8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
Size

648KB
MD5

0b893d0f1916a4d67516a74f9635cb40
SHA1

94704f7c516076a293121ffa81699d60732c1c12
SHA256

8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162
SHA512

83ed5b77b11653bb28c174827d3347c7c782938fbb2f66f28b263032561bcd89205811e88a218545833844fc2dcaee1df22a3062721599fb8e660f5398e20832
SSDEEP

12288:eqz2DWU8XI7vgbrWVQhTCYHvRktx/aICF9flefuKaO0VQ/:Pz2DWc743TvRk6NwG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2944	alg.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
4728	fxssvc.exe
2400	elevation_service.exe
4236	elevation_service.exe
4844	maintenanceservice.exe
968	msdtc.exe
3116	OSE.EXE
552	PerceptionSimulationService.exe
884	perfhost.exe
2016	locator.exe
3672	SensorDataService.exe
4412	snmptrap.exe
3540	spectrum.exe
400	ssh-agent.exe
1496	TieringEngineService.exe
3788	AgentService.exe
1480	vds.exe
3496	vssvc.exe
3832	wbengine.exe
5140	WmiApSrv.exe
5200	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60f8524b85dff9a7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daa930a321c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e55fa6a221c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008285cca221c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4c389a221c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000896992a321c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048d69ca221c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cfcc2a221c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004811b7a221c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c37bea221c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2784	DiagnosticsHub.StandardCollector.Service.exe
2400	elevation_service.exe
2400	elevation_service.exe
2400	elevation_service.exe
2400	elevation_service.exe
2400	elevation_service.exe
2400	elevation_service.exe
2400	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4960	8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
Token: SeAuditPrivilege	4728	fxssvc.exe
Token: SeRestorePrivilege	1496	TieringEngineService.exe
Token: SeManageVolumePrivilege	1496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3788	AgentService.exe
Token: SeBackupPrivilege	3496	vssvc.exe
Token: SeRestorePrivilege	3496	vssvc.exe
Token: SeAuditPrivilege	3496	vssvc.exe
Token: SeBackupPrivilege	3832	wbengine.exe
Token: SeRestorePrivilege	3832	wbengine.exe
Token: SeSecurityPrivilege	3832	wbengine.exe
Token: 33	5200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeDebugPrivilege	2784	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2400	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5200 wrote to memory of 5172	5200	SearchIndexer.exe	123
PID 5200 wrote to memory of 5172	5200	SearchIndexer.exe	123
PID 5200 wrote to memory of 3740	5200	SearchIndexer.exe	124
PID 5200 wrote to memory of 3740	5200	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8904bf4de440af1a355b2bf669d721d22293569141afbffc852c84cd4e9a7162_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:332

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4452,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
9d80e1add7613fff9205c42685079c84

SHA1
f2b4420950e127c73d5c739c6f18d0fce106471b

SHA256
0fe07578005535aee543c250fc6f32d5a2b847faebe0eb2b538b53eadbb8ea6a

SHA512
385c7d0d967805afb72b7f4ff096fa2c2ad2d485e10ca164b442b8bb796164cbc388bf4da7cbde294315fb3f8291fb766b7a96f5b75469a15eee372cc9e443ce

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b17ac24cab3bcd8008dc307071e337d8

SHA1
200b5d2f8a59e56da048b07eed56fb2dc1afcd90

SHA256
c89aeeea4c0e3d9e1fe506c3dd806bdf111dcc7553ab34d685623f91ad39a974

SHA512
669553fab8fadbb759f925c7f12429878f0689e29febda40d8441bdcb84b6411adfaee6703f14f25294c29b41f3335f146727f3f8d4064f2308024e6d623b20c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b57ae73d81f520bf4e740ff6b5274126

SHA1
9271263399bf67848da193dc3d6c28117383e399

SHA256
19925c8afdcb24dcf0409c72e9371156f3f18c14854f0bc7d58dffe6d3a9d0f4

SHA512
f879b5aaa96213012edf98bdde63b1ecb5691b93155dc5b2d3954ac3b980a89cf25ff6b9c38a3063325ea6fd1474e84aa710d34b389cd06e01e3cd6a9ae9e3cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4ce5a867888908c2099bf3d248b3c88

SHA1
584ce9f2bb952b151e4146059617143cdbd7a33c

SHA256
bf08c5e9ea52e4b040cfd55950b870131e5778d356bd3bebe2b2b98fe2419eae

SHA512
c075519244b791b3d2c2a06b74a1092b402561beeadebd5ddc9a9def22764cc95d782dbf503d0ea164a06f8534dc2113076d55fce55483a9b87031a1c3626d1a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5576771990520ebf9cb124420a6dca4e

SHA1
85148c2908fb0fb3e9d3e3404adb3a74ddbd7f2b

SHA256
539686405f090e4afaaaa105df79f40cd964d2f6b4329f191142e9f5ec61b4dc

SHA512
3ed8c124ed1d492075c8b186412c2a6dd70ce3bd94ebaa51d8bc6028403f9c216a86f2f3e08a285e914dd3f67228679ab3741e15251b24e3dde48d0191008a0a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fc3f9358e9fd6209905bb08ba6c4803f

SHA1
09a2c045128a9cc4d7310a59702cdc14eb39f967

SHA256
e94577fa65c5460943f831aa8afc7746e1fc71fdf0598ddda20bc674fb9083a0

SHA512
84a97c3bf86a3786dce47605fb1c636a590ab3c556d664586ebe98c5b6b4827d86dc50453b63b1ad91d0d61605fb6972d8fcd0b73e2384d2fd822ca4a2ce9307

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
22be2a3403b8db6f9831f9216c202654

SHA1
7d26e008f66140adaed95ef732207fa4da02c9f5

SHA256
761ade8dc8381d50f4afbaad3ee6a2d40ac5e3db5c0ceb69f5879411cf5bc217

SHA512
75ee3ecbd45dd06c1850975a14834f4a57b72fdcd3d9e9e6f39a90fccd68b6bf74dc71c0abae454c088c7cccfd3205000d2fa94dd5a018572ea945ffbba23985

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
70b542b26a4377b4daadc4996e644efa

SHA1
15937d2c1ffbc26c8d04b722220c8c1c703927d2

SHA256
199c0d311b2235ef0e39c03de3d4a6d24e1244a842e86e97cdfdc027a7e46cf4

SHA512
14f5d0b51323d614c134b9fa4054be0c7665f11cefe927ab01816e937373529755308cd8eae45e7a444afe621b3530658119e6ad3cd09717b3456af357f8d952

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
71258adeea456675a3face3c0e5d45ce

SHA1
6696a24195b3ef27d42e56fd7fd3eef648975afb

SHA256
3b2753c14ac7cd5450641211e063d19663112756f1cbeaf45ac03cf4adcc645d

SHA512
39ff8e5841ff808c4a60f1a00f6d6a15eb9525e037639763247be2e1059a31a15af4388e9420fdfc4f908bef7d260c9572ddb066539e64a5c06e05b2df34a883

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7dd99d56fef679f6fca3b1464092f8c6

SHA1
5eb19090a3c4c4d20fb3f1aa2183dee5923517b5

SHA256
32a0679557a7dddc63625b4dd7812a91afa0c7480ec217d9c5324ee138cd6dc8

SHA512
fc0af376d5a5975a6e4d49afc053efb00078edb09ea80ba0500ceefbcbad6651901d5878be761e9998dc7245de3ac7c30a86110ecc57564933e4b46fb0676bf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3b054ddfffeb09a523dc8c61dff652a8

SHA1
075d74f88463ecd2dc923e8b813dbb7845aa3811

SHA256
73f20c255aaf03b2639668021fa9b87751b9c6d8b3bb1a08488ef4ab65aa79c9

SHA512
76c04d747a3234346ce501e4f86270250f902d06921079cff79c6aff7bd597bfc1b1b26f36922eff5a4efebad5137bc6f7e7d5308da0fa5436324f9c16d9527d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ef3a4653078177822bb3a45e940179c1

SHA1
812ec33e169907eca28e8c554490055f2f05f1c1

SHA256
c62af671cdb808d58fd18bbab758a31b7b146445d00e67b3fa80f41b5862cc79

SHA512
0808b131b842afdc1bd9b07657528efe6059069d85cf98432ab74443613fa20fcd46c50f1f6813ddccfcaf0b812a22974934a19106ef4c29f232236ca0db74f5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fff6abc36240e90ac6da809cdc71f0e2

SHA1
97b6139f04b65826eadbb2ba50bfcf04eb62cbbb

SHA256
517c231b5fa6a0e6cd68e5dc30785341869efb0dea182baaec22315e0e2fb3db

SHA512
401d28d8e47a98b8c9fcb40a9b01fa4aae9bfd7ea8bce911c372d1f8e5740f5c540bf8625b8cab02476cd13e956446e89b128d634044de40a3d2d61dcb244ea0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c854e28e7060629e8974f40476617e82

SHA1
5ec9e30a71619843d77698d2a99f67538012009a

SHA256
8789fe1600a4b2127b58def1082b9434d18469762efb813ca2cc410027848083

SHA512
28d5061edf95af96a912d6f6c320542968dc5771dcfd26955784da71f4b04b7be1f9af0d4d5782dc3f092e2e47d5a05d5cb976ab941af27c73f911a492eb5d43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
31d49345855d9201b291f5e151ed1c97

SHA1
9930b526d08e88b26097bd302fcdafff971e7fda

SHA256
50069079a6a1ff48c15b881be90fb270479984b53ff22e6b7af221afe07cf61e

SHA512
1304a3aad3c2a163a29b685b03c7ac5529d7a5ce0cd1f967f32dffa73f205df0f4f555f8f3432c283d2a5a5db046e1ae7bf3893b83f5c13885214dc3d8ca561c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3dd3527d2a8a87783bed7267a5366b29

SHA1
0e8056faf4da8bb77db992ca37a3e22dfe52ca4c

SHA256
cab0b2e7487c4144ca49a02d40c5f993df8f50dffcf9d3a63ebc89ba5b1b4fd5

SHA512
dd5a910369f2864254689ce2a8527e2f72844e3c1b0168a2da28e36b5415bf62d05f9eaa3ba0e8b627342ebc08f04b6f6ebb3613653cdbec33240dcd37dc05ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
78bfec1b6dd843b552c2106d2c73303e

SHA1
64636a08aeedac2d77e45bc04f2f4b6b631495bd

SHA256
9c23ace3177be4fdbf752459cb086849f641104b01b7b31a497d52a29ab50123

SHA512
51e8727df98c78c6efcbc379119eeccb3a25a5e90bd7d9ba64d5ced8b0ee04a6766412ddcc1ca8584ce5b54a0648fd5403bdf784a59334d273a3f45b757738bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
13ad492dde84f47b9caedba15e53ebc2

SHA1
680dec3104bda0fdc96e0204ad3ebfb823df97e9

SHA256
f2041703e869bc39ab91fff39b70bf15609bb6fd1cd63974444cbf7d91450c73

SHA512
e00cb26fcf7cc0438efc3e8d01049f808cb5bcba1a985dd6146b9dee3a34a394a81db7041122fdb0744465f9bf20a1136fcd5ee5aafbeec89a279c2c597b73e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
cc91dc0c6c33d224084294730215498f

SHA1
b70ff18b4611278b926eeedf3eb4340e76d49c59

SHA256
ccd6e1eeda7cf6c63e5fe4ac637c907449436ec4592ca03b9fb9c1a6b4e2ce16

SHA512
bd837fc35ce239e28675985e773bf68293b268637845632c81d10e895007b7ef35adedaa5fa8a2c94c7e3c087d4c821df93de4ecec783183ecf59718a45b1eb4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
47ecca32277ab8c62edf2c5c08e1fd76

SHA1
45612b0c54c3fc60623fe7d81e13ca11ff00268e

SHA256
a9ed4bedb04e01a90c4b6b4c6561b0f26101f6b94abe636cc1077a9b811409dc

SHA512
1a4f8657275394e76b5135db79d4b403dca748bde193edf80b48629a0f5d7d61c62878dcc7e8da61ec28028d1c97d914d4214e7d0d59fa998ce9f8a5fb06733f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0a35bcf8c6a2b3c528d40fc6d4bcee90

SHA1
78dfa4594f438f4d087607baca8e597836922837

SHA256
852ff563bf4f5c50ad1305334ce00b9086a3a8f7776fe9f635575925e9861c1d

SHA512
f7b0f1ade5748d530bedc7af82cbd4ecf8a819f6b89b25d8bd419939ae2c1ebeffdaa3a5a1f3185a282502c5b3446f2c5d33d10dcf457a26d4a60497d845cb87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4332c18e7e38937ab8d794e16280d693

SHA1
ba93ef7a6cb6a63f9b4aeb5fe1f2f99bf8993e0e

SHA256
d2f612dce16e3bf37ca9bcb593e591795824ccfb25b149a58568aa667d47b61c

SHA512
6ff1c6605592b140df24ca0eccf3de1df0a1e3b4ee52218a6aedef4dc2d8671b60dd3224b3d19469e09450ac73eca913fbfde8d9b00e214a717e12fd2af5b3d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d2c29db8adc08391b86ad167bff333ec

SHA1
a18cc4a076b515ccdd538203de6d040d1cf3e59c

SHA256
4c0d7ee84eda1182388c3ccc3b531c74c6d51905737c79c142829cf303eab77b

SHA512
03d10dfcdf08ec1a01a6eb4af55a2d672ae94b6c55b2b62d5503aaf025ff3a6436c8a5a7cacef8a44e8a010a47449d513c7529bf321d438d8ffd2365a047f41e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f385a77df0e1a27ece5265ec062357f1

SHA1
1e86b9c7e8dae2d421f9d8793a41fd085f2ae214

SHA256
9e9ad9deabd529856ebc993c9525a5ccfde7e53130de549fe33981a6808beb95

SHA512
df579fc2ccdcb65e3c35a617534ef44b2fb88d025f4f16e87b861e573f5a7df51cdc0ac2a9bf099fe47d450a08adcc3f0c1a2866307cfd4e26440e1aacac8203

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ceabf444a136253964587b9f206ee8e4

SHA1
eb07df803392ab564688e4a2d8b384335c06b6bc

SHA256
d72e941600a36d7dc3cfbdc688387cab652dd2f86452d830ffb46fa60638a98f

SHA512
bcbd10e3d13035331d460cc350e2f6b4340ed11f680d38a515b36bf930c72b2b85044910f4ef830fad89f1010275a510b13742d4b4d5739545fdbc587203718a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c1bce60c5a6dad93bb53a3e32b5f4256

SHA1
9163f793320a45131968222927847ce81a9a7b83

SHA256
f3294c3c1cb68434652f7e526b3b59379f59cc4f4695fd4fdbef159c4a7bc461

SHA512
9c86a095b7b93dd4f22ba9cd2a436fbb832770cd59aa0392e9615edff740285a6d510f382e51c6cfd68aa7e0f7b0418985869c922fe751076d46cc16196828ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
968f6db8144cfa8ea32198dc49bb03eb

SHA1
af4d846917dc4b0dd4678d062c58fc3db23f2e6f

SHA256
6616550cf5f78744dcc5560052da1424cb1f684fd3dc21e1e24a9fed53c24f6a

SHA512
df7fb871cdb7601d2e4ee8bb5c9a9538fafe0dc5b6623f99f3cda2e91fbafadc32215ddf065f38e195b682e0eff50a6bd9fd372062b53d4bda0478df99e5bb02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ab7b3f07e1a67720c3e646510dbf6e9a

SHA1
92f5d811597ec12a46844f4a45bba9ff9d475afb

SHA256
0a84208f2be6e2ceb88f274842b5b3e80387413d6eb685b36af97541ea221fd6

SHA512
15b8109ea7071edc3ce8ef35ad8ecc8c4f9337665767081e4d7ada7d06c7d23740433b10d1b7924cbd1ff6f15500e87364eafe139ed73f192a5aac5b7e4830f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
52bab04b863a22c26a9071f08f199c83

SHA1
162ee8acefe8de79f131e30e406f10ee4f5e8c26

SHA256
f51dbdb1cfbf1f8cb95c90ade11ab75b20b88c8e4a68c7d0c16a8e2484e2bdf1

SHA512
397529cc154b73b9ccc5f3d71ba6ae66f8362fe0c10da0727ff3565f4acc2b3f791eb7c07434a873b8191fd67d7c732ecb7072c86907735c476d41365bf21e7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3da372c2f9819e8401aef689fbc27faa

SHA1
dfb83a7e922c81ad2917932aff29fab10a8bf3f2

SHA256
a0e95b82e2d804784d3e3edde3037ae4e512e184c8b38e2cf2d31f2936083d23

SHA512
2d625925e9b1494bba98b3788d39925637bd66daccfcf29a8a1d991b1e5e8f38f85ba604a281d088b7f9c6ff16e40c8e2474c83de92b468cd1d02b5efc32b9a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
27cb7c7a8aedd4aaace9635e5fab015f

SHA1
d560f0b8a6ac0c8854fdfd11559694782e5c1c22

SHA256
a6b2386345bcb81db6f20e1649bf17ff2498e71d84f42441aa8cc9fdea6b5c4b

SHA512
7509d29d2615ba9ddd0c0a8e0b157c6bfefec4d12b1ee20c91b03f0dbf2810763ccd685f997de97cbcfda9aeb1b1809253006350ab3690b169bbc5cce216cfb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a5fb94e1512c3d80646b79fe5a89c84e

SHA1
098c0f2465c37bca39235773d0abbff6115edecc

SHA256
ad1c3107a8a0fa71ed7b36cb4a24f8403c0ae79890f202b34db0416b6bfc8532

SHA512
b6f4b7b06591032e510ae025d44db43e852f997236eccdf3d8858be1794469507c98c518b5b50b49e0ee4442c0e2cf12bfa88d2b37f25b56d11d8753c20f6ad2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
134a62798917b8f5e172105d9e661e54

SHA1
365dbb2a97998b5404e9180da1e15cff42763dec

SHA256
777c6bdf2292f5c9acc5814dbbf3e3d5a70301cea8d36b8f5fd187756ba1914e

SHA512
4020c39ee435464a51f619e29945a35bdcda160869e0588d16d179fb25ca30a94161ded2f91cdb508c37070de63a8597ec93e3190cad6e80da13f499d81af783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
016eff18b29468923b0be445ff3b5b50

SHA1
e0be1a45a7d0a631419df599b10255f82668562f

SHA256
671d494c4c7c682326246d22aac271071456ca4ae3b89194d4d465d4e1b4a2d1

SHA512
4263fa8826ae8dd240a94481af4b93e75fd9c3a2326e782581ff32bfbf900e84f406e15137154c04c83f65c07024daa0cfd8e7c8a7cbec74cac3257be25b682f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
64f7d14448797723696ec8876c8f1d28

SHA1
741c5e45c3486b1ece0d3004ab4ba607aa29de32

SHA256
17b73ae7644c022a179762188fe7d60210f82c7856e14a7cf460593a573d8d41

SHA512
4003025728c5fbd197bd5101c1952a8691ec17e6c39928ad29eae58751d17685a95a444d07edffe96ecf2c5e5a6fb83d39043e3e2950db86e558841a65bba192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5d5a7704e3f40321a3276cdb0b42c920

SHA1
e44136e0f2eb5f1b47a0eb62ba82b7410685902a

SHA256
f7526bf5c1691e7037c81ec27f6df2d6b0a976bfbaa61a550748f5d2a335ddcc

SHA512
3245f6fc7c921e4a2e6b5e9e4ffdccfe48d65cebc65acc67c9ac4250ba1f5ec1b697edf7cc08aad04e15cfa6f581a5cb6fba616fa24b20ac39e8e20839048453

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4e38388a8d17a8ba3e30ddf1c3e433ac

SHA1
fa908a3531f113f0f6198c1c242ccf83eacce60a

SHA256
a980bcc139621c315791eac54ab3d23a57a50ce7347a7c4dffbe5ace2f15ae2c

SHA512
949809e8c367ce5c3bfb54ef36a5507a6a3d5237d033e8c3e526a3c68ce86785accb40fd1f67b4669365292de813a552e0bc6bc0cdfae223bf52c926aa439d30

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0a898510e04799baf49c8d74ec61d71b

SHA1
ae015faa27012485cb42889f7a619d11d8ed8371

SHA256
793b1718e3c997bc0e9669e9424a5816fee22816977a1f6b59d641d2e0a2f336

SHA512
30a3fd47cfffee45534452a066650d44f1518586514beefff7088ebbca91f9f7d8c6cf992a6fb267a50987caee41cc69713120f9fa113032bbf1f5575356e4fa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9dc224233fec21410719a51c48f3156b

SHA1
049c70d2cd96f124f1a7e744e563c3c865468b8f

SHA256
44b3a5075f89820787e958c2ca9a86d162a8cfb146e69380733f1d6dadd53544

SHA512
c6ca47ad5078d9622d126a93b639406f728ade6562e459ca6a842907ed0414029acf87b92d91defb51bf6cbf14042d2caf937536b4d24365644abae7a2a051af

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
185d72930794f4ecaafe56e17bea7559

SHA1
33985a9483b6694c73f03ceae50c9bc134a7f47e

SHA256
b08409883e4b96e85bf8220a23b24c3874d221d9ab82890d6602d7f64b62bfa4

SHA512
e3d6b20c90450001e68d278af0388c3d8825437d5d213037b6e2f9d84df15c2870a73f31ab4d974e2774fff242ef867b6f30741ef7fb70b1cf32fe85e80444b7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70a11a0a9e81e024776604e4af0870fb

SHA1
03662278ae5d32ed64cf8609b3a863e2d3dc5f72

SHA256
916a658e85a726bb693cef99f34d8ed5beb24d29dd622e054bb39c0d1a80a1c1

SHA512
59f515972141b09408b9771cd9460df9c032563d31926a53331af4de3f9b1660debac474b8a76df5db8ca2743944c6976294903c0b5f12dbabdaaf0ac61d31a8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9ee16023babfe789a80b21d131156b7e

SHA1
844a14203055a9aeab85705ae47d59670f0bea83

SHA256
06d83a0ab1e064ac94ed489aedb0b997c53c6659524041390eeb27f4f3e596a5

SHA512
a6eff619df95df4db01c1527594031d26f95d5d62ae7c4eb455e6ed0fd196a57959bf50e970a1e63d813ddb60cf75cb20367826490f2a60b0039fbf1b016676b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2d7cb7f0ec78d780342b244ec1dd912

SHA1
2ed2a183361c4b5a2437db508ead4b881c9da7f6

SHA256
98fa866e01e74474524946960a67b79fac8777857211663ee4e5966f5b58bd17

SHA512
772d156f965a90752da0751d0247078cbbcc4d4b8ef884476d184bc078d61f33c4f78a76a6724ec54643f8da3dad307a454932e23ed206b088c3ddf0bd01d0ef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
06e814a0275421bd0cbc3b7d3399aaf0

SHA1
13eedd2325fc751d801123a2eba8594b7ee6b675

SHA256
e93f8f85787f7085491f7c887241c84639f0b8917659bbb5affec80e77752d2f

SHA512
fdf48f9dabda93b7731e162a6e046c844a8a25c4fc7897b7179906068aa540bcb1b30713c7ec3ad6c7e13556a9b38c594d6305d1fbf83fe7e20034665731f073

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
267e75827be4abea708a10d69b0388bc

SHA1
8c16db2803ce54ad65a3cbed76a5ff92755dcb0b

SHA256
d28221d4a194b868aed3ff5fbaaacf3ecb56a7b219b91110202c8acbe8d20d07

SHA512
e23049d93f4c6e6f8e19840e5b00863e4fd1cb3e0d53762834b0b7b841edf4cee02fc153af7355249132581b7681a6528b0bb410b42e2b145831e2d74ae4eb6e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
78afb72cee7a16c463cdeddb1484b23c

SHA1
3f5e712fa05c6af37b5c650f83b85fe4f0ce4dcb

SHA256
77e61cb79ea45844c223e8776054a624351c3079540d98440ad4475fb2bf89dd

SHA512
f7d07a4b01ddaea0b59bbfeea3722284a0dae272efa27e985bfa11b6659110365bdad0b3960fb167bf2b201269187938215c28c475d155313fe20eb4d0283351

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4727680e053999880e99f84f2cbf37e9

SHA1
c9c60b520993c0cc8d6885c1397a6bee530e0040

SHA256
1d3a5b8ec347898a366a4b77b47836decd0a899fe6d53ff15b3e000ff1637421

SHA512
e3f4b37d3cd3c3dc801386522c8642cda0a53b3f6e1e3080a9f50ec01806876680f3f887ed5c26f520fbf25f0c5e6a4b28d9024a1ec2b841a7bdd68784d650b6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
13a5542d616082d1f39df7031e82cd13

SHA1
4d66a53474da72e5c58c93ddf5fa7370a35603ba

SHA256
3689383c81eb68a15afa0ab22dc9bca8136d891418d4daf85b384fb848370702

SHA512
cb056dafa1e12f928aab0f3e9daa4af8c6e9d9224a3405328a8581e3b7bec0b92c145a8bcc378723d827c1d54f63cc3a6accdf1bb83b36e96fdbaa3b676be127

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
61519fe881c41482d6eb9245dbd74cb8

SHA1
ea28076ded44ffabaaf27f81ce02fe454750522d

SHA256
e4ac555870220354ba83ec7bb1f0db8b78875d8d646dacf9be6768b4e89c128e

SHA512
feeadbeb236b0be3c033f0f6e48d5b75fb05cabe0e9f9fa28cb02f0bc1b1501fa9ad0f040a1ec19e4baea134aeafdf1a07c272073010ea8c682e448cef727ce8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2bbb56a4b65d70605f10fe0247e844d9

SHA1
e9ae4b8609399b7fe95b59d00e3eca74b6e95724

SHA256
81aa167babe4ee64a07a92b2c9eb115183e96a244bc251b90d7715e643d80e4a

SHA512
826382d784166a09b71e8643df089836e5cdeff65be9787e59984074d759819af7e47423bd7430c3fc1f3a769b76aec946066d7edbb9906e883aa6ba387edba0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d914e8a8001ffe21cdad5d60f56b4adc

SHA1
f8c36aacb4ba799fb350784aa7dd2f68a1aebe9d

SHA256
47dab624dbab2996e19ffdf4c9267452a4894938f5df1478c54a3c5d2a99f7c4

SHA512
047385d39975cbf78533d2095f2d58f0fd5c74101d562defc956e5bc450536b2b3755f04265ff9a76d595f9e73ff9f692a3997ce0a244c8aab06392f44a29d6c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a48e5abe78ccc723f8305a25de930bfd

SHA1
52be1fd07936761bb25f7fd809f7d586caa1dc39

SHA256
803eba778cb69afe1935f60ef60aa56ad34390031bf3e3bb50645aa1434e5592

SHA512
70d8e1ba4ec5bcd06d609df79c58b88c938418387fd1c797677d613574706e7d9245675599158ace6c6b1ff962fc911b4b91bda6bf2038d36e39c5cce8d8bb05

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cd205eb9ef6a339b7da74274f1269df0

SHA1
bcdbf63c0891b570e493a3276a34c0a354b77a70

SHA256
5b20c67b7ecaa4328727e1e9fd34f00621524fc53c643b1fbee080118004a39e

SHA512
9a07cc050daaed420403e6405f094e4bb69a11e1645567d925f096570e1f862d3e6db9abd6e6b6ea0233d22ec541821cc977a96880a63e986947acd6e7c90db5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
069d6cc7faa062395622a39a572bff41

SHA1
c0c285b3ac75e027eced7b801012a39cce3c74f8

SHA256
dcc7c43dd74b1f828bd5cb3685b54b13f7ed16e1f415eec2e9408c4883a968b7

SHA512
4956f6008d517f5c871f691744756c593847f5ca7890fa617b6192af579f5cbc789fc84e7059b017b2b240c6aa094b99fe7c61cf68d2f0a32d36a388720ad8b8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0fc7d629474e4e986b010cf18504b12d

SHA1
4047999bd2c48beb75afdd1ed97820870cc8e786

SHA256
b521d3b1215c89de1c03ded76fe28c03f40e73ad34af5369aee5d0d1e3ad29f5

SHA512
03503d45b95504173e9ad6fdfdf201849a64592cafb49590c7c885829e4c8136e1122b952c8f9aa0cff53d8e19093434fc609e2e6e7c575ab49f79b9b6527fbc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c941065c9994caf17bd9c12b1ad017bc

SHA1
1ae3d22526c2407a93ed28bf8ddc1fe83d0f53a3

SHA256
b66ce0140a08be6706ec20d4d6d6758d35939f370e343a1229923e4351e82e8e

SHA512
0ea4d7b44a076e0fa645bbfd452c6df4276a1c4787759ec1e7ed67e3f7b22902d0aa5ec5e008ba752579102fab7485baad7d49ab940a941f5c261464ad97b9f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
be9bc57fcfe5e8054140c4fd0cfcc642

SHA1
9d249d79d26db07712a279335f3a2fd3aa4219f4

SHA256
b694cfd0fe31db482d105da5d094d3bf0acdcf1a6293fc5135c28bd27b590ab3

SHA512
ce6763e2a38b40b0896235a92439b72cc6fe0708d9026b82a226e4b33bd72032e1d7c068bc547c7b499e0c0ae25481cbed3f5e7a43869e887da1bbb8b5759416

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2ed5323f232f10c15cf8502dbe1bcc1e

SHA1
b3bfda3c6462e12ce434b80bdb9e4638bb51f3e0

SHA256
e918afaefbb204ac28c2d595152c297abe7e6cb29159c7f13d44b7ebca71cade

SHA512
6239b6bca408daeb9fa7530c9be8dd80e98c04c60dec2f0975896e79476306499bbbf5665a0c72acfaccb756e014d22e82350b6d0f5a2bbad60121f0b635d8d3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
dfa8c37b96bb9aa330187c775436fbb1

SHA1
3b0c49d17cb31dcd1a2a2be02429ad337434d9fd

SHA256
db9c93c225f827263c3ff79ed77750c61f5d76f441257ae47352cee30db50979

SHA512
60bc55e6777f02bce9bc7f2dc945864e2b06cabb6c857033353328cd55001494e11b3eeb6b518ebf97da8ab6c65eb1d3bc8ec3a86f2ee8d7d64d19e19792bc2b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
000a2acab4ed3a9c2c26ed2501d3f2fa

SHA1
f0c9444ece9654213e8775f0182f80dff81c6c8a

SHA256
5d4a0ec781d424d4a13c110a11e43ca47112155239a2b4a4b905c9f0aacdf09b

SHA512
0ef61170e029941ef926e9485ab4e7e071f2777a169a26d423288843ce45794ec1082017d775639c1a35a1c42f1bcf4d196d30a22cae8217910f0ae2197e5402

Download Submit
memory/400-137-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/400-529-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/552-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/552-97-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/552-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/552-91-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/884-164-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/884-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/884-103-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/884-108-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/968-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/968-151-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1480-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1480-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1496-148-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1496-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2016-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2016-168-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2400-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2400-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2400-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2400-131-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2784-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2784-18-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2784-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2784-112-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2944-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2944-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3116-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3116-82-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3116-76-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3116-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3496-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3496-534-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-132-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3540-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3672-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3672-408-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3672-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3788-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3788-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3832-535-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3832-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4236-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4236-136-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4236-54-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4236-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4412-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4412-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4728-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4728-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-67-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4844-56-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4844-58-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4844-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4844-64-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4960-0-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/4960-9-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/4960-5-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4960-344-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/4960-71-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4960-345-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5140-169-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5140-536-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5200-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5200-537-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download