9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
Size

1.5MB
MD5

0488a9613dd19dfbba77f39c2c351e00
SHA1

4b24f20a2a1f2fcccabffa61b4135553c13431fd
SHA256

9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9
SHA512

6addea7f00616089d75a6a8d978192ef97bc3f16c3c7bd47426344358948165e79b7809943f63b845de1ebc1568c5c5573bddb60c9d25e2a192b9c1d48348053
SSDEEP

12288:R2BTduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcMi:IBTduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1240	alg.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
5044	fxssvc.exe
456	elevation_service.exe
1184	elevation_service.exe
2980	maintenanceservice.exe
4156	msdtc.exe
932	OSE.EXE
4584	PerceptionSimulationService.exe
1596	perfhost.exe
3288	locator.exe
1408	SensorDataService.exe
2584	snmptrap.exe
3168	spectrum.exe
1980	ssh-agent.exe
3472	TieringEngineService.exe
4396	AgentService.exe
3304	vds.exe
3164	vssvc.exe
4756	wbengine.exe
4976	WmiApSrv.exe
4532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0c0dc1ac3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071827e3e5fc9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e0dd3e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d95d583e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098f6b23e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9fd173e5fc9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cfa553e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe241f3e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bca9853e5fc9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037f4f03e5fc9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ce5803e5fc9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000130e693e5fc9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bca9853e5fc9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
4180	DiagnosticsHub.StandardCollector.Service.exe
456	elevation_service.exe
456	elevation_service.exe
456	elevation_service.exe
456	elevation_service.exe
456	elevation_service.exe
456	elevation_service.exe
456	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3792	9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
Token: SeAuditPrivilege	5044	fxssvc.exe
Token: SeRestorePrivilege	3472	TieringEngineService.exe
Token: SeManageVolumePrivilege	3472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4396	AgentService.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe
Token: SeBackupPrivilege	4756	wbengine.exe
Token: SeRestorePrivilege	4756	wbengine.exe
Token: SeSecurityPrivilege	4756	wbengine.exe
Token: 33	4532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4532	SearchIndexer.exe
Token: SeDebugPrivilege	4180	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	456	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2072	4532	SearchIndexer.exe	107
PID 4532 wrote to memory of 2072	4532	SearchIndexer.exe	107
PID 4532 wrote to memory of 2568	4532	SearchIndexer.exe	108
PID 4532 wrote to memory of 2568	4532	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9a2e0b49b0f694b9069c7dcc771f259c39337a7a850d12eb19ba71afee9024c9_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1184

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4156

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
22e04bae2e1a271eca2298af65badf8c

SHA1
23e1903c5f2134bdd7cf9f48d9362570431bfdd1

SHA256
3728818cfb277065ac6dda2faaea3ea100d2a9c0f3acd74e8fdd13845c01927e

SHA512
51ae60bfeeb82cdded78c74d0a0ee05a5382b41d12620023ae1eae0593e5082a2bc6954c8cd451c6fa6d40efdc0ba0b7384d6577d6d385029914d126a80a2384

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
e0eedad3cfc6d45f08f5798bdb2e2ba7

SHA1
f7a64ec9aca338031e34f08b0bc3c382e722e52a

SHA256
41d3f13bdbdfc8ec527223615c09eed5caecba7d9e6d063f665c3e7c3ead602c

SHA512
903526edc59a11aa29f349b15ca033b7b12e05f11ba65d1259ca7db7871dd9ebb3cf78366f8d46a7fa94642e644663261af80678fffab5381a04d1b6f2b00f33

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4c82b58c0d06c045f93b2192caf5ab7d

SHA1
462e778870ba8cade3fa61e1f670987c07a8e44e

SHA256
42a2986e71e118aa101ef4b66edd171ee78de7899b7e8b83fcdb0f4d52e74534

SHA512
2f492f93e555eee80ffa8f34c0ef2b00e79a57b2f7ca3b706e831096ef59594ec410ea83f5d1330195341c29815ceb7d41053dbc03b77e9bc34a6a24e0933408

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0f7f60861c950d896416e530f66c3490

SHA1
86ea11212570cd4903b3297d03f50a8797573517

SHA256
bd1ebc51725b977bf838f042235db4210ab339de78e9631de141ce6345a78a5b

SHA512
71b4ad31b17d222897e48895669255026d3d1f01f485259ca9cbbaa23007c84685d0e0780b72ad39e62b1ebb8d2ab446ae3f95d5168c76c25b003aa98ac2a551

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bdf3c3f0b5bb05b61eec4e0705bb6fef

SHA1
8d9ac3e5282f041c2477633b1ed95b3b06fd174d

SHA256
71e01ca1b77b9d8a4d72751d45d593143daf1cffdfcadba0da8bfc6656ab7a7c

SHA512
4d096055ae3464be9a1466598b27d54dc666163a7556aeeb833390de386570e78149e19280b3ba8ad552ff01121f10e9ff88780f56b636fd926ba9784a367227

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
63e8e03407d8c9bb1e59eba3ddcd2157

SHA1
eb5fdaec2c8ceaba544a467e56000fb8f6847c42

SHA256
b1029d60c9b1bdcd9d97b7642e7cc41c257091cecc32da194461d7ae43a6c03a

SHA512
41634033aa2b8abab22886ee6b772837d2eace14936aea5405b8e2e493c97aa647939ba568fa6e1c588408d960caabe636c07c7ce1973d97c9f6ddfa45d5ead6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fb8ff320cb5ced38606e1c5106057c85

SHA1
e6bce52b5d64138aef9c0970afa9027d08ae9f22

SHA256
279e721daa8cc8c96b227ba9a01e38bcd6b5d15eb1688538280cdcab9c13adfa

SHA512
4750409ce88d8408f0fb0e393695bb481a95fab9a7902540213f2c106954b26b9ad4889e4a1d2cbc3a63895b3c6d3f4573c5ff98eed4629019779fd9c66b86bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0a998094a655fd9829514df8b9918c0f

SHA1
aac6640a963341a737fc68b20300bb185e150b75

SHA256
2bf16874c54aa5e311d7c62c54f25f52b1f6bc492c271cb3d70f628c43b91610

SHA512
72b02e2758384dd225c7ea7573812a03a1e687c31c202e1f373f13add388fa7a9c525804fac0477d42169779cfeca9ee9a5aba21bdbe145f020a68c3bd73c3c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
5b7424e0314eeff56636da209f0465b8

SHA1
7bb5f480bab5bd7ff0bc505ed48749cce9a85c8a

SHA256
cc78a3abf4bc29ae00978bd457a8de39e913d27a54ea4a961b9a4e43e28a1030

SHA512
8c7a9b69638350afc33baa43d49f04a124dacafd0c0aa495f2528a7c1145a5316aa91bb8d4b44d37f1f7e01694e21315a3d2556a6858dff575ed77101b6ba16c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
581f1c5cbfc4b915d518df73e8b60038

SHA1
cf84103789d6933e2123c1cef32f68ecde2b1cbe

SHA256
92cb34bcd55eda90d951930476ed2773fed030395fec8911b000eda3ce81a694

SHA512
e67a52b093dfcc2804722a8a50909b5daadcb07a16ff7c1abe8c1afed26de80fba848ffb1627d7a12a7e22508d8ed9bad06e1f684347b14666b857e8b972769d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e0006f3330c6b03df47c2f3ce77d3e4b

SHA1
5f8806196201580aa608c10ff703d62b8f0ff440

SHA256
b1a6ae2ce8fc928c57d4aec26b3026a6d9d6f977b95c7361106c25a6bebeeafc

SHA512
50bcb7ecdded24829209a8e7a9c954b0724d55fef162550a2f57722d9450b3985e1a06620fc096f4953cb294ca93946e53bfa117f3508b96e7aaceb8c3506b05

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
75cf697e4dbeb14f82ba8579ad0a52dc

SHA1
e3a9f98e79a3646ca25d1fab891af35167732a1f

SHA256
9bd16e7bee9f852903a5b68178246f46cb41f47b6836ed142c872e8ddf9cb0a6

SHA512
bc2c89daa7424ed2484e043446934120a3fe843fc19eeeb3d2b3478cd434fb602fbf312defc95ff42b9ffb43457dd02cbe7f2a5a79ffc2d38b4ee0c4a11e3383

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
21acde311c5ccc06c60c2dd1a1146147

SHA1
c3d53ec7b08be33378cf964ae4f0a11afc456b0c

SHA256
cf6020092a1b1b7a22273ef238a83a11eb5bb64961bce8448a49fdb8aa630625

SHA512
b381f68a05b85c97f99775639db61b901e69f9dfa0054e7a27645846fbaadc7acc1599bfd2448f0add06f7ad63d8ae42e0f12957e0701e260c7191ea8c09aea6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
3a67c452a9823704261a3ad7af070104

SHA1
b42b75e214206b9037dfcec7d018a26b0d5d7518

SHA256
14f17386ec6a3e3d48672dc5ffb86ae4a7a03e5a0fe2be9b626c24e6fa953b6f

SHA512
efd281f820d5c971e570df076e85f046a987c471e6dd3df162e8a03a45def10aacc7e76d4a06069e83eff2f1c8be6ec2ca48946b393cd85aa36b8a88f3022dc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d652e794b2e4d1179c80a3414bb27b12

SHA1
b81d5c7f77b2dbf9401962d02262e9ed375de152

SHA256
2e254b8b4d9f70759b894d323bb6c5a5dced85717da1924b03f22d9b9b7a6240

SHA512
d10efd734bbf72a0f4ed075500e6df6f32599c016c301640893e3b09641c08d6a5a496770938523523d4b5fe735b5ba515da0235920770a64cafa676a11e62e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cc542967e3c90a4175374272c93560e3

SHA1
47d7f944ae83c8376c6e43a77df00ba251953123

SHA256
dde806756328a2677306ceb23daa60f2456602d9a4c16ca64c153624cccc6cfa

SHA512
bf1b7798ac57a10ad19419d1cdc26a3b3c7eea648f29a120011d6dd7710066c9fa79d1b28a89f509d48c2c478ea1494b474a3e945283bd11e4146d0445508a04

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8797ad4046e4b6d819db4d577ccb760b

SHA1
f09c046f5280593f6fd08564be6802f1bf5ace17

SHA256
60dfac15ea35c9437f2534b1d2b429eeff8eb052180ca252bdb152d386ed94f4

SHA512
0ac7146d63986aa5ddf78990a0143f11271eaeecba092122c53c880e73cdbd242b2368dffee32672d1edd32d539644cf7e45ae1479d76fb46473e1513f2ba7a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1346f926e71606efa344af6293f5d286

SHA1
daec44c95b00d404f1d2f1f49608e73cfd5aae2b

SHA256
8848818f6b73e90c7f41a147ba97293c8c83f592fb06884228ca641db105e939

SHA512
b80bb98819e58d67d340f9104f7e89ed63d44cc1fd7d3c262843af5d04510c4c0093a2b139b6efb4d21d1209410855eca3cecdf89ceaa790c3a6a2f7b114728b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3a05bd55efd71782655c25bbdfb76649

SHA1
52fbadd0eb975abeb1d27aea1f011dac432aa76e

SHA256
c08a2c8341b54985a4a8930251d10483b42b638a5f69711ae3e1cb9866cafeec

SHA512
4960e8d8f438fd48254eafd272ea72a526bc9ae91d56e44349cd17519b226768e6d25124b5458879978b63d9900fb29192da0afdb9bc9763f8c97ab619d9338a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7258afdb3753d81448c338959a61cd6f

SHA1
514ace491ef21facf21a9cd26e9db87217fb5182

SHA256
bb8b93f1a848c088b594c141ba0cb83410c899cbc8772e0c6506e96069085fcf

SHA512
0d582ca071886b607831a218775abae5296c849c0fbfceb969b621d60320f95d75373c9736571ba1e97b5b7862c729b94f480cde0b1138508c1bb726402d9ff0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
fe24815fcdf18412a804cac3b8c9754d

SHA1
c74a25153e596c1a9083fd8c84dc1ca9b3c3575e

SHA256
10d2438b988fbad6109c23f9bc4e6842af436cb3bde66205ea45b2571b95d225

SHA512
7d81f1e6e01b4daeac3ea15437b8493f2cc185fbceb62dda7693ab1e9a4c1da87b173d036f6de67150ac2d64760198dd379497e1b378d39f0160e1da4bd3fcb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
4e0f1516c9f672d95940df2722ac8b93

SHA1
b3342d67d2803b08c977259ea049f31267b0f565

SHA256
539797108ffd0b11c175c1cfc7e8664b1c8fd9113ca6b16d611e50a199bb1b7c

SHA512
c536b7849be285c01a7cd09d357eab1005d3c17391d88a40feb902244696c39ea955bd897808898875d4fdf2c5aaa2002ebed82bd4c37a0437995936ee8c06f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
001b10df0dfe3d4d3430a51b89e7107e

SHA1
56beb526312783bb1f11047550e174d21aa5c83e

SHA256
9f930c17f9d045f23e472cea0fdb6a6b4769e1e0faeeb8efbf93edcc23d84ec6

SHA512
19cc361790d712c595e40781141fa6ff622716064e719ef7e5b04ad5c169e7fcb4e4ccfafeb330cf9f15cbb9816b70511a9528b60fdea69aa0a213efd238ed3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
408a96993377a4d3610f0fd057e5a5a6

SHA1
e898b153009f459d271b20a04ac86274efa146ae

SHA256
1661620492d2afde85774a235dcdbbbc992e2ffd83d61fef4780bc02801a84b5

SHA512
4a9da9928f40759a2538ad4c19ce1a04301a42bd7a1431204e70946e35c4c5abf55cbfb289cb28e44194ff7c9134d114bd7555db734cce951bb64137b81a7d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
f63ddc5ccd23662c981a879aedceb1ff

SHA1
02f9ed778f77722373978a996356f820c899be04

SHA256
87dafec5bdafcdd654f6b865db7e9c3b045a229d2fcf7aa5c34283cd1983f283

SHA512
5aa2eaeb011e7baf4aafcbfc88c95a3fc946fc4b9bec3b658c59cb5e52edf8860d9f5ca5f186aa1e203d44b737cb91fc5a7abb8e9725206fc3fcba6fdfc6512b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
dcd22cf03622fdffb0979a3de6e8d0cb

SHA1
8bb1407867a6ab77038282f0be5857c9ae0e9e5d

SHA256
b99656454d21bb1985d3b830fdcf50416bb08364001596fbd9a509586a3ac070

SHA512
3560825ff2fec49b20d4a958a49b0d5145868dba0f9b774a074ab96f41d6b69836e682c3724a9b20b6c608d6c835bb490856f539fe62a4323862c51e66bef84c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
808ed20c8a8056198d361f86235588ec

SHA1
d22f75b8f1c880d50e6bcf4ca35ce3edf3e7ec82

SHA256
bec5df966ae12af9b71960b2f7724aff6301bbcf806d543149f9bad602a2632e

SHA512
bb39918f03ecac8f95e538b073a2109aa28bb61374b188c320bc2cebc2b5d5b34a591bf8b33d080d2eaafb8725c124d895d19fc1a1cab875a02d360a4a14a502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
993e216d53eaca7e735177c4eee828ce

SHA1
1922990f23230510bc5c2c0a42af64b33685cc04

SHA256
a753e55f2de6bc36f935827669878f730533ee7b6680592983977c4cb7d51c75

SHA512
ac2fb42d394ce1b1f4801a54b759fb0b8fee043202f9abe2927f795bb97fef433655b3f9ae2063e13b8f61a47ef0d63810b8eca0d9349e4999cf09ad62c11aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
03b7dbf397a057c3f1eb6753ac7def7a

SHA1
782f30c50ca196152cb2fdbe49544bf3fd52196f

SHA256
9902655f21d02c0fd4a9926a9e7c15eefeaa20c4de12fe6032ab7dadc2c17205

SHA512
80c426ccc32780dadbf2b6c6ffb396eb9952f81eaa83851802ba70a841043d286ea16315d52e2e9470b6a509572991b35b24ec8918e593b5f881ae15a868f7b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
0297c3896000887fbc4a501bf26bbd8a

SHA1
597ac14f8b7562117857aa6bb4207c5a6ac3d33b

SHA256
1269dcf7dd3a543281efeadbd41fbda9caa94c6c68312fbe0554a1876eb63ac0

SHA512
b409586dd460eb803494f82864c407ba3cb9727ddcc47a7314a6d9aa1a7f9835bec74951881a8e8a2b7838e18e563a2d7843801594d179734fdf3830e75a3fee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
97d713610369c93498a0e66a81a2a142

SHA1
980bf7e79f778e3b48b8c205c2980391806410a3

SHA256
0ec9bd61ce3e2733d6451ff88e6c53162f42e83d81136137806d71b51e43e820

SHA512
60d607af76172a350a23d24228ca3ca6f13f746a2fd85b35ec9bf9b95ef2ba6f3f08ce3329eaa54ba650871238c7277b4459cecf4a57da97ad850191b7424168

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
3670c2345bd2acbbcca6212276bd9ce1

SHA1
4dc37c5c6baef01b08436b7474775ba80f1ac724

SHA256
3c9c948b2b1b15770e7a48e57b0b459b2c7033f36e9ae7d790aa04b5ca04176c

SHA512
19eb5801f048b178faba71f4a95b5ea061b2580aa6ca225b849e8191afcf2e71bb3bd9089c204f251c41d0ffab1d7bfe28e744a6101c8497e5f00db34e759f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
e376f708be222164481e30883fd471b7

SHA1
8627250509bc62c1a0a5b86d2aa24cf516e17672

SHA256
848266dac49f1aa5227dd1a6eeb87fda8289476caca4ed74d156d8db034408ae

SHA512
8e827c6207f2851b998bf3a88c6ce9a50e1c9c8484f3713102791e169d863e6b6c64dc850a56e0a080825fc6f5dc4fb300f820c050a184eb3f0a3f991532963f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
67fc3a1ecffbbe4ff30583f7bb6364a0

SHA1
1b181f645e056b8f9b8105ac31c90ee36a449ca6

SHA256
9d5bb538b5bc8fa133ad84b0d429b73d950b071ceb0e7fea952b0d6ede38772b

SHA512
fbeb64a8fb2ad1037fd343d293d345a566f8c8cc040ee03ccf2d5b235023925919a5ac91feac4c0affd2148ac21685bf48a041e5c3059f81093d8a22618c5e30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
09e11074129f74b6587df8c5426d99d0

SHA1
ed25176c497e59f584ef7d6b7bfac36c8205ae24

SHA256
b41df720f276cfa52b10deab4dde5fa5cc9d27c9b1355e216db869e5fb9a43f7

SHA512
00d0ab388815ae9a5989d56f154bbe0212c59750af43654655fa9407e37966b71ab4716d4ace4610f5e70eab96dc87fa62ecd02253d0d2e2a3be287d3fe921b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
4b9821581891c150d0b34f76534e6297

SHA1
a01954feec208d90272a12ebf6ff46f7c9f7e6cd

SHA256
6e24dbf4563b3410c718c1a353582d14d02188c1b1f70fae86214dc885c1011a

SHA512
1bf8d93c307a31ff0d2702e25d7c0b63eadfd76d21229d479db2b092267b28216f8309c87b0eb114bedcaafa0687784076eaa92bc36af59c0122a572b54fb957

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
b5e48e7d4b3f3343442fb881493274f2

SHA1
d0ef4ad8c3c24896cd67820f50fc9cf410791b5d

SHA256
f4cf8eb1d430d9ea820599afa6460018f24d07c835a3ed4e74b9ae76460b49ac

SHA512
bc55b1b33af3dea8019feffa69fba2640ff989a8837b692dac12458640c4757e6a95502ae7b779bbeba247a8156d6743ff3781e0d32b1e6a78379005c0274840

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6cee3f6a580484061fb0035bb0d24598

SHA1
ff33c86ccd8123b229c64164c6dfc6620f78d0fc

SHA256
916ae22d53ae41e0a47a8305d374f35da27e117427c9e9ba7c8ac2bc6478f249

SHA512
c594521457ce750f96454ba2af759c4ca1fa71888c84659802aab07b5420b838e06bf57ec87e08d6e80bc54a4cb081df80b10fd6c477887c2e2a175f7c67d24c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3f42a18a53e8f01f91467e94b8978a88

SHA1
a0edd920173b8aac41c11ba5535b6f573b873d2f

SHA256
755a2b143ce03610e4576fc17379fa85cf82253b77b7781ab91453be55d7ec38

SHA512
09a1472f2628ffd0289053fd8c3371fea8193d8a7cbb3496ce902a3dd40f5681df51eceb6e852f2c3aba0ab450a9d6c6e5034fc252b3ab540e48bd511ca853c1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4f3e22d693235f4a445de7923600ef2f

SHA1
0a4ba4ae25faeb061053c47240ecf934030f782a

SHA256
463c70965e65a65cb10e5715c4cbc8e5c8052ec1ee12125dff546072bade4c12

SHA512
005a582f611a575787511ffd95c5fb5a27f4541ce1df3ffcdc90052cb212c37762bdfd93b44ef3d5bd69051c543e68006c4ec0d2ea161d44c044fde108866fa7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
90fd1ca9e3646dbac33ee21b88932e6b

SHA1
57054ed5ab5d8642f84cfc2e662c89adf7773e88

SHA256
ef4c23e0dbc9ee2da7e84756f1a9a1c1ebfb3a0f842a140ba12a3b951bc4f924

SHA512
d3527b5e6193571388a6c7f712263a741f07610b5f76ed665c044ac92d6c212c60d3a63ac76d1f37ede806d89290cf81f435e041ed67ce7e7be301264c692b98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
825633a53549e672ef7814bbadaeb6ee

SHA1
66e1d08091dd9b615a1443fd3fdcd0b6f191b6e7

SHA256
c5ee2957fa30091a0fc9f7bc163bbcc381b5a2ba9d480973570403ca9f3dfead

SHA512
cebca6392769c1a27d88114da2e9634d59cb229ff488fdabbfb6529b519ce74f1e74872b2c96c2e16d33a13f3c1bb0374f3262ca8c3f4b2ea41215d54e331cb3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
596e70d7a9b10d987b8979f0be07a066

SHA1
118ef4dbfd1332b168cb6432f2bda7f433c0e36f

SHA256
145710f1855ed080abe7e29f67f196dd4f552a412508fbf69ab1328415682b14

SHA512
e6134d385f388f532f931eac516d8a6fe7fde9b020356c7ca4701715e99759d82016b4978fdb07fd293d17ebae97c6dd3116d06deaf019dda836349d453a4505

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ac6ac8391d026699eaca7af22ea00574

SHA1
587d3aa11a2486e7041b6934473f58e2102176df

SHA256
7c1b271d74f6a507b257508718f7b8ee7c05f5055b358de0903c0eb11ba1b643

SHA512
ee695219fa9e534874f2d0751cbb9a7bb5eeb9162be854e086604d414c9d34ea7fe23437bdf86f64b82e7dd453d80110c385ebab7d10dbfa5da91ff3ec09c295

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
06e8a170d65c8f06c3003b90eca0c4d4

SHA1
6fbd08bdc74b9d156a24dc83393b7708c2db13ca

SHA256
c27e639311814d1fe8bbae3506d5a4909e594d7f0f79874bdc934376ab75b339

SHA512
f9add1711fa977c85213837ea539f5ed122c9653e55a553bdd544200979ac972cbc39af135bcb4e3a92fc9b8274e2b27a094625875a10bbdc2d8fdd688cf1150

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
10a12f44eb373eb6bdc9e9e3236d1227

SHA1
a4c634af123014b6040f19658e60d117c2e19822

SHA256
ffa167c6dbdee202caeea39df197654867cef3cfe59e7620b19846c3c26604c5

SHA512
c4e8867bcb8d2f489858e1fa2fc82cc79c272d21323688f832d4019529472529d3d8ae0ffa7b1e355492f0383e92883241d722768dd34f698f7f25a4ebd1753f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
794c2bf0e9d93ca506cf4b5e734382b5

SHA1
f97aa60c96c44b7c4a61f81951069d517e81a013

SHA256
2387861b12b0f070d01377a3e637fddc990fa491b166df02a54a99efb4640267

SHA512
1fa8b8e4a9aee443feaa83f0ad23139b572b2b6beb25e6978f6925ba4ce79e4278c12ead246056ccebe914ccf65c3021f653d27c652a2afde69aa77e272b9f42

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a047b9e4c6ecf1fc76cbaefcce396a7a

SHA1
7781ea892391890ae9080d7630f44e17e2a8b3d7

SHA256
4e2929c74c74d8539689278f96bc4c3d99684609d537e56411b2f5bb038139cb

SHA512
eb5723f9e2637d25df065748332e8c0d7f17b03f03b55f030c1dea615f9bbd8fe78c627231f916a5094bea230f97be4b319a7998c3da8083c473617de0626642

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
35584e5d153cf3612ee4d7ee21e2f9ce

SHA1
20058280fc30b3550ac86fd7070fbccd4de7e090

SHA256
58906cd98e65bdcc16142a00d01831fba0b8f9c7f1b8777c382b920830695819

SHA512
de6667f49a00b9cb52579c451a0d97baf43bc43c5a2ca2e8656e41ced1cddc95bca73d41f4ecfef2c8e3ec8441dac4901bab9d0b2943613a89a59641f06f1bfd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
cd74921ca76336cb13c80cc0f3fde656

SHA1
04cd922cad0f64ac9aacba38734e7421639dacf0

SHA256
0d195fc8b116b0165997f35a85bd799f660cf577aa06ea2bf1f3c03247260fdd

SHA512
a729ea1287c28147fe9550cfc668992a5e0924e190f65a104b3bc6856ba2293f2c59802474da17cb1b2a72be0f74240367e861ee5ddc2871f1aec1edbcd1f8a5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f95ef304c2c33095dd62a4f059ec3643

SHA1
16fd033e21d4969237db94b613eed4777cc88d6f

SHA256
aec373658b7a185db6b931da359d68069a9e9c7b49a8b62b2fea2939fc902fad

SHA512
d21a5aa34a3e29352f35aa4c8125a03f31dceb9675e69b7db22004807b4a6bd70f5529aab29663c0fa7f1ce287d07c0be4e84cd078d0823366432e6b8893f376

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
55894e1aef66b80064d88bc7b0e570fd

SHA1
4eb03f27c8b58cc8e918e928a3abfb834958d4df

SHA256
106c3b149ce4e6c34d9fe190c366654bebc87b9a25262a6e89c49958577ffa97

SHA512
98539fb4afccef86bc98443a9d5b0c5d0096a505a0c58e9458ff46573a23b2aa16594dac66877d521cbe07a8245c5587ae4e5c33dbdf54c597b07a348c10b438

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b2e0c0e740645bcdc7e38597a7d85c47

SHA1
9e2dee76a5b0c785b742069530dfd15b9744770a

SHA256
a74266105fd295a68ebd45bd619d29e9ad1d378181480089bf8fc6a83190a8c0

SHA512
9434699e041d09f2a81a0825b65ebb2638ae3e71b00884e77979ae02d8f84790999209acfb31a868bf07973ffecf5e1945bd4056e3b665fdd444cb2f67cbbdca

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6e7da1dd2b92bc63218e0a936b2ee45e

SHA1
2dd72c70abf24a26a0bbc4c0fddb54dd9ac7abba

SHA256
549c6bc7d989125c964fa96e45e5777eda192770f09aed7de2896ada6ef43ce7

SHA512
63992afd6efc268dc133a927f60e43e9804e5f61ff8b930c6829fede08b00e05fc889fdaea9b4ca787e3347e3cd36da6999520cabdfa94c079103084d34a35bc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba3d03e39cd6e01268702dde8fe7065f

SHA1
43d912dbafa9c043c38093907ce72adfbf5b8bc1

SHA256
c4a900f42a5ad5a616ed7af981b93726248ced3a3f9c7c5e616083990677b6fa

SHA512
f6335eba6f56c7ce3a02a2948faa9dc418bef6fa5303cf3c21caba355825d99959edf142f487ab0700e93a0656a0a3e5b48f1ce25067ddc8adf40095fcd70419

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
74dfd78a772910ba9043eec9773433ec

SHA1
d31703b9f3f79e9836b31e902189074a68094e8b

SHA256
506fe2e57495fd13e3ecac045c4fa62ebbe697c65c751365c4822c480c9420e5

SHA512
152c105057a564bef1a22a86396dc39bb51624f16e2c8c76d085ff1bd85b73fe21b6dbb857efa223d9424dbbd21c9b82edd12b418d5aaf271513d6823249ed95

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
25574bdc191cb3c7b0fe0f78047cd3d4

SHA1
823ac355dbfe835c049789c6dfb16f7f2389263e

SHA256
182aa6845a9892b6d4f5c3f519c902a157bc53d7e486420e155ee7c7d8825254

SHA512
d67169d166205c00a8222792256bcc73a4167bce5c71c414c4d7525bd4a55f1b0a1365aecb0ce5e81bbe55feb6881bb88fac232be1997d4ab78b53233ed42ba8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
705b3bae42df7c41b11e12a5f5b3f579

SHA1
650a240d36e8e83b2e1c80a3e696deaa2fd9395c

SHA256
b8329aa18903fd97f69099ea07d004b58737ac015796114fa533c25c655350b7

SHA512
cfc0857f01cadf43697bbb054a958a14725168163f91c738b578bef9a8bb1b9f71f2da7cadc690f572a3e89fe9477d9b86cb49790c439bab52f0286c035f056e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ebe3fc11ce08d88ef94102cd4239ca5e

SHA1
07d80edb67d75d9c9dd440896775c86d5d13523b

SHA256
84e374db83ccb93a10f500278a2435d985226da10a840ee0fe0c1b7d019c3c63

SHA512
9feb5069726736380515399ecce64ebf65e42a633077a6dea16ff3f7ddd90b9778b304b72e3bffc44d864557f70106f0388ef7dd3df252b4a700c7e61f201156

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6111658d254bfcdacd8a5bc2b8d04379

SHA1
7049835f6b3797ea713f2bf34be63e5672307766

SHA256
fd1c377d7e7eefbe2ed545d2a050d06fd3715edf82ad20612ee54449d59033f8

SHA512
6a04a8a7221d73081278db1b6d4028e735bdffe7435d3b064771c1ee66abb5e60968cf7d41e3f4de5c51b7142229a35a4e9d003bda882efd17d533614d7582cf

Download Submit
memory/456-39-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/456-33-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/456-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/456-510-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/932-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/932-93-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/932-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/932-517-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1184-516-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1184-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1184-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1184-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-137-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1240-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1408-460-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1408-139-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1596-97-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/1596-521-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1596-108-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1596-102-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/1980-142-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2584-140-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/2980-65-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2980-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2980-55-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2980-57-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2980-68-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3164-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3168-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3168-522-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3288-138-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/3304-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3472-162-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3792-7-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/3792-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/3792-271-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/3792-83-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/3792-1-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/3792-0-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/4156-81-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4180-25-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4180-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4180-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4532-203-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4584-518-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4584-91-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4584-85-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4584-95-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4756-201-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4976-202-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4976-523-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5044-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5044-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download