a1bf02083a3739ccde921595d7f5f25f0209300414512c93054f03e16857c011

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
Size

3.0MB
MD5

6328be693b23f0d9234a56b8d70356d0
SHA1

b2e32390b732620d9322d9beb136571d5b3dce23
SHA256

a1bf02083a3739ccde921595d7f5f25f0209300414512c93054f03e16857c011
SHA512

f6080fa59d6859300718de425644f570ba48a2006de602b55e6fc79686acf5961c9eb487e180747fb83d6d442a29d0e904702a924d6678ad1900862c395e2b16
SSDEEP

98304:4kac4KpyJ+++z0mnmnM4aqTPKrb4l4RQpe:Cc4KwM4aWyrb4lTpe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2536	alg.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3112	fxssvc.exe
4844	elevation_service.exe
2288	elevation_service.exe
1036	maintenanceservice.exe
2708	msdtc.exe
2304	OSE.EXE
3752	PerceptionSimulationService.exe
3020	perfhost.exe
628	locator.exe
616	SensorDataService.exe
4176	snmptrap.exe
4656	spectrum.exe
3924	ssh-agent.exe
2340	TieringEngineService.exe
3968	AgentService.exe
5040	vds.exe
1948	vssvc.exe
2160	wbengine.exe
4108	WmiApSrv.exe
3000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29e93f2cc3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exealg.exe6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6975507a9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098d25007a9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073e56307a9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd7ebe07a9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eab38f06a9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4bb9a07a9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022d08e07a9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2652	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3112	fxssvc.exe
Token: SeRestorePrivilege	2340	TieringEngineService.exe
Token: SeManageVolumePrivilege	2340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3968	AgentService.exe
Token: SeBackupPrivilege	1948	vssvc.exe
Token: SeRestorePrivilege	1948	vssvc.exe
Token: SeAuditPrivilege	1948	vssvc.exe
Token: SeBackupPrivilege	2160	wbengine.exe
Token: SeRestorePrivilege	2160	wbengine.exe
Token: SeSecurityPrivilege	2160	wbengine.exe
Token: 33	3000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3000	SearchIndexer.exe
Token: SeDebugPrivilege	2536	alg.exe
Token: SeDebugPrivilege	2536	alg.exe
Token: SeDebugPrivilege	2536	alg.exe
Token: SeDebugPrivilege	3324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe

pid process

2652 6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe

pid	process
2652	6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3000 wrote to memory of 4992	3000	SearchIndexer.exe	SearchProtocolHost.exe
PID 3000 wrote to memory of 4992	3000	SearchIndexer.exe	SearchProtocolHost.exe
PID 3000 wrote to memory of 1264	3000	SearchIndexer.exe	SearchFilterHost.exe
PID 3000 wrote to memory of 1264	3000	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6328be693b23f0d9234a56b8d70356d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3372

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2708

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4992

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f72c6d693d863fe72807ed67404b586d

SHA1
315f00643b9e7970e51a0a15bc72d5506be98f0c

SHA256
3c96750d77c73c03c413057268047b5131af032fb80dc24e18797b548f728b38

SHA512
83458443de773d5acb5b99224e1e5839f3e4c2533b59afc1b5143935d5f00d6f0c2f9a9e622eb9c293d3d958da3394482ec0d0fa842d0081e062c11fe03f1ee5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
42c80e87105228b0904e54cd5e11b3f5

SHA1
8a52d083118a23f07f75890a42728de274ae4dfb

SHA256
d29d856e7ae9ef4d0bc1cb1211348d6b5a9e4ef844f3d7638c7f2da8d21632f8

SHA512
42e8fb92a9c67e9178e68ae323f0de26ee8522cecc444261741f5f84778213a46fe540a4182641624a28f88171069ffa090a2359e88957205bafbc58154b55eb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a1bf89c0faf3e656e8d1f8454fc45130

SHA1
6ebdc22036c80d80cb87b65f201acc5d276111d4

SHA256
4ef9a2fd3523e84e91e3f9ab8a3949a01af10ecf5ee6e46d790a68c3e7a8d945

SHA512
522e16d9031bbda72fa468d29857f3da8126c0159a37be864b9bbceb945d4318de7777226da1d757a11e9d8db59c3a1fbac423e5025168e09857c2578d605a5f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ec8521908aac5a3ede695c0b8b017df

SHA1
f59d769f80c84667d6e42aa2c8506afbbe35fd0e

SHA256
f390b8646d69cbb0f77e059db95dd0e574a406f2a53f1afec79deb5ccfa31ce6

SHA512
6a1f93b21cc4fd46153eef3800c26385a509d89ea5c1b4d265c62967384c4d704cc62748d53100b61fc957af3d66140584ff846bde3b6fc761e5f27b7dae70e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8d0f339dbba01b6ea388d0ad07dfad0c

SHA1
61bf380eb9bdbc5e6d33dcc0e0b221c1058aab21

SHA256
0c26f0e0a5b20bcb4c87f03f294ae41f1e29c41caf2bf0300c1e2856246a465b

SHA512
8cc937ab6137ffcb93df747c6f0abb8ac01929d586623b9be2c1530aaf1354042d8ace1a59177daa6ede6f03d6904ea7e2c41b8d2beb6aeafcdf5b5e6f70affd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
15304308227612bd2b3c31e8869a8d54

SHA1
7f06eb6938b6abf025d1f53927d18ec7856e067c

SHA256
aaab0f274c156f1e95a5e737ae49a49f5632b18971a0965539cf15aee9bbaf90

SHA512
584f43bc5be51dd98f2f6293830fbaa86c77f9dfe37111eb5738022da758e297bf82ace3cfe0c26c91a46fbd301a385c7fcaa6617e34a2d4c218a54d55f00578

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
21d23d45a6cbb40d52419c7e778a6e0d

SHA1
439f524fc2974086dccea3a7a94119dbf8052653

SHA256
91707ce7d4ab8f17784c42680c1fac8cfc7a86ef965f392b6e8f839879c440e4

SHA512
1615159a91c5a0e457a84eae98f03a2fce389b374535da39f09bd7310714ec5837434758246b4091be9d9d9399eab97d9361a71973a8347826bda935f529d617

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
62db03635aa8f66fe1d90030617196b3

SHA1
bb96b4093be38543e92127a42ac846ff6ec4b132

SHA256
d3a8e13073431e393ed2eb2f1e4e268716e9dc4231ef2dac06ea5ec5ace8050c

SHA512
62e5a4ecf080b3397a3c8111bec695627c05a7ef0aa1f0de4fe03256db4e84532f0bca56d6e3d85928d79cb775edea23a785ac4a6241f0eae4854e26d08a95c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7798ee8f11adeeac9250fee11359f692

SHA1
b4bd1349ccdb7daa7e81a42c0e7fbda49507463c

SHA256
23cb3cec57e2ca4d4cf49ae9aff33e833a90af8d50b3e9a360a17e242b46776a

SHA512
c75d9d59c8f7c8ce0c1691ddafdc497e3986bf08d4aeb4aced38ede621ad831fc760ae3447799212e7993dde54c3e52342b8ec7c9228f70b9064e02aa380bd2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2372748e05194babfa36e226f8b4ad5a

SHA1
6a1f9bda8e6d0072e2e852458072f8c95d17d671

SHA256
f19b02ba60b5b1293c7eeccb76b4773ed14599d4d4b1600430807d4a2ab35104

SHA512
53a41de440d4f371a3d919b3b7d5c6b7f2e353cc1bd72446efae69a9b76ded643ea7e8427459558beb05d01ff54e939750c0b3f4d343c69b4c2ad6aa0e3cf07a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0201d897bcfe601e3e6c0c0b56c2530a

SHA1
0aa3a7b2b4be03eecb778a8b7757c3414abc32e1

SHA256
5e3d0cdf2f7f248a2cdf8296e76c62ee4dffe98f78db0d11886fe502a1762c7f

SHA512
3cf93cfca0d8c294faae6432e5674a3d5962766e860ac7ff91256dccf5e9778a4a4d37ca86d3e0192055d651e6c95e6042e6d385e6b367fddfad4cae5d0ce277

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d085e687d77e18bb2b0ec08b3f97a7c4

SHA1
32b35ae5f53a5c9c7d6c86ea4547b67349f580ed

SHA256
1b573e33307310528311f204fa286eb70a937780fb934813c61222b22f966839

SHA512
9731e8d7b448ac494e0a6d3ed13e08ce004adf253b57857f7ab2159f277383157662c7ad8eb2114eb41cef15b82e627d14fda17e2620a637b2b40a998ee88cb3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
be014cd168b9562904cea89cfb243495

SHA1
a0c5b4fef96e7dd115cf221755b274a7eb3ebcda

SHA256
0adc3a799239b92b79c2d23f5ef7dcdcf48c2640c60cc4198c201acc881bb965

SHA512
36c29340ec9bd7aec051db3875d779b86f8f3f98fcf7f5411e4326d3e9f1fbf0e6bd89381668f79dbc899efe5f3e3bf6589c11e70dbe885b3a153ed9969f3ab9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
f4e6249810b1342158eee18d0d685c95

SHA1
3350da829314aa9d6b4f10b15e1f31e356061ecb

SHA256
e4c8a1edc235cc9da391393a9666fe45e186a07e00e632dabd4b6adbb2045aa4

SHA512
51c7c60629e5812b151ffb10e1c02e595a5950a85019245f398dd4795db24542f41e7683e6476effa697ee0d293654eb1b3cf870008da370ee8475c4156e1778

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
960ff7de6503cd31757443474ca0d4ae

SHA1
ecf40ca65239c0f67efa3ea17f18bde2b73aa26b

SHA256
ae7c45855ba3b6d11467abab99529e2b487aa4ed23fb5dcfc420b9072d20c33f

SHA512
6aace16370efa07403b81d5fd2e74966ded0a724d6eb50686aeae4038c45d5f7a3bcd9402323895c44e1c26997691f6286d0495f83b0321d1fa39dd007369171

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
74cb17c7e46c3652bed758f0d68ad1e7

SHA1
4aa3d5f49c5e5f204fcfebdb8f148820574bac42

SHA256
1f1ca2e2480593d377e71885beacbd933106bb46315a3cba7cf6a9adf44467f9

SHA512
7db52cb9bdb0c06fffa6b6206fbd87a1c8cc77002bf073b3e6081c0464715d30ab869cf3c1e410331b6c9a3d4978052ec39c291e00cb97a101982cd1563babd5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e16c0d231b429ad4b83ddc7fcd5f3665

SHA1
84b04b47b73dc125b6e9a02bdccc2d744090339d

SHA256
68efb351b2918642dc02af247a14dee4efe0d7d16c933844803bab69409736c6

SHA512
e33398acc2ca8553136564e7cc49d4bfbe7ef981ea964b0a2a1aa1108e17df18d08dcd237543d9f9d4e9af148256d2fc7d4917a1b1b33e38ebcb5373fb4640be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
be2eec9f83a7f255c6c5fc41eeaa52d6

SHA1
5aede7f267e0b4add2d46342ee4cc62ef7886232

SHA256
7254e567dad4ff47b3e92518a60259e4ffd142add50fea78244bee8710e6f25b

SHA512
e1fc31acedcc86fe6dad153cfe14917fa3e7d79818091848813dc1d898fd78b453f45a83995e517cabb58a4c5fb42ba18f2f4f6cf6adc0d6d5bb41425bd9df3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
936c08e325aa2f710e82fb3b47643f49

SHA1
2e732a02f96cdbc27f76efc775fa99f3a5bd7cf8

SHA256
6b418aadda43c93d5d9e9fe665544cd0aa771306660cc4b5204d2db0f47afeb6

SHA512
8bf1c8df9d08f45ccff0ec41a31742943660fd2e2381269860e589d972d0d7b5f8b752aa6e12189c51e0dee26a2db014a72de3b7188cc317e6073e2bb645c2dc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9210d4a7e7de936f36cb7db4a5460cd7

SHA1
8577a265b3caa6bc019b4e74ec8b037a85375565

SHA256
4eb5989a4e1d22da718fd54ed05e3f9634812a8cfda0e722606b3dce463cb374

SHA512
9823e5cefd7bc78df7f0e5358925b884d898f687d0ea643dafdc4574e4892333ca7ae62d6768067cba584560ba45ea86512298d1cb53fc94b731a8eca371ff59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
9b7d736634ecfd47c462a0123cfee52e

SHA1
622b50a7f17805f892f00a8ec195a727b90eb60d

SHA256
0b50ca525f6e43a28467d7cc212b309496ed50e7b93f223f5b13d5f98d0b2e4d

SHA512
8fdb299769b60d0f3b6c10c79a12637f9a9eb1a766f3722ae6167da333cd222b56ad63507e7200a24b88204fee0e13a5a1e846dc7473435b21f7e6d27e7c744e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
379cf8c0ef18bf40e3501d3adf1cd704

SHA1
e987fa8c623bbdd6d83d4f2f41d883821d4f8096

SHA256
11961f3ed0e874afe078554f10b036c48ced8b27cd462f87d692c88995ebd87a

SHA512
4e2ded39c293b9ee86261504a13b3478ef4c68d66c709f33260d8154952fbc02641eb097314ae833410e556ffc5b583393c63132c3c93e81ba6256a01ffc3ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
19b1330c715f7723cdc80fddf0662706

SHA1
d9bce2914dd5e1b4b57e9db49d345a2a5043663a

SHA256
52a69bde46218225f7cfe60e7c7ea569250c6c1f2993df5503e0a9b56fbd1b02

SHA512
ca15b1947c6ef59c0ced41343c775efccb5248de7177d6f814f84ebeae8dd0bdab1caecd82d4a381cc6fff4294cadb41e3d93ffb9605df269257b8e272f25571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4bd5305542fbe6242cc43829dc743067

SHA1
855eba2064c81a078bcf756bdb9ce10a81f59c68

SHA256
aed7716a93d0a4c7812c668445a93f717e7a034d5a2a3e119009052fa311ece5

SHA512
108a883832118918a21c759332e0ca4008fdcb2dbd57a4330ce2e0b518b65149c347bab50dd2ca0fb8de1d88aacc842ccae1969008143fd7f377062c883d6833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
2f68974b22c9376f0a03d03e383d1876

SHA1
5297712db884cde0973ba2e148db323bb704c741

SHA256
eae42801955fdb686e4896a083427c8b3a11ecb9ba605aad5af93ba0ebc8ed0f

SHA512
f0b245c6c962e008f703fc6bc3c6fe0d3af8f4c9290e80146386f07c7e214d07892ea769efc70c2ffc2cd88c2a660ef9ac02a2883162aedca4814ca998bfea4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
9f87ab2cc3474806ff92776ff43b89b3

SHA1
5b85b0cff2ec772a6e14e2523b9a46e0daf27936

SHA256
5dabcb17c86779febdb00ed756dfba8fbc1988ec8f370a8a54768a9737e26cc1

SHA512
9412f6898d92b338912db44b6350eeaa0dd1bc8d0d00f9102250cd63f55df4b749ce0cf9358deaf926db78b4de3e96e2ecff6355ff416c774ab4809869986766

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
3699480b645cc9f920461096560b48cd

SHA1
61775eda7d2ceffd12ecf4d82ef441315dbe2f14

SHA256
38e3efdad7680c815562326822d54ba072cd4bec29bcfea65b207bfea017d464

SHA512
8e652ab4f1c2208cbe68276a1ecc7408c9525bb04072f96a4b51beb6553ea6e42eabc0feab155daa90e1b7057f849b39647f3213930272bb4c7ca34981f1f321

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
b6b02045fe6afcecd4ea1bcca853bf57

SHA1
c0b7fed4686b545c113c3ac71fc8a11e046895c5

SHA256
8d488a448cbb46238eef565c32a1fd12a0b6d973b84f57ca4e6b6816b15cbeb0

SHA512
c95540efb09078599adc8874c26d3b02e2e675a668a1160fc66bf13ad186745b07c6a842be4b2c89da37b9ac89e175d0ede4b20b2a16a464c089373b13e70827

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
403466cd708a87fc4b958143030dadc9

SHA1
7fc476411e464bc339a36a5682a2cda72fc54f47

SHA256
4d30dc4196627f638e2f78f3a307f02a2420b3d062c793a1bf355e365571a4f7

SHA512
db57fa7b6ca89f79667fc15cc2b409ff739ac33b24804fb2e0018206b18dfef30f62eb9bbe69c39068b41516cd71f472abbea88f899c2d81691cdc309fc98962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
16b964c8e7d17cfe1e544bde36332698

SHA1
670830de16115f3f20741f38adb8d21885283d49

SHA256
21c9cd1777509da9dba6689507281b44aca61f475391aa063b9a2c31fb0cd745

SHA512
9ae913a317bb8a2facd9fa5dedc09b69c15c4a08e15f0c365dc0f4d40c160bcd60d42096550a75fc6a9cecdda51fc4f4e4cbce206f8af27c6f2f5cf9b28e92d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
095453af9c23e45fbb1e7c09564b3bd8

SHA1
e70f641c2b7ccdb3e11eebf86e2cc2cf17136f2c

SHA256
c2241eccd5dcd1fbbdd34fefc3f6a1774cb02c197cbf1fca518ec483cd72522a

SHA512
a80b0f7fdd6c0ec8d54d41c80e0714266e75c2a93ba52d1634313798e9442284781ff6588928c85b6ca270548601f0bc62c2d73316dc846f93bb7e97fed55e1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
589de05669627a3c4dcd7a09926b1ac8

SHA1
436cc26824fe3b7f4b72372f823f0f68e8f62142

SHA256
9dceb09e3319a358f04ab2739cbd518c97532f4a5023b6266ebacb55ea2824ff

SHA512
4766406b771db6fe96bb061a818cc49d48ccbe59d220970ed59b56a303fdcc2e05b14b8ecb671d9ecd2a2a3e7c359782736953c57a0a856b4c5b404f38397191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
e31f08ff2f565c4addabbc9eec1a5033

SHA1
a6fcc7ee15718e0d55dcbfcc35f4c77665be5c72

SHA256
53616d4f7c5fefb927768841cfed42b4b1e011416eb4db0acd9990a08398c94e

SHA512
5fb3b9432ff77f52e165c76d9e6bde06fa9308497de9ae2060a378f2122135087693717f2c282303520aeced01d36558953543185f0b7cd7369a95bdcd9c84af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
d31222eac34aef596ed2cacfc0475d52

SHA1
b7ddfd73ef18e3a63218268a5cc3ab52b06a02a1

SHA256
fbe4421c8116313568037025ff251e022d1892b964fbc4d3454b97e49355c90a

SHA512
5ad7c99e45c4b3da360c3bef81cde568be2413110fb7b2a51f027687b2459de921ba148b144a18e4119ad861c37e507fb7c69eed5fd5c5b1e5ba5f1932ad75fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
e8c0c2977b3ecbc74a110f2496a21060

SHA1
f97e84bd0c304d33088cc13064048be8a7eab319

SHA256
bcf0235ce366c3697ea904cf5ead69466afcf2d3d1eb8de957db79b84931c406

SHA512
c2e0bb2aaababa4fdd9ff0139542261294fed3eb9196d60a7b3ca452edaeba51b261f6584640f4403816742173f12efc9ae1d8d5cfa6289adf3a4855ad9cbc6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5494427b2ed9d1ab6332626c104ee573

SHA1
31ece7f1fcd21ff4b5172424ac38d4d49f502b6a

SHA256
7e0ca7b8d8e9413b52254f779ed287728702f6f87e0fc4e0d24887af085295b6

SHA512
0a8e4c60b3de439bcfafdaf00f53cd836019031d00c976e2c3e9432d225448e79b80c7b863627fce203574259d3464e429c924ef317eb9d7642e2a520ba3dd20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
9db16882b1540e52b1530b29ccb67be5

SHA1
36bb733ebd826929d72b139b969e25797aaf5bef

SHA256
e06d45558a99df8443bd19594d783ef7778ca946328382ec66ee8f88cc6a2356

SHA512
5eba9c50afcd1c82472a94ede1e1455c4d3bfc9740beb0540737dbb394f433f3efa299ce4168e5d17800e1e22ee0ac3691e64a3db3dbcef64a88550ddff16940

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
451d0d182fb9b7fd3316097ec42ba7bf

SHA1
def8810a8a02cf7449a0f713939adb0d066b2f46

SHA256
7d74c8f44093bb90995b55a084bb1076df3c9318522a038d5ed7ed6b0ccb275a

SHA512
94505d6de5103d51348d1132766286539d4a3892e983cbd1de0a95528c7bbc95db1b68c40ab32e9a1fc89de2f2a6d8f90d2cf4f391ab0fdf819f78f680966efe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
30eed3699e641f1cea93cc0447f8b5fe

SHA1
e121208628c3030d9836459e2dca7d301e4b543c

SHA256
6b156b10b0f954e8db86931c92019f7b1092bba113d9503083ede00275c04b6f

SHA512
767d5a946df3f1b6025fdc4ccfc97140a155d7ade16c6d521939d8cfc21da8bc3aa774195f6381f7206a8b13e2e77d516931f48cbe0ac16e14f8bfea2f52e25d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
96b5be925030ef4cd4fb94af0cd384a5

SHA1
703a0d7ed8a10f9f4d20003e73c0a1e0e3ca7418

SHA256
457522c2d8a5a99169b75a021f3bc7b9b893023d04c41c5bf1c25c9c8b5d6126

SHA512
b25d69b55fa3ac8203c23b2e9be06547a070b8ebc45e75a8dc24470d4315f6bc8874b8c969545b2d831cd08d9db96ca7d2d60df66e7fbf67a7f35ba5e813e687

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6117526448b5821b5f673283ccae8c74

SHA1
3e77ed05029a937a00c9077c10eb7fe111e7d5fd

SHA256
c5ae2d9236abc0f6a9a5bf8ee4eb7212cef335145b4d72cd495ddf3e3c9c25a9

SHA512
2c8d1ab24b4e5326460a2d808941725338f0780dc62a65ee53d3ccaaa290788e5fee3886878bfc25619d6299ffe40f306e9bea75745071cac3c288cdfb5017ef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
559ae14dfb19ac73018fa6ae2f408eeb

SHA1
6af48c0fbf256bb7e272602cb2b7db7b9a7c42b0

SHA256
70222a5b156af434b17c4bdbf9470e789708a9cde45d76482d268ca8bced94eb

SHA512
8eead33d69491d35d416213bece19e98c28bf28367e933bb780c3e8a2f7cb3b977d77bcbdb09c292a54e68f1430543600f73a17de1d0df483e2131fc1bd9045e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5475c44dd008b3110648591a026aed7a

SHA1
1aa893a04fa7a85c2e4d649269e68d1bec2e3302

SHA256
7927d333d7efdb6cc28e48c9087b500023059b15cc81043048c18093f1eb12b0

SHA512
2704d395de7bb2acaabad3ba3158cc00cd5e08e33f71d1cb3a071b72d578c0baba45f744fa68ecf5bc0ce869b12e2f6a9e51b864330b2d15d7824d7c432f4e92

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
779a50705a94d203c58b113e9f335856

SHA1
14e2a3f0f3aab6f025f996023c5d11eb869f504a

SHA256
684b096cf54630dbe84ed48fa59f99b47d83758c8bb42ca2e7dde2f770194dc6

SHA512
ca759795fdd591c6d58d6013a110e11ff81d95601a002393e91c770f369ff691e0973c12668b35233ae69b61695d6c553505e53b792321b346c01e0e4cb30ed3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
ee8b299c2b4c5ab4999dc7f9de49bad3

SHA1
4a816dffa0e3c44afd3c209abcf336cad704fa23

SHA256
c08b7d8f3006ad36bba482a2e68223febec4eaa2661abe6a93dab8dcdc2def2e

SHA512
85e6f9664b28f66133f92805720927a6fbb5f07a410f0129abc66c8730a5ad0e462bad8c5f93469567de97019e65f0a2db481670b6eb25d8c551ab18f2615248

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
2a189cd9e898bab8e574a67a937c1638

SHA1
236bf2f2845dca22daa1dcc9dc3a150dfc5afa90

SHA256
cf7ee22422eae032652cf34126b50176e604ebead3112a3a2e1f8c88ca263a43

SHA512
4f912fa2911b28bd18499a17a6246a876512a16e636546404546b889974d6f0e2824b5b62053d55986f7233edbe38976fa41dfb8d1523319963e90ae58569ba0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9b700fdcc2251c4a6688f62ca5ed7a17

SHA1
5bd75ea3741fe2cf5444971be4eaac0a29def001

SHA256
f58a350d600cf11c52fbdc9eeaceb6526e5e7c631303b5e2dd3898f60a9d6d3c

SHA512
70cd386fdc0007650be978bea5fd294644f614735f4c3e4363719fda62d29ca6fb30ae3ff0d4df594c0d846c33bd06d4dfa53cdf905cad3c036b30a276f63424

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
caf354bde1dd9ffd3aab8f9e011892b8

SHA1
d84b482b5a4cce7234ea005ac4e2d3359f2dc3f0

SHA256
71deaf5feb9e163b4d6304de311af43b067c43d8432cfec37ea1f88ea9febd40

SHA512
07764e8b13595ad5ae219ed094413c1cd078d1beae33e2bb9badad8f74b8d93c10c817270ecd604c27bc7d1c88d368c1db2709c7c363215116e364704d530aea

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
521846a5ce0d9524b86c394dec316699

SHA1
1eab736f510b37068f6053eadf0d5fe32aaa739a

SHA256
c8a1769cf6c0047ac7db8d123514547cc6e082523b5c3a5f9e4bebafabadefd1

SHA512
d35ed98ba533cfabccc9a5d0b4a336c2eaa48f3023b2a3f955be087e345cf7b86a36c469f42f1d6dc24a8577584efa67b90e4a31355e2b8fd7312fdcc764ef1d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
338a3252281fd560c6de6f70fc18faa5

SHA1
4834d94fe60271ccac91124f458e9593cd21532b

SHA256
df74bf580a05076707091a220752040f3f75d48197f7ab1b1fb57bc2433876eb

SHA512
70ec81a283d11ad17f4f56451f37140f08fdeaa2d72b7ab13bcf308ea23e7e55b22882b5565547ed260ffb42b97adeadb8d59f13db0e8314cd4cba097e64d639

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8634cb240cb8c438940872fbab520dbf

SHA1
b86b800f177be5e632d397d027dddeb3f452f22f

SHA256
4e49057d6cad84d604c409fa0a03530b87567c24f14e5536e7a69ec16e147fdb

SHA512
a27a7e87f84c66e512e755bf4e9a53f7ae6ee1f79a6e077b654d438a07720ac7213fb298178663ce7e84c584fd2b45e467d4a16543970f007689c150e38ed7b2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
5ec11fc2a2b0140a4acb8a03f63f7059

SHA1
b335723c51fd2b14edf82d4978c8328ed3575993

SHA256
add8ffda15a042d199220f8d685ccdc9b9b67aa648e05d9d6f685874b85a55d4

SHA512
5d53113ca2845ad0ee5fe382014e1d2c8ae14f40a4089b75bae1abbdeaf479e478f2c6b3b960a3f7d03b781b2c239046ba848eb3838db521493dbb7c940c2244

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
16278c6e3949edc0cb4af155acdba99e

SHA1
9c252c0ed8af9edf5fc17fa9949e86b32ad0a7e2

SHA256
8e7de3333938ef72d6f53c47ad5492dddfd4746ebb967f32fe34f2161afbff93

SHA512
dbf0ffbcdbaf7e7062cd1910aeb70907d3dda9f354c7b3ca9692fa537934e241e4cd4c887a771639fb98f0eecec36b1d78517d57a3796b34bb159448886a809e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
592dfd7e5ad45c2e360186fc4269860c

SHA1
2154029fd356bd7160c260a4a7b625d13d9e7352

SHA256
f508d78beb68eede9c4e8f0af1e38b53a5bc7f219ff922461461c4fd5b72eb18

SHA512
3adb45fe86790e7e2596d886a7173b0c46f688f11a853ebcad193721856c1eb1d2a54f02c623f3cb50916f6cc0237681a191ebf1be7ccb1a02afc6f37b9f4476

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f301f75f9c70e2772c0330a92d77657c

SHA1
1bfe9d888edaa559a854ce99bdff2409c7e4fb5b

SHA256
ecb293dbcde5c3853578b676e2ed45679d833e0fb5bb0d7c908fdbffb724df42

SHA512
efb41aca765fc304d7dd1274a5bf73bf479f01d61ac66a35c1f7ee10b1e9adbdbc55f48088ab5beec9f0e494b990917304bf44893bd52e5d87a1fdf4d0f976f5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
d4731481bfcfc056bbc713fd94bfb513

SHA1
a68e3775bb9d3c66c5e01ff01f946fe16f5a1f49

SHA256
4dd76e27dedbc6781b3791be25665a71de3a3a532713e6cb515c43745f495419

SHA512
6c022088227a83652f1b8db15c9e0798a95d3c96c16b6a5e64bbb8b04c1d86cc526488ac20662308c878f17defd27ae6a876515094af5e9849fe7a64515d4cfd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7b6a8b3ca0ae27b23f3444b4784161eb

SHA1
431f416ba6e9aae4593a3c333560392ac42254ae

SHA256
b45a9281508b5e9cd205f670558a62c2faa8999afca378cd065b9c0c8d4bf7d0

SHA512
6a9e346eca3966012eaec2c76744024524e320b21cbb06839224844883b57aa938bd787348f270747028a1a9111b8086a27035b25f86732ed2c5abb901e5477a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7be0f93f4b585deb924ef4f4f5cbdd2f

SHA1
671d148e5c218b5ff2bf39e0145204e629e6283a

SHA256
e1df1f4d22ac2284858e5227aa5115db0642a83c24f259d848820ba108a8252f

SHA512
e36bf20b2fd438b5eedb7411671c6805cc2b1d4c46d7aa2636d848f03753596980f97f7e2cbdd0a33dc2302a67d041674ed7ce5f77927813ae460c6c7f5d56dc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
23d18f2c5d873388ffda4876f787ee8c

SHA1
98afefd95e5235f9597c4e60d4a1994b8bd6f047

SHA256
f4e74a7db8da0513a32f4d98a540fd8f5d7a6f2f040eaf941eed5addecfd6ac8

SHA512
c2cbb2d2aac8e61bff844bf30399734c19e54efb390817cc2ff5685bf5a68cc994a5ea71a6d39e0556e826cdba0a7a51aa333c6544ec748d50f3b53f2c7a706c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
d81cf339f3167441cffa4e3519a78c86

SHA1
d7438e8ca1b74fd8337797305ebca551f0790312

SHA256
31d6f7d03947e7cd4d6caa0a3a10593347fafc6ede8dab898f2eec356a0a0c9e

SHA512
f94bea9de9e39c589ca68b3078a9341a2274b2887aba7dddb2e1cca65907c2d1201647ec18b6cf795235cbbe7d9c902acb5de7ebadef0015dc757eade50d7860

Download Submit
memory/616-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/616-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/628-552-0x0000000140000000-0x0000000140274000-memory.dmp

Filesize
2.5MB

Download
memory/628-149-0x0000000140000000-0x0000000140274000-memory.dmp

Filesize
2.5MB

Download
memory/1036-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1036-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1036-89-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/1036-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1036-82-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/1948-562-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1948-255-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2160-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2160-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2288-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2288-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2288-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2288-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-112-0x0000000140000000-0x00000001402AE000-memory.dmp

Filesize
2.7MB

Download
memory/2340-200-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2340-558-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2536-24-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2536-129-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2536-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2536-23-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/2652-1-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/2652-111-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2652-0-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2652-6-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/2652-360-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/2708-92-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2708-91-0x0000000140000000-0x0000000140298000-memory.dmp

Filesize
2.6MB

Download
memory/2708-233-0x0000000140000000-0x0000000140298000-memory.dmp

Filesize
2.6MB

Download
memory/3000-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3000-565-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3020-493-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-131-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3112-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3112-60-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3112-48-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3112-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3112-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3324-130-0x0000000140000000-0x0000000140288000-memory.dmp

Filesize
2.5MB

Download
memory/3324-28-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3324-36-0x0000000140000000-0x0000000140288000-memory.dmp

Filesize
2.5MB

Download
memory/3324-34-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3752-118-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/3752-281-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/3924-198-0x0000000140000000-0x00000001402E1000-memory.dmp

Filesize
2.9MB

Download
memory/3968-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4108-284-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4108-564-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/4176-556-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/4176-173-0x0000000140000000-0x0000000140275000-memory.dmp

Filesize
2.5MB

Download
memory/4656-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4844-58-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4844-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4844-52-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4844-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5040-561-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5040-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download