021a11eb268c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e077dcb368c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e2b63b068c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094c7cbb368c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfdb73b068c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fb3d7b368c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066189cb368c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9084bb368c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2068	690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
Token: SeAuditPrivilege	1444	fxssvc.exe
Token: SeRestorePrivilege	4036	TieringEngineService.exe
Token: SeManageVolumePrivilege	4036	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1680	AgentService.exe
Token: SeBackupPrivilege	4056	vssvc.exe
Token: SeRestorePrivilege	4056	vssvc.exe
Token: SeAuditPrivilege	4056	vssvc.exe
Token: SeBackupPrivilege	2880	wbengine.exe
Token: SeRestorePrivilege	2880	wbengine.exe
Token: SeSecurityPrivilege	2880	wbengine.exe
Token: 33	2788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2788	SearchIndexer.exe
Token: SeDebugPrivilege	1040	alg.exe
Token: SeDebugPrivilege	1040	alg.exe
Token: SeDebugPrivilege	1040	alg.exe
Token: SeDebugPrivilege	3216	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 744	2788	SearchIndexer.exe	111
PID 2788 wrote to memory of 744	2788	SearchIndexer.exe	111
PID 2788 wrote to memory of 4960	2788	SearchIndexer.exe	112
PID 2788 wrote to memory of 4960	2788	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\690fe1f8a3aaea80642698c60ec094cac4cd1c6ad7b5b4b533da07b11d08f388_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2720

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4416

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:660

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4812

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:744
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9836dfece3f8cebf9b34bf7b10f6b0d9

SHA1
df6c43f405758601947c75168ab24685389c9c2e

SHA256
47838f06317f855dd9a74927d07ef440ef9ae57a78c7707a6be5534d3f498f1f

SHA512
05601a40af81ace814328682185b39d67f4790107b47291c359ba7dacacaa9419312279787188b1da5d5bcba4c11bfdc81b7bf5935de4b92dc0e84ba07ce0752

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
58d2eba38a1efa9faace0a60411b7004

SHA1
d7b1a71d0f07279d48bfd9523e57a068c473dfa9

SHA256
bb56f04c8bfc7c28ea335e1aa28024cf1233bbe64dd2a3d369d0ec84a0f88443

SHA512
83c5dd082095bbd9be7bf831415b27bb62c0778acc7988654d0963e6596074690b95d0f6a21437ecb036eae0fa1bedceb91bc5a9f354b35d1b18e202eec4f84f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
2353b2c7aa2aa50c8b47b9a0f2155016

SHA1
f5de2e2bd5c5fa248501a5db3711e8be136bd8d8

SHA256
4227dc4981ea12e4ed4ad9f04ed9c52520b3a5d4636cc299e5e4c82124d6da22

SHA512
ca3cb37d3c7aed3a31ad25a8d910fc931325bfe2502a8aa45abe2c2287c3c2da6df5a99219541ba3bb9bf2ba5e90cd66d59c3ce7ea2dc59c84bdcfdebb80b391

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
45905455793ba40c16ef5ef6f5b91628

SHA1
1988bb35c2d6c8d26f541c30a67b280dd4e9ff35

SHA256
1787c5deb6b2e5e7cef54fc45211cef2adde050e1503473c97944637aa7f8155

SHA512
f50bce5c658cc82b2ac52798f9c861f489d2f8659819385c248fcaed5f41fc7a9ddbef459b7321c4cd6509be879ec6ac500262e3403ef1810215e52888bbe726

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4bb273781a98b2659b3efa7460c97c2b

SHA1
e62ff995fa2e60a908ba33a11451a986569a416c

SHA256
327f245b717e8063cab50a56fffd5a9dbbf59bcd6ff3c4f701363f3ef7c31077

SHA512
3770363f3e48d543fc7e1cc392648a5532507533d19e26985bd9212f7a64c0615acd5443e7341d40c9bc7eaa62a1006bb580e273551259bafb027e92d4643bf4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
218fd21195151fa2f6d9386ebf4d7b91

SHA1
a3431343486ed83814546f961e1e41457c7c5109

SHA256
57fe9b3ef84de66ddd06951ca46387c722677305b8a0623e86cd84befb86019c

SHA512
de3b114555aa6a30717c4e62718b39fbf8f0bdf6c17d38f9745e786a4779d310713d4f6c66e33b41190ed46e8fcb25a141da2fb8c6b8f0ea7c19f878cc2936b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
f37a56901716d1c2736e504e912bbf4a

SHA1
4ff01abbb5a9fb3fa5f390183f2cd14ced789ee9

SHA256
f0f348d9bfb524c307449bc8a7c7d2f51408c23546e7cebf3b87dadd0eb01dfe

SHA512
3a8c5990106393211a5dc32213f39b9fa65e3aab348102819d2c7973f79d87ecc5e5ea2e34a5acb3dcb30efa1f0cd104fc8a89df588129f5059df6d1b62460bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a697725d310877e619a630698fe073b7

SHA1
9591db733967ba9746352d46862f2491a626a80e

SHA256
449c2bdd36dc03d433176b6a6968b42ff8f5defb76edd5ffe4a4c909f710826e

SHA512
fef94c533c080298c4622a36071177b7efc248f33d938ae472c9c0205c255bd1520d1e0b3d3bfe73a0ef7296ed598fe90606bb6846adf621f1d11e420a27050e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
783031d9be8b4bbc3ba407bc34e8516b

SHA1
9a54cfc4e9ea7b25dcd49e63334ff9bcf6bdb10b

SHA256
5dd59b1fc150eec11db2c8eb32aa87fd1d6ea7299d2ba55e5f726778a038ac8a

SHA512
321a477c4aa394a00b02071d5e6d0a25cd0d85023a4626860b7ea0bdbd008d2610790904097b91597edab363a40b0afb6f3e6c9586d3930c3916c6d62b44e061

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bdb62ebdc327110cbf710f76e2d2bf9b

SHA1
e901f8b5bb52664a928e876c2ce0fffa90deedba

SHA256
6a25d5c795293416d0b92d07f82966d0f20726b8e958f1800fcc5e7720ffb686

SHA512
590b7878a3e637781534464c53e42cb1543700e3b0a173f732d7cf4ccf3e131fa4d74f1aea0643fd5d8d688288e88dcc8c334e0c1991684386fb3f1cd1741d8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0482c6dd25b6710cdc04e1e942df4f00

SHA1
8888851b9d40e5794026d6af8bbaba6b24e04b30

SHA256
d8eb1698f0350f94352352ae470d5decb6c6f3db9dab070935a0970b7bf00248

SHA512
80c93e98519e8c8ca0090c3175f39fc529516ff8b683266f63b3249123136b52d6371fc67455c526e893b1c733617d97999843273a543712782d70dfc1e9a23a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c9867892fae8e63ae5571dd8644df6c

SHA1
c1da0fcf2d04fa6cfb6ed64d30344380b3039336

SHA256
650e2f33462d39b7e77e5cceb26f2505e5144043ee711d6c67a81869620813a3

SHA512
a7f6a3d6e4b13fafe346c7ce664b70decb48d5216f070f0bb3f450a26ab59646f5994f2b38b2e484bcc3bfa7db4ff6f170cbe98153c5d9457d8865fa088c739f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
6b670e0effd1a8df72fe885c9b3001d1

SHA1
b0be462f303b06d8b2bdece72db19c7e91c2d2e4

SHA256
1acd9042f91e81ef86f303e4e0abca829526083d55865afd245db91ec7915097

SHA512
e900568a2b2e29ef73036653b2e1680ec744e1300fb306931085d5f37b286aafb40834b7818bde21657a0fffe32a2a83882a56a66ce82aef9e140e8d1298d1d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
d2c6096f466cf0221f823d9f7172ffd6

SHA1
3af88108c4c980f05a92144bfdf27b2d7190238d

SHA256
ee636dd5d4fd2b18ce238f66ee51ab2c7e85dbb3fd54d69c4ea6635c7364eb5c

SHA512
6410d75388b02f1acf8a070ea1d92379a318037322a463491afeafea8111f3064a6995f69ec6e30567ef3c84c680f1fc27f686ac2062f6cb76f5adfa816f2a77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a851c36151fa749a3830dc2c8dd7b790

SHA1
8414a37be315c74fb3c26d37fb86d48bab1b5d9f

SHA256
26178f330ef1d2de370c912dc48899a0f79ed5c0492e2a3ac42734f4e1ed57de

SHA512
9d4d07f0aae8b6a8d22a862ee232c0758197c7cc08b574f73fb458005d1c20e77c67849393c251eb8c9d926dd48a4312f9f684a46201b2fc493cf07caff20c8e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bd21cdec158c9f4407e52289fe58aa6a

SHA1
84d5e22414f793df43c89d4e6bd4e579f48d1dec

SHA256
9cb702465d445c88290a284c4b8154b019ee87002761093acbc2fd76c9cd86ee

SHA512
41f59f8f161be447305a7f624233ad97848ac2fb1d70c1987dd96c0974e8404559ccea52c4898c9a084d8d80cd3d99c349bec7f9e9a9f5bca66bd05f332b3675

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5b8694482d8a7c5dd7b7bdd164107cd3

SHA1
321d43c697347c3de1bd388b5c3d16d154572c9e

SHA256
f17120be20ef8d3b3dfdf2d35eab4cc3557d04a2910838e363d653bb61f01cd2

SHA512
e33a8ec21127d51ae48f0e8b44f8f912c88391a5de511ae807c03ee85701a5123beaa103381433285db14606466bc183cc5e99fe81f6d74a1778b0b6f7b7a614

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7e9a0d6b25002aa0f218b7758c143fbb

SHA1
46889e06d48f67052f46ccc145894320829a1cfe

SHA256
b82ef22aa17dff98b85736452f8ef5c15fea960a32150a89c007d90c0cee1c17

SHA512
7a1837fe8fe0c402ebacfc19c7e762e9585d2fde2a09dc5cfc65bcd284aa2cf0264c0c7ebcfa3c7f407665a0b4029968472482e892bb8bfc2cc1d5257e2f9e19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
45ca054b51cd6855263ed6db8089817f

SHA1
2655ecc9fe82424eb73e24829acf14164565e629

SHA256
6630e387a0fe83d33ab30da8edd5a0bd50d33b8e1090414c3b90453f98cbae15

SHA512
223802c922c31372fcd88f9ad215b86a80b66bff2d21ff3b230521f3e0650943a38905c2f3eb4d4dda6e69a89f61c9033e95b12add9d41dea79410753b879c58

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
26a008f5330a32730da62e170fe74c63

SHA1
86e34c81745a104037b9d0be26aeaa1f712780f4

SHA256
33663cef7d6f6ea7f8dcbd0d2881d93686afe286c5224309719abf11b8cd701e

SHA512
5011308c7093413333083befeeaa7498f24fb04645cf2f88165ce29d7842dc6b6a3e0cc9f6059392555bf7815c9e704d9f2baf86d6672ad847aa4623e1340af3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
88093e0a37b68473980f88a0bf19d122

SHA1
403b34d29e438bd11c6affac34c72fa893fdaade

SHA256
f5345e4ff2e5f94aa8df8ac410d46c1707aa311445f18633dfc04c7a4283c1b3

SHA512
3d0c80bd580cda65ada1c87e9cfc712dc09f20b9898cd8f22bdd0a3be935580c9c14f61634d6d3aae43319ec3dcab2f7620099e2efbfc5ab5a00c365c988fd95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
519800acbf813f840d0cc181c109ec51

SHA1
79c12d41bd00694e7717e996790c75ac1acce5cb

SHA256
65608208835e34dac5779f532a900196d00092046df8d3998d399506aa3f8669

SHA512
040435cdddd00b04d3253259f3699691ea77f4e168f4895491e212ad7854edcfe0b61a5fe87129cd6464fb30d14e00f77c16998beb134effaa180fc13686e197

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
23133947c8fabbe92e903655a780724c

SHA1
c9d1c8e237316341345312d42b064e94b25a7d1e

SHA256
e34d14bb2107736ab76a427c0c513a6182bf40173ea3fd24ebc8102caf787b95

SHA512
87312d799cccc88c8e8ffa8b9d08d9bb7100ac38c99a30fe06c9419555e922ca9b95ee22aa7979c250a8b7169d6957902ca4cf4a8b24d62ae6295813dde97074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a834917107a672bfbe9f4da82655f368

SHA1
b381f2caf4ee37649cd0b729248573d9b8b0e998

SHA256
46363ef44d0382345b23f1909890ffa2aa83f2defee7719103300788bb5ae791

SHA512
8e53765b55f3095a69cdf0c00ce4a5df2978b80d5cf0a06eddf4169d4e84cbe40372f6ec5c052453ac290049de3eaabf84148710d07ef90ed0096d72390aab16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
31131c74cbac658a1e988559789f95e2

SHA1
10da072d92bfc728027c9ac772e20fde8d896a67

SHA256
b0fa83b38b8557ca0d37c6672698c51fb93683642d38525e947c0245bcd30d57

SHA512
3afcac675dd6ee6e9f47aa59b6fd9511162024d592a41a0eb111e7114df264926f1976bcb071bbff8db3717693723229803b71bae5bbf0b07c7daab9ed171f1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
e344c73988c14f83a9e9e6f9cd1df411

SHA1
94b4261e2490c940625f94e80a9ae50470684f86

SHA256
7e2010fbb48a86be481e7dc2983a328a923954558cbc5bf9694974bba95d2ac8

SHA512
be376b7c03d1d5048d44688f6c0544909d44a1ae0fb5e0b90902f4dbd45547b522f40847e24a8155fd75d0fc8b9e7b2f6141e46e146fd29f3ebebf2604ce12e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
10d82cc6bf67d236892448a0862f3d53

SHA1
6eddc62ee85a3c984c5d13b3ad29eed4b5115f14

SHA256
1523f1183a52f4ec54852aa9740e46ec9a59075d2245dd44a5ebf504adc00347

SHA512
936cc9d5e76120839d254454a6f37e960f0ef7be713cad8dc67382aadd74b59690a33b5663f6c0001dabf2b087155f8c7dfabbdead5a6c52e15664c58cda8771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
5c728466fa0438840cd8a0779830cb8c

SHA1
f1945d2772c4fa6c954b5ac2c0aa221aa240f956

SHA256
b5867b576183376094cf3d95e229fbbe811f82255a6ec3c789e8f7f13ede917b

SHA512
e6cc85ae5ea9c6f79a0c45fcc0dd5dde9e853ab3b080701e35569dc0bdc3329d62f7d5c995d702ebc24106de24a47de131ea922b89ea70806a91e78853d7f230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
6b64f86851d8089c761955ded37d7e09

SHA1
e1f22dcf72580cd8d8d3543d9c92488cdf352813

SHA256
2899d9193b4a314cedc60043a49a8b99e904b2b8f65f7bcca8b6f68a97e51cec

SHA512
d046edd3a6bdf498f8cad66791e22f79fa2b48c5e212ea5f71584f5dfd96d9dd9fccb6748b04adea7d29193634c9cfad1a34e0865c0706ecbe86ccb48abf83b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
b3e64c9a787ee16431d4f86b05436e81

SHA1
bd3f762e8739d309b8f1511d23d6670ad1a411a2

SHA256
3b2661d09686d6d86225340c89d144fc118e48c88174ffae0901d878d8c38f77

SHA512
851f9dd02096d3d49ccacd6a88b65d57ce3bafe191875900849fcf9037369555337fe32c0bdeff68c0eccc74e3c5e12795b47d9795526ba75eb6510a4c02b5d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
ee9aea0d2cd8d61df6da136ca066b572

SHA1
eb905ab55b314779ef936ff04842d41f842aed81

SHA256
16665fe077ad59464f6bd7c919c8b685bb6b15eefe4ac82f7e8b1250e3f2a6f1

SHA512
1607974fcbf3d549de8418018743747b444fef0a98a934932c1cb1e6d114055b0d0730148be65ea174504e353869e876fde043511c39379e654251b9a87eda0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
481856222f5506d0e40e2a93d48148ca

SHA1
b2163b097601390e775c2195d85a3995e21747cc

SHA256
8fbbcc627113503bfbaf1d45848375ff956e83845e9c8bc3426cee449f47ef6e

SHA512
f4c3220a788326e286c53950162603ca61ed9f6e048066bce8a318830338ff865b8d4ad0b9ffbbea5c1dcfb38206c953d8f6d7c97259531eeaec8987c5ab6063

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
a33159f4543f4604ee44e7d3c2036c48

SHA1
9c324411ae753ed3885cfb4302852b76dc794c8a

SHA256
13e3f727e5ec59d3ecfa18c688ff3de9e328e99ddd67944e93f34b19f2b225a6

SHA512
6ea54f9d2515b3ce81c507b13d0c8ee5a169cee73b6d0bd08f2611877c821d002e3b321a3ddb5fe81e0279f5a7ed2dcd99f4a3f3ebdc61bf3e929e8f649ceb0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
45a91f40909636634e7e00d780fd6529

SHA1
22de172d7c6bc38daeaae4f8a9b2cc827f32f4cb

SHA256
2ec870dd357f930b36bec40e27a8a8b1b6743daeb2206f1b66fd0c5c117abd03

SHA512
3bdc8b64f73a40256f86805f8ca2fc974540c856d82533f7eab963a403513e6e052d22b98f5a5058acfd99c0d1215472148d324105ef2950e7a076972fae3db6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
168790af9daed55e7e823d736504191a

SHA1
e7401497c36323cf572e687f2508de99bc8a8d09

SHA256
efd6e3a6f0fcc796e40f396d0c0e58003dbbfbe4478d2b7875e86ec03ec5c21d

SHA512
5f669d5406cc39984ea8f17858a1648d2927d58491ba86de32f4e4c46b2bfc305b8d0f848afd1cac26079b59b5f6c910574ed1c355877ebd9ba85ebd9b119b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
3a620a8a524551bb3f9d82fe42731d92

SHA1
9f25549c263a31941781b26e3eeb35a01be02cf3

SHA256
dec4b437759189a5fbd11a63de693e3fbd44684aa80ea9e6c46397aa3f8ec7c9

SHA512
0dd018fb89ac147092ea2dc4a7703269f3f789f7a10232d3fbcaebf7285e70399db340b7cae3c0627254b21b5d61efd28e87a2bde4d5d622ab6691c78b23ee7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
99f46847caf497eeb9edc96526aaf812

SHA1
0136f796084db7d1feab4c8a747107fe8c009c07

SHA256
6c97d86937cb2c3a6471651f6c2efc8e923a181f42006ed723d0b5b2b1d3b746

SHA512
2d971a62843df5f1c39d8c419acdfa03615c053de20c4305056d8d8b28e1f0be72329d6f3a9427fced72e1ffa79e9dab55aa3c77e821653276a04c40150023b4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3de10f72692f4f629b68d78239d2d4b0

SHA1
84d9feafbfd634fdc7dd2e27ef78f64523daabe3

SHA256
7d483fd493b71e93fbe5a56b691434c5bcc30a6732f3748d43178c7822416888

SHA512
3cff5e2dacfdc530721fcd0c06c18c26aab86c3c14f117913230c72ca6a1d60c80130e8bd4f495553e287cd8b9a459a75aeb5e93edb9402d5a43d91e056eda69

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
9a11206b4cb9035e1d56cb3d6a18e2db

SHA1
84b40931729b0480afa8feea8788eeefd1e85344

SHA256
c17644778707db856e98ecea112019f89b5d31d1aa17f549fa70d892046f6550

SHA512
3d7e0a728414d63d7168cc18dfc58f76c146183c10eb34a28114d47d619414919d0703ea3d40614942d098b2de256862679d427072d01f6a81d4813339be2cfd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
89da838da1ccc4335d6d151bbbeabb8b

SHA1
1e5c553268496ac3929db0fab3977b3848bfc4e5

SHA256
7ee34607a4f1bd5cbf0f7bf80f5303e12ca6d40e5f823971e8a1209471f4c7d3

SHA512
8f7d570fa5b289e54e94bccd73506154a7b1fc9c632ffb5e3299a23b29fc12c31306ca020ce4978bcb74ac83d69f9d0f8cf2939d11773b63e42b8596c79c1502

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d6d5908ca0109c112a0adce7fc2bb03

SHA1
a5bea870f6336b92e7a15091d0020db22c304c7e

SHA256
ae030ff6ff4cc45f9d07783718c8e3782aae185ed96d0bd9feef1c1f09532a06

SHA512
192f613d324a89caed8bd1eead068232c3c0b55a35c13e974a99b9a89c1947e49632a60c6cf8b4d9c6c4b3dd3109a19fdfe74b6f535c680b4bc23b3f60e797ff

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
c80cdcc5b336dc9d3bec9731039e0714

SHA1
14c6049911836d10d46227c8b358dbe9c44d2489

SHA256
7c6201d0cd1b95da5a7a49d752f09eac0f44bf7d3f6c5b724415b42605ead08d

SHA512
526fd339c3194f34549cd727ea8aee59d5d6ee4614271155752836934f9dcc0379e5d11a797877c4f63f4c3b68c02990b61396be4cae8da9593471aca12c181b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2a8a8a79a24111dcf6c2d5c86f856a44

SHA1
4772c8a692ed187916b743cfb1b2dcbd7d1dc664

SHA256
162207463d74c1e3391ac515c57b15a4911b6f6eb9b96cff99ad06f96db3d1a8

SHA512
52039238533689385057e008e84e66ec52de9a1b1e7c6f4dfc7f44a8d96632caac3a44c511d350ac5bb6486545cba3bd491c4e1f00c59b2742557870c4deaa7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
64b726ac91450749b105816baa40c63a

SHA1
06f2c9381e99ba6e3b80dbcaaaadf6a3399566b4

SHA256
0a7f8783c55ae7c8a54dc85e2bbf806827038b6163af2b450d1fd6721901e441

SHA512
4a65031ffe5e1155f48d5c0e92508158c7ac8af0f392842440d21b4a7a64bd86a4de6da1fd57c37c79031a1f5d5665e4791238818ad89637884421d10068e175

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
5019fa4f17d416a34f366e1911a5a56f

SHA1
3cc7cbab723e5cab1a37caf5ab93ebd06a4848ce

SHA256
bf8332b5be4ba1cc0a4f1d53bd4809e7094fed273eac73a65e3df129b4d208bb

SHA512
76c79c61fc3c91dff11e4a38a9f760d70562f8184d57e0f9390fdd0033e5793db06cf7c311193edd8e612f1361e346c6e2a1640d81c9164731f6ad1609cdbbf7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
71a363ccf23d4908b0c5f386ad64a528

SHA1
3cb89a8ddbb49a3820751e3d284e658c1ff42774

SHA256
bcabf08910670027979851b545d7b2c96e9c9421cffefdea1e4a6c3d7ce83f39

SHA512
2ed682424fe2a4cc05e4011b9d2c2a321fad6b46a89c12e97c47b458fd23ec874358bb9d59ffd2dd400a8d1dd418a53f90a640caca0727d798d11698e571aa87

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f6467fd72b2740405178a96752b718b1

SHA1
f085f1addb2b8c572fd37a38bf6d0a07126008ac

SHA256
231b5e9a000ae06f43155b49843d485b1d7e76c65bdc84c4338eff245c8c4ffb

SHA512
b7dfe72df393fac13f6296ffe12be5297a5934c5ebc095d2a63a416709efd266d1c66701742b0a41a7c063bbb8c02c75348fe0018016570624695681a10a194c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ca8d95d7126e09699f38496e6209678

SHA1
69871491b185f658faefdd54af4d15d52e0db6f1

SHA256
25ffacf38853f3736932a569a45c062bccb2117b93f4e42b1bccfafdfbda1eb5

SHA512
d36e48f28eddc39bcbcc0f6b5f0f8dfa7e2c3fe5e34f85a58b1f0786758036db0040e7186006e670aec45311f3d0899acddffa98b5feec8b8d61ad6067c7f061

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ed69399eb5f508eaaa8040f718084b1d

SHA1
0cd7154ffa651952d22a858416d87e99d32fa696

SHA256
5a6aa2c1b3ec32b4ea9f20718b697778215597db2807f418ea44139ef343d587

SHA512
f01917fb4e565207df5cb4adeb09b5cdc9ab6de381f0c388841e0233a0f848c40a82d8184163d0cf276da6ed402b7a063c06e0e2871b28254efd4017773ab590

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
63778d29e34ce3a1f5fb72e4a44b5b1c

SHA1
91c8387dd6975e0d670aadc6011635eb016e1a62

SHA256
888ed73476ed23a6a9eea0882f6c031b39a0ef1b24786fce643c608943d4e0fa

SHA512
573278b94ebc6a32adfdbbd7334daaedf729bff5528867f481df04aee4f22f3071dd78aab0acf28d6727cb373a2cec08abf51f62b999f880e35b4f1f5800f65a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7303e7e38fb0fd1e1f220b306b526160

SHA1
580fccf14576c1e99c3763e6634538c92b834e46

SHA256
dd61542884508335a1f8fb776f5e190ecce8d74e2edcb9fb5410b6e2930fd610

SHA512
ed49915b14d078d62a27675a5aff690685eb70b951dd09e66436e618cca44554cf65791e4ec7eff851561e00567f016a7e0c650ebfff7a6b24ff64f88a061dc2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
82d06b793c908a922b7253488841bbf7

SHA1
7fad79838edb604618d299feb6c2d2b668e3e06e

SHA256
287c4934cf3ed4b370f00e0eba5b1a66be618b6bf968997e8a36f713e534a6e9

SHA512
56b741db018bf5e014a224bf007ee31847c76b79a72a79789e56411f9a398c7969c11a7e9823a64f71f98a9b8868a31b7d833994ad13d8438848d089ca37a695

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
d89f3a318c19a14ba108e10ef928bc85

SHA1
d2f39acb017df0f2ec70fd7911e2be39f71767f2

SHA256
a370a8e564103f9a3e3510043d7810323283efebbe27fa68ad2c06d4b6b40a29

SHA512
ad5d295ba3220ad3c076a4e13d77c7bdfd60d4c7fc50f62ed77c3ea3ddf49d3aa174b73e448efbe6c79a89418f487508a40d0c7e2e55becda8ae837e720e81ca

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
d7334bb5fe306eae58562df3145db385

SHA1
b4821b9471604f928d92575fde2318bbfbfcc620

SHA256
5548a1c79f7ce8df63f65db5465cc7a005d46d3a55393b13ba8a2937df820939

SHA512
32ea4f47ddbf24ef9d9b347861c07c142a11481215a23f4e9420558b816b3c0269dee4ac065d3cfb2575caf01ae944bbc7273b52ca1fea51a7ca19ce67db8c53

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2e0b2692f739a0f39778182f67c2322a

SHA1
ef90a542616d34a1a7c85b5068dd977391b26c5a

SHA256
956a65da8bac170482bada67349f4a848c5da08ca951398f417c426169902698

SHA512
e466bd361e85e7735c27dab550c4f22a014a351bed8dab26f3f4d928450a7cb066596f8dfaa42a3616a27b85086cd26eddfbe9ec4c5503cb3e3c20d22b279f5e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
462d006b4ab5bc56bbf57c65eba545a9

SHA1
ba8634a3c9b71332c6e49a8fb876105f516633ab

SHA256
cfc1c920d0bc6f66f7012ae0c6a21317e6dfe41d8e6513c108109c786571f8b6

SHA512
a487ddb6cafff5d2c2587f891608a88f35fa3e716f7cc672dbc830fdbbef7cceba64c5ff163a3f90401328b95a5ca8864bc64e7dd747118f33b6e1c73c7d55b9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cab70c970ae016bb49eb97480ba62472

SHA1
77b76e5ced72fd50afe8c62c590547570127a828

SHA256
e1d0e3965c2e35dff3556005e5eec1afbf084284ee6f8ab4d0736f16963d99a4

SHA512
92f85b4526e46ed9afa06b98c563289ce5ca3a44010cdfe9579a948d6eccda6c1da3573ab0d47cd0fdfdabee131f2f04f255a5a46958df720d7a23d74d16b97f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
97a4d23e7d44b39dd6eb32a6b84d284e

SHA1
539e4644f313980777271b58865347842d34e87f

SHA256
afdaf77128c762ce4476855fdf282a84b8f47acfb394e938d6ee2827281d775d

SHA512
9961f4c9ec27e5bec314dd77e8d76453cecaf2f7bb40c9dc9f39aeb9c75a72b8b2ec4ed1b9e18778bcc51a15c2e0208876336253cc26884f8d446a0f171e6106

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
199444f6e38b70df102fea0c567e67c2

SHA1
a7c71a0db01c7edce70219ad1cc542b1faa4df0f

SHA256
c186ba0f3d061b7eda577a2b9c7e155b23c57645ab1cc5a94e28e922f1cdc43e

SHA512
3ec021de80c55dc086d1b83a1ec0e2d51278910c264e4e1efeb0f7791a860d9632c8c4ae49639feb7730d9cd7d5ac728e5a1df1f0d5fcbf5213393a651475137

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
e4d80a0589c4704cdb720d5f6bd302c5

SHA1
2e0a74d9bc456c10e16b802795b913aebdb549dc

SHA256
44e16f977d2534a092637931616e0fe8d372cf62f8bda71468aade8d466429d8

SHA512
ac45f31dfa477e82c7dd2bbbd9e5109cf060ecf6386699d5e89ba5a603445031b2240c5e3952c86093677ec87cd085ea30af5c3e3c7366657ca8d50ca5c564b3

Download Submit
memory/660-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/660-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1040-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1040-19-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1040-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1040-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1436-186-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1436-557-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1444-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1444-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1444-61-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1444-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1444-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1672-135-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1672-247-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1680-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1680-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1792-122-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1792-235-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1828-386-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1828-169-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2068-399-0x0000000010000000-0x000000001015E000-memory.dmp

Filesize
1.4MB

Download
memory/2068-0-0x0000000010000000-0x000000001015E000-memory.dmp

Filesize
1.4MB

Download
memory/2068-6-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/2068-1-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/2068-101-0x0000000010000000-0x000000001015E000-memory.dmp

Filesize
1.4MB

Download
memory/2452-113-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2452-223-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/2788-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2788-569-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2880-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2880-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3012-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3012-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3012-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3020-259-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3020-144-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3216-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3216-33-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3216-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3524-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3524-561-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4036-205-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/4036-560-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/4056-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4056-87-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4056-75-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4056-74-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-208-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/4416-90-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4416-89-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/4612-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4612-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4612-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4612-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4816-268-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/4816-568-0x0000000140000000-0x0000000140185000-memory.dmp

Filesize
1.5MB

Download
memory/5052-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download