b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
Size

1.5MB
MD5

279eb31026764e5b4695e54a58bcfbe0
SHA1

e53c9f32fd31e71d5121ed13ecf0339ec6109e90
SHA256

b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986
SHA512

6f2319a063a0789faebc9199aec1df0ddb561d8e2743977f0c4948a29e5312f30b7d3a924732a8b6722ff768b718e3db493c82f996821cab05a6bbe874086299
SSDEEP

12288:XEuGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhW:UBt/sBlDqgZQd6XKtiMJYiPUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
1332	alg.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
2700	fxssvc.exe
1556	elevation_service.exe
4820	elevation_service.exe
4800	maintenanceservice.exe
3040	msdtc.exe
3356	OSE.EXE
2944	PerceptionSimulationService.exe
4092	perfhost.exe
3988	locator.exe
4192	SensorDataService.exe
3216	snmptrap.exe
3468	spectrum.exe
3692	TieringEngineService.exe
2872	vds.exe
4112	wbengine.exe
4108	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13a938944ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bfc078f58cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000062b558e58cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ca22c8e58cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe
3948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1160	b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
Token: SeAuditPrivilege	2700	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	4984	AgentService.exe
Token: SeRestorePrivilege	3692	TieringEngineService.exe
Token: SeManageVolumePrivilege	3692	TieringEngineService.exe
Token: SeBackupPrivilege	4568	vssvc.exe
Token: SeRestorePrivilege	4568	vssvc.exe
Token: SeAuditPrivilege	4568	vssvc.exe
Token: SeBackupPrivilege	4112	wbengine.exe
Token: SeRestorePrivilege	4112	wbengine.exe
Token: SeSecurityPrivilege	4112	wbengine.exe
Token: 33	4108	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4108	SearchIndexer.exe
Token: SeDebugPrivilege	1332	alg.exe
Token: SeDebugPrivilege	1332	alg.exe
Token: SeDebugPrivilege	1332	alg.exe
Token: SeDebugPrivilege	3948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1588	4108	SearchIndexer.exe	112
PID 4108 wrote to memory of 1588	4108	SearchIndexer.exe	112
PID 4108 wrote to memory of 1280	4108	SearchIndexer.exe	115
PID 4108 wrote to memory of 1280	4108	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b868797ce23df17bef3c42217ab8fe5283041d4d547365ec43b9f30e159a6986_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1588
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
eea9f400373ef0d55a0f6e20b524387f

SHA1
a1121eb6be0425f01ea338f1f673b18ad6723556

SHA256
f8381ea047c2c029ea5072e723a7140c0db676e72ec677c3f5b50e251f4766b9

SHA512
40003edab69488b3e8be524390ae6c766e267c411080603fd4e824c5605f261b07796939855fe65c5a04229408e4be24f1c01c70548b23f871e6629df5f521ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

Filesize
1.5MB

MD5
e07342b8a74de880211e5385a1f56333

SHA1
8a1b8dc67216eb49bbfde001d004cc8b279032d7

SHA256
76f30e28cd246213c8b73d2394f2328f7d91009850536f621a7918b4ba14451d

SHA512
5e4d75911d314ee77c524a733370c8b294046f53c1ca0244c4d2ca3cc2dc81104bcce5b9324f271435d10573e73fe60b921fcb910b339dc29614379a8138550b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Filesize
1.5MB

MD5
956ae26bb9d4e885e270e892a6152de8

SHA1
b4b01dc90cddb3caaaa514b54f45d3c31585f864

SHA256
b742a3403c2b8a5a86b51329c3fb5be1da3ba5cf52e7a8bac3acad8183189950

SHA512
aa6ebd8d83087f5a7a875213f9bb338856d9853870d7c3fb3f7147510c1a0144baeaa8d9d5a4edb314ab197267fd572a7e222603da9c7a2db619a547bdb2dc53

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
34a342cf27798d2fd2941bbf32693942

SHA1
730b857450c4371005f90173deeeffdd322ee939

SHA256
535aae64d62de03f1396608a704fb32402834ced1b4d41f310f67305ec93d6d9

SHA512
94f1f1dceb5c120eba80039aab714adf8de407aa9b7cec4f919a5476a06be60c5142ae4acc2781cb454b30bb354da8a6c4b7d0558e1f8193132ef351b35bb4ed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
7f0185047b3e438ba868fa42122249d1

SHA1
2e32d4d6ed0550fbab0494a25b8e3777b80878dc

SHA256
b00f4e871f8e495f5da171d7706645f8f9250e53e6437f0fcd3f4675a7d601fe

SHA512
8683517342c07447d99b9e8d45ecc1b659c9a0735ee0ceb938bda9506f1add0b076ca0eee3063f1b5d952a9290d72ef1c0d2165b1a94cb95052156d63a9a57d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
975830a894382567a6bbcace6af90a8b

SHA1
5db42be801f10b6c39ff2e6f489c7b3af75a9c94

SHA256
2fef94922de772c51315c3699680ea31c5f50e465658154dc26706e4b5b6d64a

SHA512
87347989fe3c1e1fab7cfe298170fbd94e5e4299348b799c2479fcc159d64d4f79c7fead82766a9a30884237849967a58af90206c4c28aac445ce07c63070638

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
b59ddd6cb4046d4406caf4ee93595ef9

SHA1
42c538f8dd47b525c82fe0e9742f8858771b433d

SHA256
7e9efa47c3a9e4dab6bbb7227fc358a76d9b989ed8aa87f91c17f9928385f1da

SHA512
4459b45d19d6dd09dc9eabcf32576ed3fe834e4c74146261f2dc308f25e9b09f816b9c5a4324ccf02dd84ee7d66c050c837c4c250ef3e44a959515554b8abb27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bb05d80b19796ab6a6dae80427a2613f

SHA1
5f0fb54a921880b94b84c37a6d1ce7667cc178d7

SHA256
351a804ae28c317abd09ef98b3a5c5e46f27cf17e71961e0c23910204e749111

SHA512
df741bcc7029c745a4e09c49490ad9b8c879be549d97b1003c0833943723ac103c904ec2765380300a9e4b6865f8960b0d1a166ec3897c21331985ba2d676689

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5096564514ee951cd007f270b61d7c38

SHA1
d278f0bd0e6e8abd0b859e7aeaf329c5806c11fe

SHA256
09a2e7ea61b68ae0988ea51f29b8f92942a18a9fb5cb154f29f565b1dba1e635

SHA512
7b5036110aa0752832fb7a68740f08dd0d5b5c55a65402bb312cfb658951c27dc37f1331ac3b4635df77f99839fdce121fb52d7bda7d917fb25718a223b8cce2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0cfb259c8217c6e5ac8d0e3d2673e350

SHA1
7f8c626c2c989520c53dbf733cbf8db72261cd55

SHA256
748c25a26b97d833c7a23464a106635bfa64cd6b61c6dd2d67fa52ecd33132fa

SHA512
3bf19465e2f81dda089b559b59fdf06c37d3a478a7974d0389686fb4651a3db445abe1746b6ad9f6bdefbfe391f99f9a09b69c9f5e058d7f151edfbf7ec535cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
1938fce4f49339233af5a0dc5d1d48d6

SHA1
c79250774b30fa49a8089880a0d0275b1545421a

SHA256
324baa79e789cea9e0134d27550dcbed1264c29e477f3f27fb445dbe7b56ac97

SHA512
9524fb185af6478df669d1b61471b19720f6c6f1a6bb8ddceac47cd2a28efb07f31ea03b70bbdd1d6f499fbad5185f43dafaca2a8c85404b3329f1bd430fb431

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ae053155058be168a3b894db65a4c539

SHA1
2e43f7b6ffd335fa15cbae7f6cfb97549afbe536

SHA256
fca73b06fca4c735c99efe60f627f909c92e4530845d0340db3b5c80c7c1b56a

SHA512
85f083eaa5d5c4827773c319484b469e223f3da133de240ac2a6842d036a4c20ed49fea3ecef08b536ee88a6e8ab88705731ed9a48052b4aeafa191d43bd7657

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
05cb03798959bbcae6f9083991bed6be

SHA1
0e74e46c259fd73fb8ad0e94bf39dd257e4dc9af

SHA256
b6c92bced64e0a5a2f3727a38e8a725dc86d732bc1c1ba014cc39953d20d4505

SHA512
6c5e43176ee0bb83251ed33a3ab1c95f3a103cda672533ba54d756c1443921ed4b0f1139371db25d56e1545f2cb1c803ac1c4d296eecc355d96591048d69aebb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
60f0d2abf330ab565754850ee11011b7

SHA1
660cf157d4c52289026c6f00fb03b0ff9e6b3d40

SHA256
c059b994819f9b30cd015437be54b14489b5bb65bdd6ddc625c88339532e0660

SHA512
87fbda0b384f1cf26aeeb1f29e7ac746902169aadf1efa10213402fa56dc53af9f62024f89d8768257411294c4ce25334faf86a9d86d9d0b5a1a5c54839dadc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
024af3dd240e91b72ae5919ec121a150

SHA1
153d307fc39e304a864fe3043f5ee2359e67c5bd

SHA256
0368714b46105a75b8dd26be329f868606a65d4adaf34d5e140cd1c1fa679d1f

SHA512
d47aa566e2d50830505617f46869cffbe47863019becab4b3fa165f6005a5d067c955fb79f882bc509a5034cdb6c3fb0e0cf1347a0c2d4b954a4dc0e96dfdd0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
3a7dab33c955746d3bafaa949ae11df7

SHA1
20dfac9931eaf0fa82a8fab524946076ff446007

SHA256
ff1f5ccafe99f0bbf50f73142f5a1f51df072c13a215a7f622c02fbdf49b513a

SHA512
a9772705d4879aa580d31f5c9c232e1d84b6b7ac57c8b3420791c1b82a4525d0e24755e39bb4b1ca73f4654e5db3965fa562687aa73b067ed4f9a3ca9fe1347c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
dd6b78f3135ae3cb0d00afe8db6e745f

SHA1
26c9063d8616682d066e91f8d330f5a3ef84398f

SHA256
690dd0eb5801968a270e0a38d7eded2d06df28e0360ca3d25f4bf11ef7dcd97b

SHA512
e27cb25d253000d379afb07402be9625a1840f3e45ec131e4d61d74257d2951d834c25c24cc9ee468e8666daed23cf3044529683dca6f89deedbfee5e1934207

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
63e90251b70891ec8e90b316a7f4b572

SHA1
9a7e4e3bed1e0b3a112638c380d61a8dba90a0cc

SHA256
0658fb9f1dfcde28682588319b57b537b297433f95447c351f37cfc8e32104de

SHA512
f635ca558faebe4db0d637ae1f75a37c64331e06db1a46125a342106d8f0ec7a89e9711178f7047d10c280739238dbdd1b464c8bffd6b7d39877a749a6ece79e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.4MB

MD5
2396b99a354f5b9fb608d7412188c59f

SHA1
18c44e3843864b65219201111315f0949a35c98a

SHA256
3b093c6bbd4d2b5478e889a9d85fa129c126fd76236b181cc363349a15e033e3

SHA512
e34bd5025cca9ccb09560984b8f2bc8d69f8fac8913faa1d99f553f1eb950a99825ed8a3c7a852abe6a7a3b8cea1d3ac94313894b4c9e54786a34840e4478f49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.4MB

MD5
38f489bd04596ad63e8e758c215dadbf

SHA1
a5aa645a428f87f60603c2fa4e0cb16e22e63be2

SHA256
2b75c6b7106beffb3bc07012008a21151dd23fe38eaa61f5c6f27554d31ce936

SHA512
bcf7fba03ad0f7bab3952d67f3d28f39e1ab22da73b7b9bfa3a53c98cded005c01954c78ef962a27d06a086f38d5522b510b58b7e4dba88660e8dab58a9fe2d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.4MB

MD5
388564eabb2842712c3d1c93a3511404

SHA1
46730747c998c0610b4b85223f4454d5068f3a30

SHA256
8c94d6e16390fbdff798f3b03b8d02e8f8ad21968005af95daa06938f6185c14

SHA512
527d6776091203fe461193f7fa570d2924de74ab58c23ec218f3e4ccdf60f8e671ec5e42031f623bc868dca4ada10b36dbe3ec13779cd303a0d663d364eaf01a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\keytool.exe

Filesize
1.4MB

MD5
2722e4c78fec9d954a239904a2143876

SHA1
c8106376bfb4aefbade64756105f29b6f494108b

SHA256
8c38f0500fc0e809a69beea4e8d8a080250cfb6c9e93b5634671a155d575a44d

SHA512
d104a44cb7e3ae48d9ad03ae962ec93aa20cf942f729c4103bcec9fe41785b6815f4212000b5d07201f34fc058295b3d2cc2ce6e1520185cfefe9c308e5c8276

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
1.4MB

MD5
517f5a76ec0f30f7b51f2fdaa235f4e4

SHA1
79ed9073c5d508649ffc27e9a607a88027bf2332

SHA256
a2cfc3c77457c4d6d8ca00559a1dd5d7c52d4a845f0de05a23b021a829e66e8e

SHA512
e25c540ec5630289e75ca11f3022eba6a65beff4f74ab160798850fe8a1a1983f5fef7b004b99e00dd8ecef562ee54587d0a6f3a167da0b65ece69eef7a891ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
1.4MB

MD5
691466d69459a7c5b1c21b4fdc1756ff

SHA1
ca8ba5fdb28c6a5074a2edfb7f8982cd74bfa603

SHA256
cf773d763940cc159488040648de602ad4b5734bcf91f2994e89e5fa1e72866d

SHA512
cb402ee8f08a17241796104b183f8af3136f17734787e07b44d6463ca1d048cd742893152b424475535edb0946e6bb6b44af89f5b5416e72926ebdc6114cfdb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe

Filesize
1.4MB

MD5
6012f2760861438fda2f5a89c4b845bd

SHA1
6a6853fb425d742ebb183052adc31eed5274a830

SHA256
4d066a508e192401e116ff837500a907debd717a03f00ed0044ca262d466fcb3

SHA512
93ef1adfe1a55bdca62c477130dc28ea0a9421f9c82650f104e534101fd7c0b29799669f1eb3e2b32b500372e80cb443d0ad9613953c32024f7273ae31e55c74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\servertool.exe

Filesize
1.4MB

MD5
901eec9309f8e4052a4eb78fab2a589f

SHA1
f0b51b87fb06de4edff906ece8d42747ce33e89f

SHA256
3533a6fc5382593107ac509b769c26311253562f059482c651fd9493bf0f165b

SHA512
7290273ccd12a45f2f1ed37f0ad11030a6ef348d3711d179e3d2a2829539ca87ed25173a679f10cba9db272a35f498341d6542de666d1fbb40b5f54eaa6098c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

Filesize
1.4MB

MD5
b27899bc70d6f6c02072c5456988972d

SHA1
345b5a4ae1527c9d2247cf0e10b8581343f84ae5

SHA256
dcdcf1a76b164983d3f7c803c29f36616012175d41f7dedf03846e24df0ea83f

SHA512
2ac342e68caaf6367dbba3f075d6013f900fe168476d3e1948d2424e717e64032a4d21e062b5c7df4852e494580b42d302b7c53886c0828967e21b940da2f65e

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

Filesize
1.5MB

MD5
5cfc24a47241ae28999f9f72e7c511fc

SHA1
69e0804e0a37c6dc54caefadd4a5b954dcd3af5f

SHA256
e2c301e6cb66981f511591a5a44da54386430ec957443d33e6f7ea88f2b3d0a5

SHA512
2d79d82212072a184fd6cd414ad6f7903e34d81556369527d542e72535fb4a1d11fb70133ee45863f216b38a5bc371803ab8afa90d3007120905e3c2a6fa6bf3

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe

Filesize
1.7MB

MD5
440f17dbe652711ce6bdec47cac297ea

SHA1
b1f58152c1273527652d9ee3df4c44c832462ec1

SHA256
3394b08f33aa3f6cfb0dbc2061f62e30c793e36dc6fc225303e2e1d21108375e

SHA512
ce971cda92b430d6b78666072ee19b2b94611b0c053ed6fd4a45d4239de309134bec36d9f0afbb2b83f43f97601a395457a6742369c663c717a43d675853b6d2

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe

Filesize
1.4MB

MD5
54692dc6c09ce8e5a0d8f840c35c5b0e

SHA1
c75fd832a615bf5400a39f5dc9eb4e4d1a20c5f9

SHA256
1ff262abe6c8ed370e2f8a3611746c433f123c2b4cdfe4ecc212b9168999b094

SHA512
b33e44e2d00462bc36dc300ece6f50ebb16f3528fb07a5ebcc7d1a0ccadd8fec392658aae472f49fedad0bc5906e6e026cc09eb6e51afcda0dab1fa9f1cfbc98

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

Filesize
1.4MB

MD5
d50fcd901937a8908fba4d1247436756

SHA1
412209f6ecd8af55beb91b6c3ac1fdf12db0e4b9

SHA256
72bc6ebe8d6d0fa4630678761a6ac190b8af50548e1fc12667bb0809768b91b0

SHA512
cb6cf296619f5881bed88479029cf4371625a2b9f36156f9baa94e434eb668d2527fd5539978ba90ace8dddaa91501f31df09d0502c254e64864df989d45bf0a

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

Filesize
1.4MB

MD5
8814eb0116bcd93653bc04cb7f4bccaf

SHA1
f55903f1cea0a8b552a0cadfffff5cdc4f249479

SHA256
bbecf863ebe96d8f98083b6d7a21be23487a3166d2f412dc1c7d8a47ff3b991d

SHA512
aff2b46170a06fb970e1ce8ccbf98f9667557f2de55659cdcc01e311ffb02c1178764d6a22bbf3587108ef31d5037b9b02b78c775deafb930a86cb69e47b39c1

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe

Filesize
1.4MB

MD5
46108300b68e170969607682c1137e63

SHA1
3fad8159b7eef12f57f2d0b4593b370ee2b7cc92

SHA256
a9480602dceca3461616a0e0b398a4161b2867bd45cd8ee14eb1fff14f2f5201

SHA512
0ec337ae4098cf3720f42742524087c23c11feaba3d4ac6ed236abc376ef96f3fe7e7a7171c7a7ec9bd3f65e20ee8417353f716107da84449f2d618472e3b4f6

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
1.4MB

MD5
aa978705e0565f530d870e06c8ab7861

SHA1
a68a78ffef86c482e1be060709d0f400b166c371

SHA256
2a46ca0b8a17561f50b266ec976db0a42f8d60a3b0b00354ba2497017c6fc6d3

SHA512
eac780378ced0f66d1befa1ff7579255eed2aafc96ecc9ba27674fa9c943978365bceb60271cdb2e7e0e1d1604673975aad5bc04504e1e1ee88ed05af2de398e

Download Submit
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
254677800cd5aafad72e5a15fe7d8f3d

SHA1
6db38f220e1dd1d2095e9da1a5a8ed59c559f393

SHA256
4479510bea491e2d24f41f0922119d6ac896d570dd015ad21797f9fcac911f73

SHA512
6998ed0526a8be9f73600471fb791b063897c6282e4767fffc46545c8989bc927fe3f998ab2f2d8c00e8c0cd3b2b0b301e378d5d965b28ccb73303d71db7d3ad

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
45bede75b197f61e5843a255e330f3c3

SHA1
c4a6433a5ddc2fb7b7647253ede0b574f28bdd05

SHA256
96f5f8e852978874401a2d64296305f06829b593b5f98a26eeefc51e483463df

SHA512
79d9b71d6c59b7c42ac2d7dc4c43aec5cf24213c42e2553a8942529d82b2aae8cca3efe314ba23f99766a033566dfdae6513bf22211244f3a3da3ae7edc5d515

Download Submit
C:\Program Files\Java\jre-1.8\bin\keytool.exe

Filesize
1.4MB

MD5
3d2f994e480f6d77088ced4d027a10ad

SHA1
5ff26fbe3d4d4358ce29e510d3f39d1407bc5254

SHA256
d4234d7f8b19e50046f633852cc78158c56e45f984e98f8077e9a154e8f43af7

SHA512
aa5d54177b9ca71d4d838196a3b65da4bce0b0d6d26c3c8bb390b1e7032f94cf95c84c3d887c533347a3fa2b08f0cbd99641668c63e0df292c365014a1fed60e

Download Submit
C:\Program Files\Java\jre-1.8\bin\ktab.exe

Filesize
1.4MB

MD5
b4c240d606cdcaa7482332c27dca16f6

SHA1
323bd34cf61b89a0924cefc00d34777b76198134

SHA256
ee0d19d08b68c224d5736f0cdafa725eb2be61741f7bd4dbfe28a5818c579cc7

SHA512
71bf85836b6e19e9a360025acc74ed3de289b28a1fff8a04db0a44ce521cae4cf964d2ff5533679f88f34cf148bc1df7b298c75ea325a610a3c0ffa103b51ff0

Download Submit
C:\Program Files\Java\jre-1.8\bin\pack200.exe

Filesize
1.4MB

MD5
edc20df46e3789ca0ba90204d03b5d1a

SHA1
ce03dce9a335d7e50d149aa4f20e5ba087df4457

SHA256
279d5171569c6ccb747212ad1cbe1b2705cacdfd92c92db7ad0fb4c12afc2476

SHA512
e8f2dd219ab143235a9ef107838e38d300d582e42e17d715522a28c10d25d7befeb638bebff1749a932519317bfdcdf0ec091aa87f836335ff0f6e4b309d0cfd

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmid.exe

Filesize
1.4MB

MD5
6468795b4e8ae7a8750b467cb13cecfd

SHA1
7e1766b8bd6b4658150d232457469082d8c52115

SHA256
2cf4a93d7b35d86cfcd3a34f157305c910ae31f86f5be7e2514c34b76ead01b6

SHA512
5517e568d0c69a715163633a151594d6f90c8562bd1186893b585d14424df510bd0903019ab50c262efa0a032a2e59621ab5de50c3afef5a10e0a91e7209ee18

Download Submit
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe

Filesize
1.4MB

MD5
17b81d9f0e1665c9f08bb7a7220a3d8a

SHA1
53bd59f137b0d497f6d3d63c10fd5e334c82e146

SHA256
53c276b447dadb7376a9ea4c76038d29e646e64bc083c37524237fbe5231da06

SHA512
c2a5af4060615057addc2cae97e5bced1520acbacb0dc64039c98c92a04f05dd458ba526fa37bdf5ee6b3d2713fe9194bf5c9bbc47e74fca621ade6ed0262675

Download Submit
C:\Program Files\Mozilla Firefox\crashreporter.exe

Filesize
1.7MB

MD5
96236fc8cc30f8e1d5b4b98515407cd0

SHA1
1ddacda1858ce0557d747e67cd364fd830420d52

SHA256
89d9a7d74396da75599746411a2f963bcfb8d9eb0298294fb2a99d577e2891cc

SHA512
68d2349d2ec488f29f7c589bc26fa92ce27343a861fbd5df11f63854f73a81f92d89934cfc21ccf4df51dc8ae1c580127e4abf5b1d7a20646ed30b73f93a359c

Download Submit
C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Filesize
1.7MB

MD5
5874da80ca6c1e2f43ab14e94333e2c6

SHA1
e55682aff906c4dff93442ed119d9724352ee4b1

SHA256
caaad83df013b285521c5a8832eec0d04c499578797df4830c1666d2356cf79e

SHA512
f5b102113469fd5f4cec44d2db30284a516a0f7774aed0e0cca6ac7e9957b671443c311751dc369d1dfa77fb35dc7a0cee9653ac5b56820778b11d6baff95a6e

Download Submit
C:\Program Files\Mozilla Firefox\pingsender.exe

Filesize
1.5MB

MD5
6115b40db52fa02c74f5530180947dec

SHA1
5654cf0e62d68f5b4d8fc45d7cc5ab27a6ac8281

SHA256
5593f2508c5a15f39707f9881b37eed3f03575a4f3316e71be06930588a1f96e

SHA512
419921096edc086346a7375f21038b3d41cb6fb8077edc0ffa3ccf19a211705b8c23bc14491d3c2d854891d68eb4fe9f605a6a8977df72c555fbf55b7bc37001

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
64e4f6660f4eaee399aedecab4a21788

SHA1
cfbaa0a6946dcd1a1426dd7e8c1621decb52720e

SHA256
9e607e95280c8c81da937dc3b4a1da88b8b131490bccde47d82dd02f7796d880

SHA512
e936e8a57a3b47c8c44432c6aaf8bfeb4890f6919eab8e3b6d39035ea674696f068970a1f56d8f20df10f63af93ae03d3c6c3370aaf6fa629169218ed7391ba3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
fcd05b6af17f1c27175eb2e0abf078e3

SHA1
f01fea38dcee6216d9c6926e1cd8f305198481ef

SHA256
ca95969951d8a16198cbf9ae0537acba070fb9ef5687f446b7d2ad294ae2d310

SHA512
57f7daa3cea44c31db5d14cc6a4abff587b3242412a7697a68bb29be604d3eeb8d45d174deff9df36624e05780d9715658457c83fc9d773bd94a8fbd01c03b92

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8fa5480750c43f3ae17c96400f0d2fb6

SHA1
70f6bd2bc632b68a04f57acdff8978b7f9ebc17e

SHA256
1a099776baf0cc298fd90c736baa588065b3483fd5c5e0d01b0168e84f464c7e

SHA512
7832eac634911be08f3655f95979406f148a763c3bc08cb9cbcc06f3c097986da6d17f9082282d357c33f516fc1df0b13d0e1fddc4289a2659f82de9d82f534f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
da2a0f43f379c0bcc60096ac9773069f

SHA1
aa8a45cd96886377eb326f59055335a1b18511c7

SHA256
2eecab0b60e870f83d6cc80ae71b156694bcb25c6be8ff1c5965a3edf483f8c1

SHA512
e73c0ab3cf947f0a916a59e7d2c26a36496a167f637a9674b89121e7c2193dfb402463ca1e9cb4101306ce798f806c104be2d486d0d4a7607edd96b73a786fb1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
535c73e65e9b5a00c47f67c70ee66bff

SHA1
3c77d0ea05ce1935faf898b58fe797f921b98288

SHA256
7b8d0114b2b6f79115d34ceb2cd1c706ec720497aa2c4fb364683bb7398927fb

SHA512
cd36bd7b384203ea6d1c608e5d609c9b511cc0e036e80a228f533c27bf517d7a28ba12898db5eeefb3181e8a2ca5927d47d7a4293eb214894dc199156001d51f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dfb459df5cbb22a1e4861998ee4c53b9

SHA1
66690a40fbfd73c1afa2ee3076e592acf0d485bf

SHA256
646b30424fddc50e4d7ea23dcd550d85ad4e620448347fd242f6f3816b3e7956

SHA512
6c38e1e2f1005aca5a1eb46504a2e3bdb6ca47f186d47725adc31e76135ff51f2ee92d52559f0ab3f5c1bb1bcec3ba234ca79c656533cf1c3aaf1a14dddad4dd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b8ef270a23b7d7d1fa24a26231f519cc

SHA1
ae59ae36682056cc614d9e03eafd7faecfe862b1

SHA256
24b8b33be81657837bb06f5615f44b5e188cdf73c66c78a002f6565501ee1238

SHA512
81fe233e7b50670f5ee0dd35f417461b0f2d38f6987aaa6b66fd15cd3e4ed2fa276eecd2627b492e8abf6a30fe2165badcbe1097aa3fdc58980cc52deb53c59b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a4427a9387da2606993ad75102b5bc37

SHA1
43aa44f55fa29dc74b87ab22ae09a53385364249

SHA256
55224abbc23cae34d47db25f493fc8c3f500ebcb407349f0b8f305f3b1582647

SHA512
d6ac592fbffd207ce1cf3e5730f8f89b08a5d5e76fe75fcbaf6b14d100e4738957c2ab42be7fc4e88aa0f95b7a9c31b4b850cdcae98d76a6d926750566f8bb81

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
989dfcf42a24c5ee741d57332288334e

SHA1
85937d08968e75a9e09b0c9564147476f2b4b29d

SHA256
7df7bf972773e16f77a7dbf770ac54f938abe579ce7599989e42e9180abf22bf

SHA512
2a8211377cd1997879c3096d85b7554bc79cae83d4fe324aeb08ee1e97c7b00d686647619c192836185fc8c67e50834cb4c14b8ceac686687646a6ca6ef5522d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ecc3a65acd012331a97ac372ad30af63

SHA1
f48dda92829df664435234ddf27b1684e033271f

SHA256
1eca674568c065671de76a733fc6a515445c8be60f29abcf3852e2f48f56c05b

SHA512
7a89c3199b31d370be104e8216cfd4991a50a83a3c0b4832ef73b421db823fa7541cb6e4d4074f96473cf34776d229a63d94f5d1c17ee015e6ec1730876ebfd0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b54b59a9ef6184dce0f1338d6f495d98

SHA1
814226b31466176bfc27e2e609ace0446cb6ffc4

SHA256
8b3a3a218193716acd8077542d63a2a1fa9729f23dce1696ede88070631927df

SHA512
1c77cc3a75e921ecd713caba1f0614a7090f79bfa3cf30b94a50f77d82b704617360b0543072cf73697fcbe149da0f2fc119abdb886bd3befc91337b6398893a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3705d415aeb9be0c9a1280e717fc5f9d

SHA1
b5d79aa3603f83bb0e59eb83f93f3deab8cb2b96

SHA256
5699ed211b015dd2f18d5aa0146c84cf68be1c226a89daeea14f198413de77d4

SHA512
9e5de7a16a5ecca6b47374018f7c7e537e63a6cede810d73715b3e471b4a0670e60f63a8a22ca1a2c8e087b8f2e20cc6e7a66cd1e514455738c0bca57b8b862f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c720a94ff5cc31b96e933654abe88735

SHA1
f9cff0651a1df6561c123ed7d8d656163014182b

SHA256
7fe0539aad1d69b7b199cc1268ae4c4825591661f66e2c5aa8f23876864d167b

SHA512
e73a09d137636dd6d80082ac2d65838b1576ad4de3227984868a2dd7aeee06c5f842d319dd9f9b7be9b9f9a79467f413edd1c29041701a5b800ad764296d88ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c56616f22881855b51ee0fb9e3017a1a

SHA1
86e1f949455584195093f0b1bcf4da2fda23b67e

SHA256
de5db48d3c8dcf7a031e9d66d8053d1d572286ab2c10eb9ae07e5f8f0db9af92

SHA512
dcae60f0d9e54f2538844d5896cf1978b421d6153b92e5b70e320acfd2f55a694bc12bf34e9331be4b32111f619ba8502fc71d31ebd8e30c74d051b93ddced05

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5b56e336d276b4e56827f4d933eedc1a

SHA1
1bfdb149421e2f145dc2dcd86cc6564f59687130

SHA256
9afb5940ba3957d65fabe0a4f31a435e8ff17b5376ca9318d294195717cf7239

SHA512
f3b278ddf96edf2b5e028aecba88f7a7bfa7754382b0ca47b5e452968a7e8c2d4881d38a8da00e4719bbbd5845f25c547a89a70ba2ae5c4f47c3561fb8839bc2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1a518dec16726195dde97039f2a34f25

SHA1
68c38c067cbdf26e20921c5e76faae7c6cd24b8a

SHA256
5b72bcdc3b2c39f911737c4a416b53f23821a1f96f6bb128688b261106892e23

SHA512
1d6a49f5c2d7242b425e4637db2d5dfe461aee0f002280442a8e8a0018ae4a7f4969bd1ff3ba66b5062e98f0cbc006cfceb38a4e4051ab3212b60fcf547168db

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
8df96ecfeb46e4d28b46c2deead01f8c

SHA1
7b6283481011bd28afda0c45b582c5fa2874485f

SHA256
f69097dfa43c160db7269f8ba503dde93595710a482356438066cdc56d9b7b12

SHA512
8a8158c29466bf8b38f9678750abdffe332570e5e99abe5c1d991c340bcccd7d3d76b4245dd222c7a7b099805ed872053411148b73d299136a9c3ce5879ce84e

Download Submit
memory/320-529-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/320-186-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/1160-0-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1160-7-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/1160-342-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1160-1-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/1160-105-0x0000000010000000-0x0000000010180000-memory.dmp

Filesize
1.5MB

Download
memory/1160-6-0x0000000000B90000-0x0000000000BF7000-memory.dmp

Filesize
412KB

Download
memory/1332-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1332-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1332-20-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1332-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1556-47-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1556-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1556-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1556-53-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2700-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2700-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2700-43-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2872-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2872-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2944-248-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2944-115-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3040-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3040-96-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3216-525-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3216-167-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3356-229-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3356-112-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3384-533-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3384-249-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/3468-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3468-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3692-530-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/3692-205-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/3948-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3948-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3948-25-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3948-137-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3988-146-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3988-428-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4092-134-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4092-261-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/4108-262-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4108-536-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4112-534-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4192-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4192-417-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4568-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4568-532-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-73-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4800-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4800-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4800-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4800-85-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4820-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4820-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4820-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4820-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4984-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4984-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download