1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
Size

625KB
MD5

ed52e4417081f0ab8e3a1b42087f17d0
SHA1

f7136c24a0e4aab9eca6bb9524c90023c3d47bbb
SHA256

1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c
SHA512

43d535d7c9e396a34a4e77024501c5dfb822bb260824d3b5024bc676f12e21b420b72f57cb731746586dfb8c91604f1fc126de5f7ba26c2dd199f2d865aa3faf
SSDEEP

12288:W2c+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:zdMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3176	alg.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
1600	fxssvc.exe
2216	elevation_service.exe
3876	elevation_service.exe
4700	maintenanceservice.exe
4252	msdtc.exe
1060	OSE.EXE
1740	PerceptionSimulationService.exe
3168	perfhost.exe
864	locator.exe
3024	SensorDataService.exe
2980	snmptrap.exe
1624	spectrum.exe
3852	ssh-agent.exe
4628	TieringEngineService.exe
208	AgentService.exe
4444	vds.exe
3404	vssvc.exe
2652	wbengine.exe
2632	WmiApSrv.exe
4676	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5de264dfc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bdb5a0c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a9bdb0c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000458f4c0c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8afcf0c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000980d2f0d36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e7c390c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad1a180c36cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002667450c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da52510c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008255130c36cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
3016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1344	1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
Token: SeAuditPrivilege	1600	fxssvc.exe
Token: SeRestorePrivilege	4628	TieringEngineService.exe
Token: SeManageVolumePrivilege	4628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	208	AgentService.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe
Token: SeAuditPrivilege	3404	vssvc.exe
Token: SeBackupPrivilege	2652	wbengine.exe
Token: SeRestorePrivilege	2652	wbengine.exe
Token: SeSecurityPrivilege	2652	wbengine.exe
Token: 33	4676	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4676	SearchIndexer.exe
Token: SeDebugPrivilege	3176	alg.exe
Token: SeDebugPrivilege	3176	alg.exe
Token: SeDebugPrivilege	3176	alg.exe
Token: SeDebugPrivilege	3016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1620	4676	SearchIndexer.exe	107
PID 4676 wrote to memory of 1620	4676	SearchIndexer.exe	107
PID 4676 wrote to memory of 1848	4676	SearchIndexer.exe	108
PID 4676 wrote to memory of 1848	4676	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bd08e5458fba0f021bb7605f6b6e40260a59d2152a04e24804b082754e95f9c_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9d1c07cee5f279beda883174d6107f54

SHA1
12469bec20b2b89e7ecb5e2a6f234716181c2871

SHA256
1733ae0825db1f8b32645981aec25220eaf25fdb793c2be0b0095656c3771b3e

SHA512
60391f3b035a12ee98689f48ec5609fb4f6affda699398fb2acd13052f7000871eaa808f40bdf1bf01493969aed783c1491ca9f5675bf7d2b11ca28a30f9c475

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
adedb449e29529e9f6faa2e1e4badbad

SHA1
4414e47f74c6d1e69842c3183f35bdf0278d42ec

SHA256
ac39fb5fc199712bbae3ff990a67160831f21d5368fc01688bd4f506681dca53

SHA512
a812b87a00b8929f132424126ea4eb4fe36bb4aa3166f566e7e7571b7fb7af44590e58c5f0e691c85cd858c51656e2df1adb7f00c208983d55f06b03f01f033f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2da9a78e556a16378e51a98d3231e6d1

SHA1
cf06819f1b94e08f0af10b4840425fb7a57addf9

SHA256
7b649a06746be9061118737b39e84a647e597cac66d836ba461e6d177df19ddd

SHA512
1491a8901aeb386bdb4bf022b49e31e9528f36773480a9283cc9089204033a864f29859f6b9492152290ec18a11817b546d1df64df0d0bbdad60165ba8964840

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e337cb73769ea6fe7fabb534b5273aa3

SHA1
3b001a28b1bd8476b837539f6399432fe50537d5

SHA256
dd4cba434955339d9cffe5f4fa1b3c1ad1e5c1dc18f101b98e952b42f03422d0

SHA512
5e8e865e865bbb49a5438171246d27a66d476c8b342183a73fc13ebe4f2793ed14a64fe3bdae0a845641fa147ae9c9f700cc8b2da9cfb44ba67b9a31c26b491b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ab8b8caafde1ae3bfd9d1615c3a462e7

SHA1
4d6ea6654d3b5a73a5608751e9e10ea5caa45108

SHA256
1c5db43cd65cbd98b0ff956602a10cdad1c2d4851cc0dcad505f3f446a95731a

SHA512
1ebd859a5a8714747935602bc32b98d61241b909f4ed9d17f7469d7b780b74df80362b68c77552768317ee9593fd23fb6e620c701e03ee0a6e5e794b64c8edd1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
378140009b2c1e29f6063f517014e799

SHA1
963cd49cf95687bf659bee1f5642b57b0ca4faa7

SHA256
adcfe59b860c4f7f531610d241ca9ec58efc1b64fff37d29447cca89755e827a

SHA512
ebd24767a12bea56738cd5b91632a6efaeabc7730a21c7842544cd0f497f8de6a3c427d9ac1a52188a3b2cbfb922ef9e026cc2d73c26d8ccf66cea1ca45dcd2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9b579f4548ddc8c943ee8daecac9501f

SHA1
244186cbdb1b800edcdfe908e4a6585898d66ea6

SHA256
0c1492bcea9df566b061b92d34fa4450a47c3aab81000ba9dd6cc9d68ec3c437

SHA512
e0f3bcd933643d2ea280fc1624e6d6cb7c1b09d3e6971e9e9b926a523769e55c86026a382d4a1e9d012ee53c44f24b7e08012b72c423aab9edc0c50319589db8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f8914621e2674e6b9523574b235dfc25

SHA1
d79847806e92a5760830a5077a88b9b9eddca640

SHA256
586bca9ecf4056887f6db8ebfd2fa563b39e6eb64c01df327ea3dda124dc3cee

SHA512
7b844956274e5246ce75f96f82e8a54fa552da34d8bdc2b30a9b4b0818d522bac09ca2829d35227bca698293b40cf547e1d9e4667ca55839a9357b60dbb6703a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
51169832fe5b635c22b78db9ffa3b13f

SHA1
7c50f1bcd1cffbc85855af234843a41afafb8dde

SHA256
e30dd425d028eb29083b09238f100d04ad8537745ddfd3b8c1a2ebd6b51fe07c

SHA512
4877de0bbc3551a6ddca4ac9a86e0ffaa150938c4c0ae75471f1161b44e259352ca656fcc969fbce5f09efee3fa2ede79846cc361ffc19c11400abeeb4d2df5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dd17e1f377cf23cec6f2ae8d7cffa3ef

SHA1
979a21de26df3e78914ab32646d0cb44d660e94e

SHA256
de974c118fd6229b96f5fb468939e64914985831745bb9740c9a607b5efa7270

SHA512
4cf60c0e48dcc9d1bf288c4ca652656a85468cd251dba87a7d735f5c0ae6c82a462a5a0f698060ae53925963483462dbe1ad705333aba9c9c74aabef8dc86b8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3419b84be7f4400d5a22e23636fcef28

SHA1
0478873280b94bc9dddd1f050d668871065d4c58

SHA256
3ff6ca7b455918b90345499f3b5b77ab66aa3b723af0962f943f7386747e279b

SHA512
27c421dedb2984bf74f7e3210fe1ea104868e41c25d031dfe0bb1e61b7d5a96b3d1f26b6e6d599676667524af1081501ee9aa39a12edab98939cffd55d26bb96

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3f324c8e07d62c061698ebe5ce85f3a3

SHA1
1546f525bef44b1f85c8ff2db692bee3f5adf7e2

SHA256
ceb0dc1e95e211ff90f44f41b31e080e9593137fc82d377f049073d072e51a5d

SHA512
825b49f712be73cf5f7859d18949dadb966009cfe08fe1ca5c527e25a02c54b41a986cee179651165a3016092f9720900ca287ee52e87128eacdbca9e7f2ac7f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4379c238c0c8ad2886059f5e8ab29904

SHA1
926155481631ba597fe6058911d9091349ad5c8d

SHA256
9d4818e2dc1ad20fc57dbcfa312d3625a3dd5ea517b2a38c4c0031ce84260abd

SHA512
68eeb55bdc7a556f2c135b69c04147605d76c6b327c24bcadf0551159bbe06ed2ba0c391b7b01ba65d67e0aa149e84cbdedb19f0c1c6bdc1f27eb8083ed19578

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1130fa62295edcac4a01867157390ec2

SHA1
42131bd851099427faa9afa5db24bc5b501a27a2

SHA256
e51d6adbd69adb17b57d1f6646a33e718b070a459c8f6eecb222aa957afd2af2

SHA512
d50d6db970bc8c801305b31814ae25f388b5c18931cfeed1c5e7bdb381792e75dfb5559e806b1ef144c8a9960c48b64362001571be998bfd3a257f9833a0eb66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b53a412dc692871eed85d4a7dfd6b5cb

SHA1
b13f97d9ed1b789a47a46133db107842dcaba6c2

SHA256
eb2c76d1784e7335bb3ea363f7e7d4671b394301035cff9ac6544769bae4ff58

SHA512
6522a82ef71b26a8976f6e7da62a0bbc814b262e8352731c461cf00dbb7314f79844880772f607b28826e3bfc3da853a64c5fa5e56f0ad1792f73abd1a822881

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e493702e7f609118348ee10743d32d4c

SHA1
90aa83bf875a700aa61faedb279e2c1913547c60

SHA256
9bafaf10d1b9f68185dd68517cea0fd28015b76c490e9734f9b074d3ad319f7d

SHA512
d9e3f1e61079ba249301579a88ea0db3867fad2a3b382562ec67d20d736c5cf0503e5dffc9482621fa50fb6e3bfb0fcec1854ebcd8877c890bae3a94785b13fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1faf915e26a29efc26c32e68273fc84c

SHA1
b5d6237668605b5b0c7ad6e7334644949f3c98f6

SHA256
856338d171f0d0807cadb1cda30abc9e741f9fbb0c3b665f51b3ada52d229c27

SHA512
0dc74cf1986dab419c6ded16044ab356bc92166415fae613c7a2df8c2a90c255938b6fec37bc95e8660a16af507da1ac9cc21fe8cdfab6361c0338e05d68a09d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
58bf13b02309ed8b9ebef5a659ea47bd

SHA1
f8c8b952ffad05f719537e3a2af2eafd6fcaf2e2

SHA256
16092bf75657038d55177d05a068d70d52fb2ec2e347cd269a94051953fa2c98

SHA512
009a629c70364e4aafad33b490ff11f9bfe0ffae3bcad477b814f68ed18b2ccc75f28fa0d74cadc73e1d6e847e319e31e3e7895a1b65f18aaa978e51dea3d268

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
20149d32b44df25a07804e1fc7c8220f

SHA1
d78ac9cbdcd3eb43164b0edd6667aefc09e1b52b

SHA256
2487210a7a87c4dcf298a3062d45bc795dc6680dba301553bddac1203b097505

SHA512
d6f5d7e455a10ebd538523a5cbdd53b20cfacc1434cbde4049bb5c0e5ee7f69752843a44bb080d4e3e9c4f76a9aa3c53d0e3c46a3079b263c419c63cada7321f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b2099683a3091fa5ef1c3fa4e50f23d5

SHA1
d8b94c1b5cb1892ab5b616735c5cb10790dd1567

SHA256
be100706847ed19cf27e4b2b41d27036ce4442c2b3b80eedead9b5bec04ce280

SHA512
5b121ed0428ad27290c3dbf7d8f8dd1b06f563327909a52c897dae6436e1d6410da7c3e7cbe5d713d89ebb7709f93c2d20f9c1c517560f18623fd52190977adb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
82a7fa7c8373d200996dc91be9377505

SHA1
487a45c9911f3943cf0eb04e4e1cc759405bd5d6

SHA256
d33db47dfa18236eca4cc267dcbe57f7346055727a693100db1695568524635d

SHA512
94f317330894c0a525f6134f3b1b9bf452af1a6c01a3ba8574cff564753fabc70d886a834d183b94eedda9b184facc63622be5cc3fc2b34153de0e6c99a990eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e27fa1bfc34c57437b84b34c700f4b21

SHA1
7a8b78073eb4f511308d7dd2e469f98d509e7073

SHA256
6b81a7507c9fa019747da9bf3d54319f88792e58da6bd00c15853079476119e5

SHA512
e6702b41b077bf2218d25b303de3e3c5b039b087a85f0a51a33741081becf484aefbc6a92b43702065221b5ee815fb5d8da92a09a0dca6f4447bbafc8ea11cc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f8528a14b46654332db6e75d3e4cf969

SHA1
bd76034ad2a5026dd9647b0899fc5472260ce3fd

SHA256
249dd602dd403ab04854d0ea4cf49aec4f5e8983f2cf60b3cd826e1e24509b46

SHA512
2ed530c660b75cd3b9d26b8625581ac4653e4ee6f75a43ca22d56bd43d48a4bafefb40667db0c5332bd68e6dc5c2ad156f984876ea64f345d4b7836297f99469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f89e4da0110d027022502ddd84236d14

SHA1
abb622519899c9ccab3ba038a4e4faeaf3973fa6

SHA256
2ce4d5f75039a5894088f3526cd4e79665f5c9a1aeac18c9aa0215d3b1b55bf4

SHA512
6f7667617777f92a74ca268fc77ed2b44075f07e55a26077de96ae4234f4d89f4b5af4a12be40ce2ccb620e397760146a14eb4fa25dd4dc3ea49736b1ae3b83c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cb7d0dcf6c08a9dfdac53f4179015395

SHA1
7b445e538b8ff78b127f4a2e58de9727715ca04d

SHA256
bb0dc01de771828097fa3be56fa2905af33e0ef7edd6d9284954d4d870405553

SHA512
cc31c48bb7970e178c286c5235a33bc52dff3d9a8a7ead3002640ef70288a054b4d729da533868604cfda6bc7596a0de3a99fe66a5048e4d428ac6115021750d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
05a29ef8f87f20d9a340c383157f5da9

SHA1
5f18299958cfb72ccb6125bcab9ae128a0286eaf

SHA256
41d9bfd59c54a92ff8320f810ca1b15b65a055307316f9b8cba7d34eaf70ca37

SHA512
4382ee899c11382a41492265fa1bd7125e5db52cbd0e81e499157094ea4eaecf8b7d90f2be341281e7e7523095a56981449eeb62a00a70bcc4948e0407510e54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1b1df2789a8c5ce00588aa6ef4a7c53b

SHA1
a467b7ffeb23fd014820334fc55c39b29319e64e

SHA256
01656c9a41995fc66c21964f5e6bcc20b6ddcf6781c127991c482ccf3e22cdb9

SHA512
b487183b0132d657351701fede9ea83c42f24cc0c766a3d881d5bb4a9e7aeb5297c32ccc5303581804c2ebaaa06002f2d6caf53c1b394ecb93094d8aa6b4dd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a8846ef3593ba4b403018fddd77e986

SHA1
c6cc7817c28cf9bae2fdc088558bbdd4ac4c811b

SHA256
5d3f424ab67fe507b5d3acd8ee8e4696f3646e16a85cea94447cd3982ae55ac9

SHA512
961e3be5f243124a33c302f351d5ec4b758d4a6e3d3fe50a41c6ee3385928f667284a9ef78d1eb2d554b2ea01059f119e2a8065a07beb74461e1922c49265072

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1cd9c16a58d3142beae2736f3a4b160b

SHA1
60797f7f742e8cd207fd8e22233d564d67ea6ebc

SHA256
34bb30be1b51ea0e4b57d9e7eb1999f3dd5d2f7baae355dec19e730a987915a4

SHA512
0405f7d014db9bc06f49fcf4105b6cd8a0ba80fab461c0c885f9f5f4a84e7dc3944600395b74e39e038edf5bc8f26b8f20b7f8f63b6c3769360cede5085d8efc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4d2e54443d965e58f555092239304f30

SHA1
f88cb7f29b337f15ac9da30cd0891d1bc3d02791

SHA256
ef075b0ffa844e1958545e53c26b7b9690bf14efdb62ff1642547742ab1db897

SHA512
ae48c0f606806f8c16720ad79bf308dfc420b42c891e9baab40eebbbd6b1af52842e489cd344be97a07e630083da20e97e43f8d4f9eeedc42718268b1bd21430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
18a943d02fd246574d0cfd601526fa4a

SHA1
246ae69306ed3660c7a050b91e84b9986bdb9cfc

SHA256
6625303002c9e19eb2005a7177e91d80ee86161e23a8d3dcf6d90a05f3be93fb

SHA512
626565aca238aba41f0d37270072994351d4f25312484ac099fc1102fe3fc371b42577ed6febc3d0c9d6d0d7e4716fc485b0bbf6316b2e9d1cdc259be9b83dbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f8175e1bc0a690e76602489c7a6c73df

SHA1
7f335b5246be8d6ebb03e36b0477da535a080455

SHA256
73610d02f7e2e8ab0436536fae0c092b6a2a5452b807107a06b0c658fa8b869c

SHA512
a69539ad285dd99c7f95cad34ea54f80010778ab642f2d4db590dbe99e2e121698935845d317e5a7e40d2eb828df04dd8e826788dd9e75b5cba2e58e210d95d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3209944eb562a985c93b8a0c9b28f3cf

SHA1
f83dd1de3ee681ba15b85517731a8c9cb3aec8b8

SHA256
2eaa594563ea31aa51fe3aa3dfd59c7763fb7f80b9d03a9bc4be8f33bf3a4f7c

SHA512
91ed4c438883d4c763827db3590b514646e075ae3455c37c8ea40d62d44682ea9154ec45183da0e2b948cdf44cdba0de0a9e4fdd0af3890ae43b585960906643

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dfef3c460cd1051820ca7fb8156df121

SHA1
a093db009909c0519b5d147cad14ff08942220c0

SHA256
4339d5d9a2310a9f46fd6a7784d5d74eef0d29166fd489605a8b81e4b9dc0482

SHA512
91e08085655a358bd6e38396ebe880c1ba38ae9504a82b8b48da7f7ac9bc4e7dfe45b0bba91f4a9d59006f6e3b167987c1c3674df25e57a5eaa734c9ba5fbc0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0718d63125b5c33f85804d4169ed7a64

SHA1
d266adc790a9e2a205e21da888878ae93fe15365

SHA256
99218bf6bd645a57cc6b0c06e0fad4e7992ecd10ff8e89461e4642b927b204d2

SHA512
b72f55e9a0a88d8e10ac6341820d157ab90021d66b8082d6057381d42128de0ee2a6e215d11395fc2cb09ebdf999d76b9f5dd11b643cf0ee50f48725aea5bc6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
93d70032145fa0a523488664b1770dbf

SHA1
6fb4a973a71b50714f952da7c1dd1ea7a324d30c

SHA256
ed3aa9b11e3688b9c569bd30a2d75432cbfb79388b7cb53a1a5c983492d88bfb

SHA512
e5f4ec2ccfdd9934a180a09f196f861da61610f9a48e11c594091a7226e4b4b10a4027f13d455d14a5951657e69462c26967cb8806b571c0e4358705f7afb653

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9fc3ac2ab02f0a067cbd666dca9dd9bc

SHA1
9223fbc4fe64585acbf4ce8a5105f832d2c64788

SHA256
48878ceda35ea076264102a7a7d646319af29012500a88afbc58c471d5185647

SHA512
b70531b211ee1751cccd5c65a9a90f5a453de4ea0934a1c4b5f1da2f51e76545e4045d688aebf134acd0dfd67f4959c33a578fcfef1deb80670f9c6a39d0ef65

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
36e03a53a0bea41b581d5ad1ff7a69cb

SHA1
0bf656c196b2f76f0dabac4437a8918b0504efac

SHA256
14ccb31095867584cf98832a1eb48ca5367e3cbcb0718ae402c392eddd50e953

SHA512
b20149fe97dd34dc946de5e4433311aa54cace2136891788ec159336edabb32bc6ec92ff583541569890f92f5d3ccaa6962e58fb686ae6e69ef6f594e1da5882

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
add0dd715caf0509ed03a6429e306d35

SHA1
f4453a28ee9378df0db695b47272fa7a4292eed7

SHA256
87c41b114d8122e1410e11ef17b6ef08c71fc1aa336176db07c5c756437375f8

SHA512
d4820db1f2ec1566df8f87b525a97bcfbf68730a616850ba71fb4b93ef476af49c2c691869cb74d2eafe7411acc54027724321f9e65678b05122a492add214f7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d4105cf59998261c7ce4cc711f5e3a0f

SHA1
eb11632c19af8509f16288eeab4bb11e86eabf83

SHA256
23f62daee72360389354235df4939888ca439a32e45ebc23f876aeb71baca420

SHA512
97e134ad5e1efbcabceed6123cd88b5ab3da57e3ec07f12f7be08078afe79c0ad952473d19708647e24a4389aa59689a5b0c40cf8fb6f064538bfe8253f80d35

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0d5040c66acfdc1c0de1d6b3bd47b6fd

SHA1
e152d86745487321d22b05b48400c31bca7f424e

SHA256
ce4b961db92cce63cede1fe4e54cc0858a0f71bbcee837209c5ee1f47a3549fe

SHA512
4d60b5692b0bf8915be48e36aef0d691ae427c472198118e6c8ebaa6005d1fba694efd93bb64410766954b00d825decefd6b17650cc47918e12694de639e9a91

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fde239f4e3cf6e4e32a4d938f7de2aa7

SHA1
f4c2f97c7e3bb137396e38808a0d4c7d91bc6fe0

SHA256
e28a9f0fc39347018ae2edba243c545850abfe80d955197219af1475882c432e

SHA512
193fdc68f2a2d2d15ada4bd1d2405b776e59403c4b06b66e1ccf5bda1f55890d9705de2a0cd6724622e217dcd6bf02fc39c8ef96f70fe533c42615c5766d6c77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
13f09378aed20efd33e7e1c13fadc711

SHA1
e65f5f7a0948bcb88968511e2d9657af8c2ea756

SHA256
1505abff14681d7329e211764431d6018804cd98d7ffa57ccb7cf7ad60bb80cf

SHA512
55e65becc15d2a06e9a5b5e1288d07e56cd064b33a320466f5f3e2554ce79d8211880530f84fbd24d15b7cf678fe3fe5a73fb9d525e75bd7055d19b896fc9f99

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ebf2d1b79a6694991e7e12d834f97e14

SHA1
fd456696fdf98dc9a930f53e82f8cfc128ce1368

SHA256
023ecc45f3b431939aa7759319ece18badb9c5580e987c4be2ff2d5d690129d6

SHA512
69c4f7ccb06335357e2167a39b2e87a10089634e4a07d8fc94a7a00b72873b91f313559eca017ceb449f4ee78ff55316e5aaa38744412ea6e7e55d94f6e18e39

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4c54d248fb35f05c0c61f9fe6bc3a8e1

SHA1
d9b46e546ae2458d8f1f2af9f3cae18a8f0bde5b

SHA256
4fb87024e601d3159b1833277ee6e1c561c669fe92f5378387afad789bf75b9f

SHA512
16436b759dade3740bf2b63fbe7599ea0af4a3400ae8cb5b429f7c6b2f04d0da5b0648eff1e021b931a7b841b5edb6b0f014b29c4e8519170bf4cd9aae5cf555

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d0079e627c4e345a39011c5d3a15eeba

SHA1
492c9e493decead5887b1ea378c16c1f89b2bbd7

SHA256
750fa45dc62092a213aea4d8ec2d6c0422d7ce3701b31441adf7609faa8c2021

SHA512
36298e88b9d618534a82e51356ff8e5de58b3f006fa3c1d13fa269c84f66addd85b36df99bbaeafaaa07ff5e100fd7af6f038e34818058b19d9da57a35841040

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9c17698e1247b5c2bfed35b0bf1dcedf

SHA1
cb0d085b522b727640753d6a03342cacae008e39

SHA256
46c9b5086a1232dee03189ec095168bd0461b7826146350270248b251e99ee35

SHA512
e151c4a05172070ebec685b8a8d90e85b4b055680565c0e63874ee3216ae885ea1217548265da862a9bebe394d7abb68315aaa07cd9e8063b6f89f6375d51bb3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7acca40a9eebb74b44c03ce4af0c72a3

SHA1
8576f86bd8a61706d296da9b1085c0dcc5d0f473

SHA256
22801423e21d29467ecd0718c4a88e4536080ba08fd678b50b4547088fe6f3cb

SHA512
b9c1e2efdc6455a2def465193c62a19a534c1b5e0987e08bcf204c4a2691ae21b1acf6e7719e3a3eea182a44bdc003ee1329ac578d8a6082c4a5e03c82b7f349

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a5426ca425b843bafef9552f761eeed8

SHA1
2ea02d439d66a2a6feaa59d332d80330c535eb19

SHA256
544ec06ca274f7ef41701c3690ea23cdf407c22674ca6028d3a4906f7e5a5652

SHA512
0f96e3a304bcffc2cf867cc4db95f887b8250aba83dc04129dbfa02f9871f234aa0c91522a09fb1a2da192c62ee818e030c486723e26d8752913622f60e0215e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
172bf123302b7abba8b35dffaed3f1c2

SHA1
66c37d8627375f06a8b015db0325a7d26cd16548

SHA256
de71878f54b1e364700d4ed3d303803d4a5d86e3911c7bb6fe10960c07304ccd

SHA512
f00f86238cbba5489cbab03426b9d9c8ab55468f9188a36527d661707fc6664f8548378adf3f6bd24d41e2a4451e7e73eae473e4a6ae8b82ab767a6848ffeaed

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
85e86fb35f185d56d464f7b0b94391f8

SHA1
2de8699f6e130156c27c0c8ffa218ef8193bd701

SHA256
c366701236a06610ad64cb0b86bdf15d07ffc105169baa331f277e0bfd6c865a

SHA512
b5c8b94088820675e0cf2a4af09180a3a256edcaecc4807e3f643c5ec53fbcd1fcb7d14d2512727e233c7c388bab1586a3329f89817f3c7e6c063d9c5e60d13f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d71f3d7417f097298c8e39dae20e0903

SHA1
8ba703e389fea8f07f3984b128acf12079f7bc5c

SHA256
728d827fc622656141b067318f04bea14499d4c6f992a1f053eb05bfa11f20bb

SHA512
978daa4db23bb3581ef70498f3f00fcaa5d69aeba9fbf5723790571d4ccce1842401fca57a535e839a3f2b99d3e026132cb5e6507691252cc48a62276f47ca5b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
01a452afe8b3292391bb436a9eb293ba

SHA1
22b1dd83de3989037a93fe21fd7942dd0077459c

SHA256
5f1b57f29179a94b5aca85d38bd6276c97587d4fee64befe909b8b94c8bcfabe

SHA512
6436120c6bb7711f408471a546cb5343ff634eea8e794d1d07e47efd356e28ff1dd9d417d75be5f7fac1c5af359615bd56be10d6eef8a45ea747723642c8ae0b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
786818c5edd9f7ce0433fd8e253b28c8

SHA1
70f6ff97cd50beaf797acb2ce2987b75cfd46596

SHA256
3d47fa262d2dfeb77af15009376880876c53ef7cbbc7a495a815d24bf54d4c49

SHA512
00309f9c783a78ffd206e73861dfd95e4f7a4771f51f41cb20258570729c6b28650da4193b50697e998e9db6edba5bf9271754f92b9bd67223641a372e1c8c1e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3d4f8e133753ebc768753369c0351b0a

SHA1
30f8319f6994547492b0e6dab660feb8b27b0105

SHA256
1fd98841e34f0a56bf5c46dd24e9cf25612e948c49b52f831514104be1b66409

SHA512
fb132ca2ac5465123c083d67500c9d2413458baed8fa27d093a0a7f771a31c9ccebf3fe19f3bcb2bc2ea9c9e9060f71307b6c65d68950c8eb87b0d93f3036ba1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8cef41c9ac1aede4049b9339a46793c6

SHA1
8e5788c4a519e73e3f14879aef26802fe22409a4

SHA256
ad8b8a04b33df680d595512589a9f84afda8ea39840a8a092a9b40ece63f50b5

SHA512
ea442f2675be00dc5f1a23afc7b0b3e3ebbcfa3ebe30000c9736a272e9f3c531749fe7baaaf6146f45325b8e04f757aba737469065791e794fd9e769aabfca0e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1ee873ad2090fcfc342da33021fad595

SHA1
4e4ae94c08240525e9efa0e15f7bc3112e923e5f

SHA256
6ff853cd77880d3b4d23d858e8b4490107fdba7f48ea3fd690ccd4e9f534c580

SHA512
a62d89f0c708729e7df6bcae101925a6dc7c95192c82edce7340f0fc45c58b6b022fc4d894c538b1e1439bbba954e0485812c6d87c0ba77ea912a7ec03fd9c66

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5c15054c6dbfadad4959f5659d0e7fb1

SHA1
82abda9f104032e5dd98e54c315e0fcdce1291f0

SHA256
aa9f778b7cdfb2dbc8e2e2cfdd9421badc6ae17804e1bf1fd8f12c5f7c6e7a29

SHA512
36a5c808d614fc47b2fb04265d2ba702a5af2837a1d61306b9cae23e14ac4d101b47a5626f1a158468a4608bb328d7f24087de33df734781033b2dba04ca4ce0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f75490ac0172837544458513e5eb3a2

SHA1
39321e33df63c4aba475e3addbbbda5d67119fbc

SHA256
3fca56528dc7122df6e451ace66a0162776eae0d491ff934d13b1d0691a8e19d

SHA512
c94dbc30ffc17793b5a888dc09909f60f5a4feb6440a041922234f09674bdb4ff0176cde03cf6b6c248f4baf28a2b474babfbe45d136486c511673773c8a2c61

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3a3dfb94c6d4ef80c85a3d5e432b909a

SHA1
e6a9d64db729c2f97ec0f138436015848e9e8f97

SHA256
5f5c9958b6b8c91f473899c1aa0add27723b09485c9e38e4c3d01f3227d1d391

SHA512
3b93337b3a2c4027e37e2a575837d588138a9e4a82654224a29491284dc8daf2564d9897183cfeaa43d716e92551b2673efd247a8f76f7c9c25eeaaa973719b4

Download Submit
memory/208-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/208-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/864-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/864-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1060-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1060-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1344-551-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1344-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1344-6-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/1344-2-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/1344-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1600-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1600-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-54-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1600-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1624-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1624-593-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1740-113-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1740-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2216-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2216-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2216-48-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2216-56-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2632-606-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2632-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2652-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2652-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2980-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2980-467-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3016-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3016-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3016-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3024-598-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3176-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3176-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3176-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3176-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3404-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3404-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3852-599-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3852-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3876-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3876-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3876-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3876-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4252-90-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4252-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4252-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4444-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4444-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4628-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4628-600-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4676-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-607-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4700-84-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4700-74-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/4700-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4700-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4700-80-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download