452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
Size

1.5MB
MD5

2c63f0a5e4e0657c13ec2991e95badc0
SHA1

67c3fdc15d39fa8334491207eb2d7834ce599eea
SHA256

452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4
SHA512

7b6093faa52258a530b4049b038c7a3427c4c63239c0cff3958d09a8db69ba5d5adaf738ae6e2bd844e6da7c14193a49730fddb76b62c994f79ab04c29655e1d
SSDEEP

12288:Uka7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:TaCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
60	alg.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
4908	fxssvc.exe
2320	elevation_service.exe
2756	elevation_service.exe
3588	maintenanceservice.exe
3160	msdtc.exe
1440	OSE.EXE
3376	PerceptionSimulationService.exe
5060	perfhost.exe
3356	locator.exe
3220	SensorDataService.exe
4604	snmptrap.exe
344	spectrum.exe
3336	ssh-agent.exe
1356	TieringEngineService.exe
4428	AgentService.exe
3536	vds.exe
2920	vssvc.exe
1464	wbengine.exe
3832	WmiApSrv.exe
4440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ccc2846fb3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4518928eec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055039a28eec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f39f3d2aeec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c79362aeec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000501a8e30eec8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b3f7628eec8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065522f2aeec8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1037b28eec8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe
2372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3512	452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
Token: SeAuditPrivilege	4908	fxssvc.exe
Token: SeRestorePrivilege	1356	TieringEngineService.exe
Token: SeManageVolumePrivilege	1356	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4428	AgentService.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeBackupPrivilege	1464	wbengine.exe
Token: SeRestorePrivilege	1464	wbengine.exe
Token: SeSecurityPrivilege	1464	wbengine.exe
Token: 33	4440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	2372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2980	4440	SearchIndexer.exe	115
PID 4440 wrote to memory of 2980	4440	SearchIndexer.exe	115
PID 4440 wrote to memory of 2296	4440	SearchIndexer.exe	116
PID 4440 wrote to memory of 2296	4440	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\452d1e7ab8579e741d4f4594df6e35f3f8f64469140ceacb9e62ad6d60829af4_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3284

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3220

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a5a62864b017a3ff80c15d5c5de903e9

SHA1
f92a2716b581533345a7d38a5eea38110d9ea5b3

SHA256
4648f3bc2f31f8a6531bd23bccc92862544b10625bf55336bbba8b956152e2bc

SHA512
f73c49cdc64a1a18332fd51b529d7c0af65f0aa4aab2fdd5d49da9e6513d5a1f749024c406fcc8e94c54607841b066b62417e4ca31c7df3466b325bf0df2a26f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2ff530b1ea0b5126b93572d9162d6687

SHA1
aa144a957b053c8b0acdaee5bdeae9339e7c3fdf

SHA256
415f9023be68251be9ac8a9cda486d274088a99d5726063bada3cbad4e29ec85

SHA512
ba1060f402c9ed6e86043deb5152eb66def83422e6d4051ddb701a55df5f05a6993c1f6e90e7780bd370be54eefc52d7cb011654a5cc1a44967979bc0ef048f3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
6ba25ae8a270ecb62ac5018c4d64c3dd

SHA1
231c67fc64b26371be166244d6b0e92fd437868c

SHA256
65f302acf716d1fb71290f63f4a334efdc97a910547011dc4e24d9fe5e4cea8f

SHA512
01c383d748bec96c234f0fe77391db62332c4afa1ea1f0f9a8d7d9d2e0dbd9e082b3b9b7eca70cf7b0020d989f487ad91eed91de968c5e5056a76802962c4ff2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
85f020c5b86a50fa4d838bf0772bc39a

SHA1
45ad34b1963adb5c4cd04315cf8667409dab1a84

SHA256
98bcc758d8ac97c8d886ebb343fb750e4a78f0a1aed1bdc3dd91a2701d1b0561

SHA512
e6d95c4eebc8ff17de4edaa27bd2f4ec3d69d0daf7d4182b348559c2e5d0bca4caa3c6baf69758349531497a2678880f1ed54f884b965e772e7b3d2f0dac4990

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e040c1c0e400d2786350990e857abbb5

SHA1
f048d86d66c5ab5ebe811282c6defc46e5973005

SHA256
919f62967d4811ae624369113ae81651cbe77cdfbecb35615e45d99c1e7d684d

SHA512
dbb94f008bda146edf9000df7db7859124742ccdb8e0d873a537407121dbacf569f5f5605c3d0cfa7389531a2c1ac72c0e2a148be27b7342b0fa7508b6cc7056

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
e3e91482daca4f9199e077401910ff2c

SHA1
c7a24d341b5184bfc2cba019db58e08a75b1243a

SHA256
427342d82df8dcfa98481d3bd3a9d5435e6d8a257a77c60141b6c9bc5d2833c0

SHA512
006b4040e559600e592144afd9fc41be2153e356a8ac0cad13b580fff772b62029fe4d715a99ad932f38effb4d6c5645f0126ab3b6057f80d0d2486127c9ff3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6c017894c09ce32189508704e11c53fb

SHA1
d9573ab13aad5f6f7867ca7c7a968350a30922a8

SHA256
f12dffdafe698c2027b034f8fe3df8ebdca3f1d6a9056bc32fba75f545abf28d

SHA512
7db2181995a37d17d23f7c414e5ad90dac6f912e9b64c179bbdc86755f0bf0bd297a1a8782c076d4fc45d1e7c0475f5ccefc4c140da0c1f62a270162dd7aa135

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9d4a942da5f3b8bdfc37c6a5bae33684

SHA1
20766e974a08181603c9d643504e9d9b6e7dd401

SHA256
9a32f446751e92b4556f9b9c3d2c8c1cdc61239fda2fa031023aa0fad446e573

SHA512
fd722ec3008c179d0042f114a9cb2bb5a530ce4f8ae884972bebb24226dae0c70187946999622fead607c8ae6d6b0192441cc5fd9e5b8f3ccbf49adebe9dd6f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
221bdcbec7107779cce31df4b0d61393

SHA1
1cf4d767510ff57a86b5d35639859073f7adb26f

SHA256
d0e75199ef25a78d6fe47bf93d5dcefe487e721be9d09fb5304cc1785e55df2e

SHA512
4528905523f15c8befcc7ab560a3d7cfd4390d2ca92dd4e87e780182232fc7478b42cdbe53b39d27df1b0c782e87e39dfb228352adbf406cbd45e24eb52047b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c4c14435dda2300da611946d49051d2b

SHA1
84ad28b306a74355f72cc8e9f13361c0774684bb

SHA256
5ca4e3c28ed213a2ff814bdbc5685245592136f9b7cc3442dd23db4a1c8ff072

SHA512
5dfdd7b0000f91969a85b331d8c005b1a0399c027320282ea702b900ae367e7d1f6a910fddb1d6be51f3f5ced0fd68f501c37a546b47bbfb66b27a2b83144b32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ca97598749f1190345d7e06c44b6749f

SHA1
af2216368ea96147d0fa8d3ec6086109db1c72b1

SHA256
4f95682d08c618f2abfca5d5b49db1c219ba21b0a8e658107800fdd643575ac7

SHA512
32d9c653adbaf2c45a543e289e1067941232818d7b8b52f968c85b9c774748fe0ade74ff4acb91d3bb404ce22a52f498e347c443d7c21c7a0d6c5877432c69dd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ce51565ee3a1fbad29273e2b65b0e840

SHA1
c7137da70e1c18c55f17dac77c8c3ca59e07cf82

SHA256
dd5068230d420d799f6da9c9e82fa5a5437290352cf1b53b11722b33644ff283

SHA512
5f478a6aefdce51860ddb22de0f10606ea3931bbf64aece362194b8c251bb10ef8a4a2fb18b87c66287a9b9f061f2d3bb8f0c9f8d74e80f3e575136e526a7362

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
df515d4fbb696f4e4134497146a10728

SHA1
48c591874bf88652b473fde742c95e26ef7f66df

SHA256
b441aa7422b83fd933b320b54f78ea0eb7f053d4fb68c9b120b96a21f1f6cdba

SHA512
5328109aeae19589a47e901b8316be3594d7dd54d340e82753cf855e04c1abe4f86c10acc06e32325708c65a3ec5c440b7dd90a62c7be1f7f48a88f3e68a697e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
8d165787123fe32b5540e13e7276e6c5

SHA1
618f0efffbc997e919b3d35cdffda385ee1e8ec2

SHA256
51d2fe463d9b053b0600bfa54a0b95954273200b249298c46a5d0a01251691ae

SHA512
dbd96b5ef15bc8b8520e481863e827b80f96ec01cd62d8dfd455c4a1db3863e861d0527cc69184aa95709d823a4b765c4c14515e6e9475d4aacabb248952f571

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
db640a8f639f7a47a1346272d242986b

SHA1
2fd3895055a200bdcaa6186c4826b87b58f51ffe

SHA256
81521bc9507b9aaaf6ae4a37f09b71b337a8374ca20ace22a6d6873b32789b3b

SHA512
dca2562889fcf7dd50f5bd68fe49b245a749d7785212d42971389cf9e2dd066a9d05167fef1968f3fa35474e6ad9314acf7ceefc500adaa9202771413a25c43b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bfdb689bca4dc012c08d935e5fc1325e

SHA1
da1262a33bd4d74c46244ff9343added49a2ea17

SHA256
d8236f904d7baa10dbd62780c7128737393dc5e3e985ed2eef3c456cc84516f6

SHA512
527b43dbe36736fea301316f7ccf47b3dc62bf68ba77bd2b0a679dbfaac1714acef6d8311be2b3bd27978e920d158daff7bcad78e0db824c151d2c508d8dbb77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a396d5304f676f6705de2c91dc0bba4d

SHA1
f5630e9ec6d3d6463da34617ba48ca1a5dfdf5f6

SHA256
1288bb6a3aaae8c23e2a94ad176916ef6ad5aff86f1e660d67fd221bf67e327b

SHA512
1d611d6f12ef79ab0dc9e08508d8a555f298a748e5d29bd85f29a572e2e0ba30207500c5db9fb2e9d0b356ca4c927896ebbf98a5660516cb64801e40e46d9547

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2224c591392dac45498231768ce0679d

SHA1
90fd5a84cb0c565b1612c805daa959ad01df0dac

SHA256
f395cab78ab6f79661e7edbb97a7348b55ee9ba5d2ea296387df4d0d2d964754

SHA512
e79ae61fe4122610ff0ecb266e23f3cb53793caa29fb0fc0184a1aab6db167f75b7627d23e658623e665c4f77de23d351a2f669e719e48834ebb967f348b93c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
89a7764fe0ae66968113e3e595c7f44d

SHA1
7d25e66efa91f4c69acb1964a6bbdda5044d38d1

SHA256
f61a3d345684c63c01a92aa6bfba5bcfadf9f52c6c8a35e87ada77687ee8a0d3

SHA512
225d73eb75a71e35ad4caa0e22bf23f6b2e221162632c6f68c258995881dd4f795163e1512adff6a6c8bce037e04623a13602cc1bd7cd791daab095cc3707c50

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9a765fa99d5d0ed3829c8986b62d3427

SHA1
41f21701c1217b722ea11bee7ef689105baccea1

SHA256
dfe4aefaf6da61289bcc29aa9f1e4ba50a8e30e1889e8363fdc232464c00a4b0

SHA512
296f4d1b28ff63767d4df859fd707f3fbe4fa8566b719b46271aaa670e73557a0e46835940b548ba660f750b3dd5741140f7e3265459d7987668cadb38ec8ac9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
34594839f1042b57674934635773cd3f

SHA1
ec22845893774675e4f433d1bd400b861931fbd5

SHA256
2cf8acb8851f27cab9650d0db4ed31a9dd5f7597ae07081a25c1f10899bb1b32

SHA512
1a15809f5cc8d6ffab4039af9eb2455d3f45affd593d574e053da5a85a0242b7b29faf994970bb8eb63b6eb922a15305e56dd9ba326663aa3cc657afaa506485

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
fa9f1486ac040385f71737d3d43c9b47

SHA1
1f73138dc4f36cadd8d1911283c8c0b2246de242

SHA256
26e89a9e1e6d655dcd4bbc080dd0635a3ae18887f4d847f4c25cd34fdd52850d

SHA512
df0e5033e96963c3f62b785abff92de885c551a4f003a27c339b2b5ffc5a7a715b48eb0028071d36a685c8ed6f51ca095c3ae151c1f398308479cdf2270b73bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
43fefcbed766f5a880fd17c92d999a59

SHA1
0affb489da4b6a6b2a77af8ccc3e149112263dc4

SHA256
175620fdb62c03e475789f03accb2cdb1734fed1161e93b49664e6ec670b2942

SHA512
a3a50dcf01cf44836679cc289b2741b65d0c019ad7e47fc177f8c58a07f5f8a7fa6947a94c2d6a106a54ded9510c93e49b7691b021c1c70e5a44af43fa9c1b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ec09da0cb3bbf07843dcafe0bcb6afd6

SHA1
2f11f4678ebae2bd8e220170ef715dea3a6110f7

SHA256
67c54a2872880986747b927eb22399d10489469d3f5edcf7c41b5ff893b1b419

SHA512
a2ab3a3c6cfbbc8d2d215505b1a1dab9ff2424ed11eb4520dc401c9b531281cdbbc4c882e60adc7e1e419ad89eb44d0700757c6856f093fe38315e3a016aa768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
0bd25355658a7bf442aee2ceed072812

SHA1
4a1ff4a3a54596f640b30227014116c885733c88

SHA256
4a2872ea1bba712a5499672ada05f7985575ea202ea42f40b6357825997292b0

SHA512
6b6e1f1c8659c69461c7e5a22ec5db4e71c620901a11f937a2334784d6c223dca5a673863d7c1749fbcadc8ed909d2b2a21bc509c66f43bee78325043bdffa0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
e0374bc901bad2a0a2757bb77bdb9f50

SHA1
acc34df544391265f368910ebe9a7a40c09cc608

SHA256
bb3d5c2b485be0f97baab33377dc0511db8d5f8fd3ac407b7e884169f9864e1a

SHA512
3f7d741537ff824c7d4a0cd946414cd935c43bbe95c7a5114e2369312ea5c17db0b74a8e26ab860f9b051787da88dd43b67682f3500e8fe9bfd6ec4e3c4604fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
3918397a6f7677595db2e774600ada95

SHA1
6c919e568cae850c481bd933e250b8bfe0bbe10a

SHA256
12a5caefc68cc03ea79bc3ee46a4216e166ef6a69fe69c6fce5935ec05fa3436

SHA512
27320ba48891efe55d67cf17287b7ca3ef9f1fa7d5ffe3eb0521a202c71c92ccb67bc2609056f53762f0dfbc7d491e57bffe5dfac4615a8367c323e015bc7722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f15888f06c31affdd36f380c42da16cd

SHA1
f89f566a52502d42794b4ea3059b9afa8cb243d1

SHA256
fdd992ad502bace16dba5e4a972af930b271ebb8d45a01de56a147dffec17d55

SHA512
4b20a4a212013af9e6971e87287e8f52544a54a8791e5ac033a0c6cf30325237a2546564a98e0b3c1acc63c3cc4fbb85c00a22d2f0c6e88130a2bda6d209f2df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
192594e9bb36a55a0eb57f9f60bef9e1

SHA1
4e5b300b43cbe33f2c63fe5a720ca2b93f8aa6dc

SHA256
ab5da45f16ff8f9bdacd1f52e376c36a9330911000642be7312adf6a5f63a966

SHA512
6b598d224caf9e16c8c6656ca1f5b775549aa4b50ccc9386eb208a5ad48a0862f920500741d254e2c7e88ec01e5cdf7a0c110308ab5547ce68d0ea12ff84de8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
a6b929b7e720b3f311c2040f661120b8

SHA1
1117ee4429a86ac6f0cac3844460cc2ab8fa3fa9

SHA256
466f6ad681e7d6ee8551efbc170dd33923104f721ff206b859f23a807e25f81e

SHA512
1f47b260b35c08ea4236372cd09facb088f5200aa01d24ca656a6de470098c1c40ca90ead444a07923ab97db69e9831f39ace213ca153f7f5a2a4b990b3aa46e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
5fa3d1cc79f4800f887a03cf2cb881f8

SHA1
39a09f7d4de6afdfed3ee79320a6b22235ccf2f7

SHA256
c5f4d4cdfbf93ba4b0472b5acfadde8eef09966ac67bc48b06632c51b963fbb8

SHA512
28e614a28a11b41061e8a041c1c842b9d6afce0fb5b5373dbe3875243006513303444c16ce50377e1108907cb83ec8820fc7f1bf77e4468af9f67761b3986b2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
cee31ca51d4fab986156dac1a65450da

SHA1
aeacb297892a001c53f73afb677875f27b4deccf

SHA256
1b4f10f4e323a7d2a7b1d66d95b387e669ae1f5bacb481a6c4ecce9fb35fdae2

SHA512
073bd62f46a2428f03f5088ab2d04a75b3af1c7f8f80bf8ce2c875aa47e4afb0abf4f142fb353fc5c377758bf1802c5f7ffbad0c5ec5f266220bcfd701720880

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
dd2bbe09f169343ffd67a6c5b4f77ecf

SHA1
286abe16750d6068a00e1f3c6e58ba3d34817422

SHA256
8119c3f8bddefa273fd2eab31eb9706078851e23c16b20da3b71993fe4a9300c

SHA512
6184a3d6db2caaf50e7627a87affa23eb9a6c5ce63d254bacc006f81960f7e0459b5911517291d95b8960c84ef90574184a873290a00fbfa3e3506556ec66614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
45f914b0d8f2fdeffb5133181ae159aa

SHA1
602f7cab9f8736b952a398f8ea4097eb2a777de3

SHA256
1fbc90d7e7bcab9986dc80beecccb746407b95ba2b7d8fc9c17f3ecc1d5ec24d

SHA512
a5c7a3da792d97c7a9ad9624596720a577d93119d48a4460cbfc37b446a6a14decd2ab80f3f251f6bacbc6268f264e171dd7723a4af54b6e820e7841c96fa44c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a029292bfc93dc07d00d1789b213fc51

SHA1
8b95bc6f003088c3613454480d55fa3dc34fb4af

SHA256
153b021dca4033db1348910e89a8af84144d97b484588e82fc1de888e9620208

SHA512
db5ac6149bd62d439289dd803ff48b53833f6cde5f2f2a270ab54178eca9f71d4ee0cb2a2ecc1e2a2da797fd5bd5b4dd20e87ba3be667dde8c5964ef970bb90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
9e5e4f02d42777a648cd51542cb7aafb

SHA1
845c87ba35a31ed9bc81dcccb878b3fc0b02377c

SHA256
71a2e7160f219ce898d9c59f93832e4961950813d588af5ed1943047a879deb5

SHA512
7f3cc6c06ddb00755f26b7f1e6472ed7d6dc95d51690ead83c9307174af6e083d1537cdc9d75ca4965926043e46640a2aaad096d4f7eab020431621ec3ee8aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
bcda42f5fda29c7fbaecd3202ad1e4fc

SHA1
a7e7ec66c92a246afdad89cb5b0b792735cf2b65

SHA256
9773ef3ebebafe07bb2b8d6f5443e18136caabb7c4f37a42cf48e419a7362992

SHA512
fb8b3a22909804314ccd85b547ec09c2df189a100a5bbf05db753b11522bcfe2d35833d4ceb267cbf8d2eecb6263749b0be4a11732596ba5d14d65e3d60377f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dd5d49cf9e4a449256c5165bd959bfe7

SHA1
1d41b1d92c04b63ec1d16cb44b89e503f69bb99b

SHA256
4f30852648374959d1f3206f7930c58f3ab847f9c0bceca5c69fde8f6566107d

SHA512
595a1749a7132d0444ac7e60f3e5d1b56abe3d8711495900d3fdfa398530ede09da5ab199046a94023849bc8543111ee11fe4ae381245ca1b95b51e943d635be

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
1e1601072028fd84837f67d62d930149

SHA1
6c79a8cee757f722524f0e37345563340f3fdb56

SHA256
e9095b3e87b6b187f99595db8ef18ca43447d8e82e346353177d6008f00343c9

SHA512
fdf6a8f37c5bab95994236f88c26f13a85578fd4710c5077b6edfb3161aa17feb3a397c36d1ffd7a6b254e9cc55d1ab181e10b8cfa165dfcfef78dedf4fec6a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
b820e71bca63e3b49a1ac830dd6d490d

SHA1
8e1d99718db994e7983c2d302961d2d2e3ad8b9b

SHA256
515df912809aba705e52b5c045595db091106b619a3ac5c06ce744a18be86bd3

SHA512
40b73ad1c44ec4c8b355cd964b00239bb289503706ec0957b6bc6d2d98142d3a38b21c4fe7689c505531ff17d2c52fdff0fd3052bda8e05b7b4c64fde47da761

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a4a6b6ef98f8f3ea3cef76a6208ded4f

SHA1
9ae876f968a03403b9a99f6b39be49bf7984c604

SHA256
12391907d8e3c13470a3ea877175d5fab84ad0115e696c0e3333f142daeb1297

SHA512
5193afa0bb95d3a4d9b0406e6843e00b01808ea0120d53f97facb59c6983fb8ae88d9ff5a08949ca70cd9df8d24b33503be5c64d4b0908fc86161ab01186b1a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
aa51e2d92f6a7a8cdd43c567a8cf6190

SHA1
71552b73e1ae2ce62d4b8fe15bee964f25c017d0

SHA256
37be0b60ceb54a92eb7e646461ec12fb224db9bf93c9d33cc392de27c53cee90

SHA512
2c4646463083d0b1134471453596b58aea53c917bbecd2446dc57af5e71a81d2e0feec47318d4c50ac576bca58af09e2f3de86f1bdcc5fa9d0d9179bfcd03797

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c62637662684073a0960e29ac18cd9e5

SHA1
4f86a0bff4d11d5ee53c824bec5a8b5be1527186

SHA256
151e2cf891d0636fd0c9fcecfd420ba1034e3d1f06d8a4c43c3592feb2c442f5

SHA512
524cbaa404d26a895938336bb3e74e675e283e0c9b9c58b753d6b89dced3991bcac5520f4c11b1304a17773e5d67b077758d07e65763fdda8275bda1c17a7024

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
b38adc425429d4b74ae1776bca70017b

SHA1
3d65cce3af76773a11018f836c2eb8459c02cd7d

SHA256
faa68bb5a8b4a22e7dfc40aff66957081791a3194e44b75531da707998779158

SHA512
e8649dbe9cf0f3755a398fda8517aced4d0b89ea779135f0ec3646b9405a9067e354223e7fa49dbbd92b582d891e8dca48314a86bef0f544a706b88cce3ab22a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
cd3da2b347d8b95dd20446df9c8e7d24

SHA1
135ecf7db34b9ff93b96e535e43969cf21e75566

SHA256
2559a1ca8ed1dccb0708a3f12a51c9bd6e29a9623cf7ca04c5f894b2673290ed

SHA512
3312cd509fc03af5ebfa62ae0c3a6565c984ffd52cd00fcd11c9bab3b063f9f8596aaa0d45681a9741f4cf346c01c0129377ad7a1e1917912ec1472c495b0238

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
4c3cf38b1867d87038243b7d9b668534

SHA1
d6baf34cb074e4821bccd598bc8bc9369d9cde94

SHA256
85ddacf68c85ad9006ecd7dfef3505a6f4fb858291b0b24cd3a501ef96982423

SHA512
f0b56515c248fe79249c142387664db77ba5dd8a0ad876268d099f68f00181125a86c769a88cf1bdf08943f4ff8938fdb52639731f554c74673bfe0853a5224e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3cb3845258cd88b7e807936663a15218

SHA1
b7806142739bbf581f5d1b900aabc051a4de63f7

SHA256
61c556ef787e1d79cef096cd78e005241e93ff1d73d465b0b0d22ac62e624955

SHA512
932d47ba38150b629ef0ce0a53ba191a17fbed46439350cb4ec293df563a3a04ea2a3560ac43c577093d4ae39a9684cfd274e3fd6471ae8e2e207a73ac2f8afc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a4123896169d4e2094d7d15cf9e36afc

SHA1
f301403946367a147e6bcc2800255fb7041e1508

SHA256
20d8e5b7a123046465f2e43cab6d6a9a2939bc33c1c4f626fcd31a46076ea59f

SHA512
6558f5ee88dcffe38fe00932a784e833f51ea06c6d21576a231f01f951f481c7f2da70bed5199490b1ec1ec97dcf23abca8157126df023f0702530969fc1aec8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8c9c242fdea8a35ba37f48ad7e703b1d

SHA1
68fdb3196970582764c2d2cb163909d7af75616c

SHA256
3ce7ecfddc50bcb67959404c9a7a9cdd63355d5159c8bd36740c59ca2481c166

SHA512
376428747b8cc4ade536ceac37b6336ef3a6b214ad7809816f7457e59e78411e1cede51240769c5b0c9be119902bb4939624b7b3fd753a86223cd0dfc31ccd1b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
d59907ea587983e0b325a938134edbf9

SHA1
bd730304f7301273db1b1936c8819fa973b6dc54

SHA256
53cc070003174ff5f04c42b2e15a5306e6774eda62eb18dbaa782c8394d5506c

SHA512
7560d8a72f3160bf07ce8a3afbf4631f7c5da7bec2ec800c2b4c908ebb788875ded76b5324a2c077b1b1e67e9b356f13df0342e3df27e990286ea0f26d6050ab

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a28bb4a82798e65a3d5bd7d82ee04df2

SHA1
8196b599dcd2c504b8223cbcebb51b004e9a5389

SHA256
ec5fc1d2c19088c57389ea4803e924d46cccb062ae1266cd0a62c46ed95852dd

SHA512
17bac1351d7d6fec2a120c4d905e16206c34f090232344c47c1a83385a69455191fa0b5ac8dcf2ca473a8f160da7b0c25cd277abfef51e2d287ea37ea895faa5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
c573f6da2690be3b6257bf745456ac40

SHA1
1f7d91b8aa777b222aa58be46743477827b1b377

SHA256
caa6fe26e48fd9d0aa5f57856b6cc6ab80cdc07741ae441961c8e52cbe82d54d

SHA512
3ca2231bf6cfbef8f303e9e7c1dabeb40c58749a4da7b875facc9ce1b5d35cbcd852c711dc89e58d6a3f370d05f75f4819f5b17f65b0187f8edb94f4c89454fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7a7bfe14147b110895dc45cab676842b

SHA1
0760cdf612bca90b166c150ea51884bba0597500

SHA256
df1a918a760cd26c5b586386dd59425659ae6bb2f200c13fba666be79f614852

SHA512
841f004ad2ab39a8099575b751b7f4ef806750fe932cbcd5f331ad2572d68c8bc5934f2bf674b82d8227fb3a4cb6ab9bea7a8f5ea2db188081f2cfde69a1f5b8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
0f2ae11efd21860709b2aff700c33316

SHA1
0838f1e4d58d9965b2f85f27508afb45979e3ff8

SHA256
b17aafdb5285f6be9e2db86cd5e2360d3573f1fc53c605359ddce77b5a08679a

SHA512
0bd0da56a55f40be21167604a3e4380127dd1ba39df3a96f83e5a46c7ab372a3ba7ac6261a2c6b36180980f45fb3cffa7b126922496df4701fbd9dc91146fb1b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
10ce2974a6c8f80bf4c94e5dcdb6a232

SHA1
3ea75f0d77fbe237398711e13b01e6f60dce4869

SHA256
7befa9f285ee2b52bd46f1bccc87cc78693c2554cd623e9bf391211ebda7638b

SHA512
87f3b26bbcfb17b82c1714dbf465281def1bd36a55ee24c929b886533697a7adef18fb2d78b6c773da3aff0e996dee2e6be28f6c7873f7cf145f1319624607c9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
c69bed03db8a18fdea6f288f63678be2

SHA1
ec6cfd38890d49aa3c6f9db2f156060cb010e86b

SHA256
f3e04e7b6244d69299fe2a9c8a1a23da902ff24bd8ffcb54c3406be1305b95ae

SHA512
5884208a65b939bba1ebe410a2fbcbf3ef0c76b533fd0e363779dd8907f837ce3583df0c0b9252338a6e722759780f5daed5c6a9447f33796faad5735b961020

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d6056f2a74557d27a296fb72670c8066

SHA1
31f58aa4c4c780bb51ea922f95c7c35c1f4f2228

SHA256
63f8cc24a61a98916ca55e545dba8efa15c707a50bd3b4565da1df02a8742e7d

SHA512
75a97655c3b283b5737c4a0c49530bf0dd81b3ec2d51fd9e6590a596468bf5160c5cdf7838f17a5ba95f60a463016dee41d48149477323eff4f04a2f1844858b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
734baad47c481e942c3060ad6c09da46

SHA1
cb9c7e58accf026045159b58fa058326ab5695bd

SHA256
fd402aaf642de23420ed91843fe8ea190ed1feaf410d101ea2a6f59ef2a769eb

SHA512
9bd64ce5280578dd0913286196713862b5b73326f40d79578e2531ace45c0388425d2c348008a01a642ef29337ec2cafa4bd4205110c30beae9a55b11df1abd3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
b15b2b4a383f86ef8988ddf272b4f6aa

SHA1
742ffd5a5ab1b62ba620a77e7bd5c443f5c2c5f1

SHA256
e8d87124d30edaa0cba60076d3e0e13979c5470cdce833008ca6586b6f0fcf5c

SHA512
81d52dc711e22bbe91737bc7242b9c086b3f3682cfd6896033c3ae438e5e5feea38d5124022f28b2b1c416f591eb8be9db2588461a8dfd1fe86134b2fcbac7e5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a206f0d9dcb0fe4c86c9ffc48bd8ef8e

SHA1
f93441271c0bcc6e4c45145ee5b6cf2dbaee665b

SHA256
ce18c9ce6ff6328122d4b3b16f63e04b2952192b74045cb666fa6addc2cbed76

SHA512
460262d55931a8d0b2a07875e6de6b286600b2d670f09fa25f035f15a5f09dc9afa8af17d6217b66971f30cae15eda7271650a9f9e0b9ba2c6b6b4dfad68eaea

Download Submit
memory/60-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/60-116-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/60-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/60-19-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/344-548-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/344-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1356-552-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1356-198-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1440-215-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1440-105-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1464-623-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1464-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2320-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2320-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2320-52-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2320-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2372-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2372-33-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2372-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2756-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2756-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2756-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2756-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2920-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2920-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-100-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3220-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3220-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3220-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3336-179-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3336-549-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3356-132-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3356-250-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3376-117-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3376-227-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3512-0-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/3512-82-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/3512-6-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/3512-1-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/3512-399-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/3536-617-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3536-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3588-88-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3588-83-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3588-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3588-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3588-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3832-624-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3832-251-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4428-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4428-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4440-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-154-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4604-389-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4908-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4908-37-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4908-45-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4908-51-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4908-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5060-128-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download