c270ae2e3cb48a9921a7805076a6d01c6ae4e03e7167c5c9f2fb944860e0db7f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Size

1.5MB
MD5

9739b8e867594a52eb7d42c3c979f5c0
SHA1

6ca5ac39ee8b2351c5b2472a2ab8f60994c9685e
SHA256

c270ae2e3cb48a9921a7805076a6d01c6ae4e03e7167c5c9f2fb944860e0db7f
SHA512

507af1c5da135968d8e76a206c2d0d9170ccffdbd5bdb434b97b50b15a5f43745ad558475ebecd9cd748a9c7b90af99f662630b9a8395afdd5df6b270fe5b056
SSDEEP

24576:L02WHpORVldlnXfH9gPwCn7vOb7HHcp/CGXQp:L5WHpORVlbnXf9gPTTW7H1GXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1480	alg.exe
4352	DiagnosticsHub.StandardCollector.Service.exe
3456	fxssvc.exe
4376	elevation_service.exe
3184	elevation_service.exe
2624	maintenanceservice.exe
4292	msdtc.exe
1052	OSE.EXE
3128	PerceptionSimulationService.exe
1248	perfhost.exe
4956	locator.exe
3292	SensorDataService.exe
2064	snmptrap.exe
888	spectrum.exe
4880	ssh-agent.exe
2836	TieringEngineService.exe
4304	AgentService.exe
3616	vds.exe
4220	vssvc.exe
848	wbengine.exe
2952	WmiApSrv.exe
4924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cd652ceb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024cf7da6a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000227767a7a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d6c9aa6a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000587748a7a8afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfa16ba5a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2f23ba5a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d59563a6a8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3456	fxssvc.exe
Token: SeRestorePrivilege	2836	TieringEngineService.exe
Token: SeManageVolumePrivilege	2836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4304	AgentService.exe
Token: SeBackupPrivilege	4220	vssvc.exe
Token: SeRestorePrivilege	4220	vssvc.exe
Token: SeAuditPrivilege	4220	vssvc.exe
Token: SeBackupPrivilege	848	wbengine.exe
Token: SeRestorePrivilege	848	wbengine.exe
Token: SeSecurityPrivilege	848	wbengine.exe
Token: 33	4924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeDebugPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4964	9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1480	alg.exe
Token: SeDebugPrivilege	1480	alg.exe
Token: SeDebugPrivilege	1480	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1072	4924	SearchIndexer.exe	110
PID 4924 wrote to memory of 1072	4924	SearchIndexer.exe	110
PID 4924 wrote to memory of 3364	4924	SearchIndexer.exe	111
PID 4924 wrote to memory of 3364	4924	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9739b8e867594a52eb7d42c3c979f5c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1668

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3184

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3292

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1072
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
78bcd491028059e3f32b3a3fbc3ac724

SHA1
1c2a28697ffcc377f3cce61d98675cf92692987e

SHA256
b056523022306e667e2472cb92da57a993a3228bbebb1a4d1038e5d971eea66c

SHA512
aa7ff1866160aa83e885e557c4e1441deb38d383c86b469f68a052b8f8a53a8077afb67649de256379439044dfdb5b470ad0e99ff039c0758b1c744ef4934065

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
853ea69bc4af4b5ab09fea3e2cc9b818

SHA1
bf99ef05e9cebbc25af8677864aeb17660f624e8

SHA256
b29fcef53b62a704fd9515c2425f658e543bd3c43841cb77e6e0290d900a0408

SHA512
be2a2e482cc5324a567048b57c8a1ac40689c3abf24157eb43672e2b12b317874fed81fd9963f82f0e984db0c8f20cda4500a4237b43e5f5b41f34512fea85d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
17ea6c194bdf6586e7bff7b7e9a0c8aa

SHA1
6b3a90ac2fa722c9901e1f7ca9e0df9a93b48b25

SHA256
1342cbfed076d2c4f03d354c5a842fe9c6b484c346f0d30e8c4aa57117215a0e

SHA512
31949de7c67ea3e26f45db855abfb2d12460be72c5d16ad75e2a79abec4f57d8941976a00d842e4c07bde6acda2abace0c5d3035f44e7019856087125f069802

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9335b6446e7ec4fd6fff8f03cadc097e

SHA1
0677dab917c8f8d4e68bc7152cfbf38daa81b92c

SHA256
fb7cd2b427e9588a6bd393d2dadc943235956f4fd752ab926ab519627a5356f7

SHA512
c122c7a47f671cc9943822b1aabf8ce25fa2d7213e6a8ae16cf839b2803aea599f9a48605eef625fd56257bb9da9c41c3f41d706dcfe1e8a54e5298e2a25e0fe

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
abee39c94b6de2ca9839bc8bce43bfa7

SHA1
ab6463130b2c0c67b7d2b67373d8b20d29b32034

SHA256
374e53a69be1acbf41087fa59005616f7dbf0b854e906e56d61bc1fa7ee39c8b

SHA512
f0d9bf55d86cd16eceae28f5cb76b1ac231738da023ca039ab3059943e45fd58236f451dbdb314f366a114ae7a3ae4c029bd4b2643a06a8c736975db0479b503

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
eb5aa00f36339cdcad11531be243cd42

SHA1
3265b7559f18e5f3fe8d067d4bc4b0b11bd4a100

SHA256
3d3baed6a7b12122619889a6b3c5f9df471f4f0715af4dfcea5e2529e5abea34

SHA512
e223a1955aae1f69e027337658c94d753186e967e698bf8abd8686e2624d4adeb30c90eaa1d981a69547e2f538912209227a79207f39e50259907a7548df1152

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
18e2086998f8d4a3ad05b4f832a066cb

SHA1
f07f4d357f3a887f51ae23ce8a5479c2ab2294d2

SHA256
09ba3c7394d6e0bb163845a7275e394c9a4c65c0eb937d33db1c96b602cb9ac5

SHA512
6611afd77fdb54291e12a217997a9c24365234b78506b73696211ac71f80071cacf3fa9dc8adacd8c719a7565ee0bd24ae77389827e42dc6a7e73a715e2cc46b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5be36c2027eea4082617abe4a5328729

SHA1
40dd5db5e9928b342a56d44b8636d7f34762b33b

SHA256
af9bd73a70c0e073cb4e4483ad17d1eef06c2d4e9f5eba7a3b82936502842513

SHA512
2c0c977690e3c2a8a7d0b5966af97915baa169882eafe18c666c897db0c4d93d238815479e0effca1bf5e818a266c63cbd2fb2f57818730f4491027d3f325273

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
38f4359a1329ae8ae018b4fa86cff458

SHA1
c08c0d06d03ff6682805b8d99ae35259040ccd63

SHA256
73b48200acff88af9a1a414b8f6f0719cb393de69e844a934281bf357c2e4660

SHA512
9d112694781962ba451f81ec67c6266fde4d23043bb237bdd0e8f2313b1edc5de1be0e18b482820449d1721106f406b1189c849f46cf3cbe9a507e33afa807a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e3362983856edaa899fde0a5688ee42a

SHA1
b8d2388954f4581e1a3625b6da253d907be1da58

SHA256
83fd2140ee35d77764f6d04e2dafa7ac6e474ff087fe5436d345f2a5a13ff9ff

SHA512
8bbb6078239ed42af507119ad80879999eff9d2f283117a0d1b71158365ca756a12729d0f240685d348f8681af247161f956e4020e3161c338174d91974f30aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
19e453d2c14b2bdb0c147a383e264f2e

SHA1
420f3138ded43b2ec3f2d6eefad75c248c3a2bdb

SHA256
0e06e178d042a063bd65a71d082f52bed7123d347c9bc55f4dcea488a2a1ed1e

SHA512
a6b29ac9e0fa94b196b32ba301aaa644fe4a79f315a79bf3ed90a675b2dd2c48060b2a8938aa8465cbf44f43d0172732b8fb6ab6877dae9ad82cdf5164a9ed4a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ee4eaf708944d309777d683e7b4bae35

SHA1
480e1d2e14ea9b665850d3047dda690cba2b5037

SHA256
195e487ad860eadba91d52de57187816db9afb1019fc2195f340cf907545461d

SHA512
d0b3a0bb3cbfddb8f64a3faaef9436f55494dbf6468bc31c09d2fb83b6cbc74c8ff0beac239a5ad0db5c370b113445835361d8e22bdb003334159168a7db9a76

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
75e14413620a1bee12b86f017c3ae830

SHA1
a25e936771b540c4b7b47ed2999a22f7e2a9572c

SHA256
0f4e01fbad62e25bd187740fe6ad493516ced807ea34f56a089ae04eb83be494

SHA512
4fc2518b8b5d5dc675eafc02347ab86f913ed9758570c3cfae89bbf9fc1d0c16679191d4eb0ca085b81c7c1617839bac2005280a81eda1ce147e802306731935

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
fe07cea92aa009f5c6165e2896f2f5bf

SHA1
a804cfdb9f8fc52d8243559739c16787ccd75cfa

SHA256
52a496224a74fe9acfd2a15646508feae74ec27f011a4402e2113bd4ec23cef9

SHA512
5679319476f595b85329694eaae4f03a4a8df84acc7a84a888df478f7b4bc1dd8dbafeb8f9db804ba74d5879d11c815cbd0fe4891138bd275a1bd9f2f076a856

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bab91a882b33df630cabf9844b55eba5

SHA1
a36820e98d336bb9ed9dc0d94493870b760bacbe

SHA256
4e00cf9c20badbb953290e3c2498b79b7be7de8d2c0e83555e44e7bc7e5fb6ef

SHA512
6431fe303f4f1a327427206538279e4c7e8f1a0c4f5be80e6acde63dc62bb0daa801daf3386164e1a7fbdfafc7dada4aab8430f9158fa92b1e30a6e367a6490d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6a79dcfc6274596bb0c48c8166993265

SHA1
d387b777a5f8b5862795a2922973382de608cc1b

SHA256
ec429f6fd97131b26ef20b1eb07d22101c07168d30cfcfdbe744e914c4ac66b0

SHA512
3d05e5e33e31ca12a910e3b7ce9719bbad054f24f2df53054a4122e26fec613ea97867b8d6d7b1d1e2d4644cbb942ea1ce7c8b1bb12566a07f51552cc3f9c2bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dbf45b523685f1eb88bb326913a0d328

SHA1
a8d445b965923f5c9d1b945e7d35caa6350f20f6

SHA256
c998f47e2b7260b7efbcb641c7d748707d912256a3956ac3b269643f32aa5347

SHA512
0b68e5e0e606f31efcc42808a26422a0e67f0f659b6971635639b7d315b2f69c278c7d1d4308dce3879feaa6642340c7381263790f3d4eb9152427d45e8e8d81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
59069ec7c1bffe8503f90ea2a0b5c5f0

SHA1
3288f1a59a78e50cd8bdb3e80ac67888e11c4d32

SHA256
a971f226908e35a95faac4cb105a8d1eb54ddcb71f774b79cd42dca55cb98a15

SHA512
23b065306c4d67a16a9cdba99b3f86c4571fd3ccb4470013c388baeec0b6c2c329ecdb55e75e29465172f9466186cba749561cea1afa1124897e501c525d746a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ae32da7cd2fd76398adc08193341bd05

SHA1
adccdb7f9252626b607b1751bdf3f335e1df4599

SHA256
19d259dcb85de4d784a3584e257ff5ce6dec9f076b68cc487386f972134e9ca4

SHA512
2450817c908e209cb9ce4e1126e61e516d7453559cf8b7dc0dc73b13960c151ad29e5ee5ec4e5de6dab30c3009acc360ddf7f403737a88d0149473935b7cba86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7fb8a420a76386697e238046d50d2026

SHA1
d0c356963327d6a94cbcaf0b9df5a20d66269ebd

SHA256
cf807764c845fafa9ec3371e456ce9314c68d57738ce3082dc4688f820859638

SHA512
b867b42fd97ff8a4887b43672df2d0dc9354f2914f9742056c94ab4c43ff5707d25ebc16dd5d8357699500768bda34366fd60453bbc9a9c3c20222a25caef76b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
e834b481aeea5ba5a28a66a3abbfdabd

SHA1
0e83c328c69d541ea98f35444f7646c16bb0e83e

SHA256
cfb0bce560bbbb6c37ff8d64a7348290e7d5af0a2c1c0c5d3674222d26333426

SHA512
c50bef1862aa24b24098a1e86bc809a928cbe59564a412a5ed961044a918d253474f002dff3ba3200b1eb8f4d2ddfbbee814816696803051edb7c82f79fd8b63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
e4e45a135c911ca3fe77094c269cc209

SHA1
86912945d62b635c8198e16d4a708bf5af3a2501

SHA256
400349543bc09fcccec51df1250083bc4b14abc15456ae823b4eebda7ef748f0

SHA512
6bd50498edd34afaade4a1fdfa8edf0ad1d4da06d1b0aeae604ef82cdf8b6ea0c748b86c872f8e4264b294fbc41b55d096cdffd73696c5fa24a416a3b7899e64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
a220d7d60bfc1cf73279ffb8695b1ad5

SHA1
eb3e865d01d2c99c036d7204401b6d9f9e9b47ed

SHA256
7c4dc33a61a201b0960b0b92a5af715b437e1407fa4b7207ac59b29d9be297e0

SHA512
c7ba07afef829ce34b4dde1fee2904b3a5e94197fbf1bd0d75494ca780a4ce4f4118914a5e05d607051d28bab171d09f45f4596f0d822075f2f81a87a32d4409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
27a05091fa8047dceb45701d2c391341

SHA1
8c4f44201a6305e5483f55fbf97076f5930c1821

SHA256
6eb003ceac14e01be9a73afede56dc2b26db7c369387e99c0cc6724874ea787f

SHA512
e90d058d2e904a42f1c5e87cdf8f3b57f9caa3a5c2026e200a04d3b72494528660435460e3f865cebe4c852c22a7aea35639d0a7322af97c3b1e8f5353b5ad43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
7f7551ec7816bef08416c3404c8b97a5

SHA1
f13bfa5ff28331a84e3bab2fd203ff59c9d1b34f

SHA256
9c9bd7bc929bb777e9bba285a8de93abdf652a024ef81c651f4328ab64075b76

SHA512
de1795e7b776e639f4cd8a1169edbea65854a1cb8f8a184d87f9d0ca4b4d908b64305ed095de56263df31ac098901c792b90e09d4767a97a1adedea2351ab074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
cf14f3c2b512fa765d6209949b2a903c

SHA1
46ddc8db37ea2e2e818e0af58dc464e70a2fac63

SHA256
c6b1bf2b663d9ae3cf4b9be2c283da1bb3987158a974ad4268ea7c2ac8559099

SHA512
38b85c2d9a2c02b0611f70f3eae176664a6d98752166a5e6233e84da979e6bc5e1417d47d3cbdff3adaa694a212219822995a963cc6c6b653eff715645862571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
96a13698f45b1a8e03873c74f62c607f

SHA1
a694ad1b51a05f3645d2a044dd0ff17fd0bf0ed7

SHA256
6897a7f779d31dd37f101f7059bc2b50fd06ccf0211afe4798698a102d0a5bb6

SHA512
7a92073c674799a869378f20d9173cabfb19aa640317aa5fef4eb35241b039a11f739f765889458d5a7e802bb59d9d123cdbd02a7201c21441e493869b31f3b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
9270112e6f3b88fafea2c014d8d3dfa9

SHA1
5e547771badfbb99d6a7bad83764643052aac9f8

SHA256
a8a0e6531747fdc67e875c2d39e4cae89d52821a62faf4538d741d2801485baa

SHA512
489e4e62c8a6b7d1c5dd2916cab81bf710f6c4942f1eddc1e92ab2fd7fcb7f70e1d027456e53c0472f7f0c8c49bb2690f97e814c1b465ec78a56b7ecf77228bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
1c4c047b2769d2971bef01b53e108f20

SHA1
8ce9a99eaa2aeddc7747ef2fff23cd3d8b9059d1

SHA256
d5d8b3c7e60f9805fba1a48f170a66090b3b89e3963da30f113c755b5c3c8b87

SHA512
5e101fa556d291fb38367dd711514062c74fee16d75136584659b0f1f80cd46edf6ff473c78d87a767028d6d11ae47b89ad7791ba3681274b8e8ab070d8d95ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
9b8ce82180c1f43da8847062ab3c18d2

SHA1
729f6b3cc2b270b18d490670f6b7cb507689966f

SHA256
8502ea4087bc9b78846cfd525ca978f18a8c2eb97213e29cee2523b1cab7ada7

SHA512
fe5ec6e1009b2a46baeec04320677db0b760d884b2180d1c6c57a1c458388a9d75d09b7cf14f0b0c4613bd93c0a6cb043a5df21b54d9171ed8e54563d286cf51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
00a1487d22fb63dd4c055666c502c6ef

SHA1
0f72176801d72cb4ef373318a553957d7fb03415

SHA256
e6f7ba591061522d7394508238a318cc6fb9279d92f4be625202e957637adb26

SHA512
41de316b752336131a737753dc2c2758b838500d7b046411ac90ccd60730c20e1e181ac6bd33fab68eab63ca3c1265965dc1d2c1982a8b2caaeb865478f7ce4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
163b4320afa9e055da802b04b8ba5936

SHA1
6a595bb4f6b6598a7a896d51d918802de15964fe

SHA256
750a94966be6de3dd6f5fde668a1e79a106552cf8d5a650bc00db6f40882af72

SHA512
e321f92be2ba99f7e6d98ff7fdd0c11da249e54d67a02e19fd9469084efa675ba59bd34cfb0ac0f5732cca4a58abd5f8b5c714a05894b5417be8bc752bb01005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
37ef9cdb900f5dd2188c35190146413b

SHA1
e5ae29c7b9d0b1d40c61e78bf8a9e96696cac8fe

SHA256
792a849ac132223c926803bce2701bcbe084a30c7294b79e6c4b6b6759d92313

SHA512
fbc06f4d6d508694dddcab5dde5db13763defb83826705924f16f24b720dd8cc571204902359f37e1d16141066babd9ddd39622d7c3cb21d3833c0cdbb3c42fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ee07e4695729b5882da87e7651bd01c2

SHA1
11c1be7fd9bd35625a49c31d79bb457a28cfd609

SHA256
0d10decb4bde7f863b0b3bad7907d9307235083c0a5febdf567e6032451bc361

SHA512
2279b12428222561011689b4915ad4e4666e6bcadd6b0f9cf935b85770155806bff7661f4b44bc8b4f78941e4d27851e535552439294dc9d258f13e30420b8ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
aeccaadbb80537999a78803453d940fa

SHA1
07770b80016d7fd103be02e7dc20423085769f77

SHA256
b8be9331b0378e55ef36272e931d7e32e9c9f77e05ee80a659984476d13eef5b

SHA512
c5942ab871b5fb1ea9b729f904134ce9e310064f0db1b9294c060056f779202e46669c78feb6b8fd01434fe19f267c81f4d59f4b31213d4efa8bfe6dae5f285a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
66ef2458794fcfd0ed91317cbe1b8ce4

SHA1
8c0da77ab4d6031b9be08a3699e9c65c7b114afc

SHA256
3a3325f439729729e458bfa2a2d6e9f244f1351c27f58153859b6cf532994cad

SHA512
2c94e5c04bd8586fe2e5a2f301d3b61670c5667f5a77cad8cde349698a17f8faaa915f9d9d7ac6ab4991ef3f59cf12f2cb69316d59ab55549d5c503ae41b9e92

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4eb7801c4ad97c8b01cb28c140384c26

SHA1
2bf681f41641e4369fed56f39509adcce3a67372

SHA256
6ce33241570e20375bc1c3927183a4ea82fc0a46cc9c1fa69fdc50c8817f2920

SHA512
091aa0c803dc2fad4eeafdfffcb2f72081e2e8c99c352092fd6aaa5ba6607ad4ce142be906f2faa3f805af1e2093d01223413c727c87232c2074b010ae71f308

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
4bae24797c1e7f566da95d48162c5b67

SHA1
d518efc7ad0a3f4c4f634af9d56b81c7abd29b67

SHA256
3d79278ec1a1a5cb6bd2146282901827f4d55a1e5bde6ef459aaa294412157ac

SHA512
4c60cc4a1969404594b5061790344b10da36e388eceff2fb264d209fd94e2f701aa735313a61892cc7a94e051ad443197c19e44855ce0d0455e2172960ddee54

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
36537a6fd62e31efdc138b4a062f6c9a

SHA1
9afbbf7d902d8050a62bfe2faff6f8cd0180e359

SHA256
eb0e6ada6e64d073e7afa8f75394d635400d88e65251c03dbeddb90abdc480e7

SHA512
3e18b4c6f06a0d93e0935dc7011154faca465b5561bccb4e00b0297572bf72c5194bc117893061352abe7c95722fb2d8bdf1bd3035c89b9b821641c4636c501c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c1e15580537c4208c5c597f16d5ebe90

SHA1
fa3309e934df1e46b4fcc76692c223afc8d20121

SHA256
5846829871bcda56bced1c56aef036b878e50cbde9bcf04ab66d1f91411a4d6d

SHA512
e2f98cf53d3b2a4051cda8e994ed39e4ae5c72aeaf1726508978356d3ee9926be21bcf9a2a3416147d1cb434290cc6d7e6552711a92da588977d4231866ac805

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7fc677f2ba6496eec5e2c3ed2f934336

SHA1
51e16aec3c5ebe7f4f16dfeba3f46d6a873e57fe

SHA256
1af4efdf5728b92baaa1bd60f22a1ef550ee0120f3a55e9ae6f607ec16fa2c85

SHA512
713c185fbc20cf1971502c943d21cad8dab10870d64a29705e598430b56ab9f9f30bc04941f32c52cb54c37c6d9df11e2fb334840e80b5f50b350b0a5139568f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
26fc36a16dde9b13fc8b59e43f8217eb

SHA1
46de043ed4047f378a0f16589d92c83ebd8a6270

SHA256
2a24ae88821c21c3b8e03d40acac591199a4154a0ba799c8aaf936418b3cd120

SHA512
149627d6bb40fb835860dd5de1b77bd298860568f69ce909a04c5ceb67b99266e597cb0f250d4350b8e0628b2b57abdc2d390dcfdcc8c41c7005614de30ab7c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9c28af7e313ea664fee07c28ad4f4412

SHA1
15066f72a8078c6e90655310dd3ac7f153e72044

SHA256
3456ade7a4104724aba7f76a59b30faea95f8a00b77ea3627784a7d48e761627

SHA512
e5bff16912a553f3c53be808a828aefd9e1356723322757ca85a834dad0c46d56306301d3141fd1aec4988ce9d8d496cc00e7df50eeb88fb1e085c056ab611f1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2d3b24c151f52bc4154609146d119853

SHA1
f11d8c4c9f4a27748007dabfc0768230e200e737

SHA256
58982b2c87455e58b85125a859429bcb8c28fbb9f3718be4c0665e893a3a6072

SHA512
0218bdcbc568d6b400121dd829421370d6544e2efc2d6d099019e83050d49e4b219378180422397d0560e4a7bdac9f1992e224257a82f920c2b0d84dc608a878

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
550d0286500c48c0f6fbce726a69aa7d

SHA1
3de242f5695ff47fcc4630c2d181503db56a7bb9

SHA256
c31fd606b19b8e9696a4225610f1b0f0a33353fb7874936c9ab052c47b489911

SHA512
1d3f9c1662499f07b71ee672366e05a3b8530662a5e0051421283c51e98ada2c5eb799f2e2ec2c5010480a4dd460e67ee3544b18ac9555a2e603bad4f3c9e875

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
635d579c19a26aa3d25f01fe22d5881d

SHA1
585da3c1394829306adbf57dad3a9a144c251326

SHA256
db5acf3ff700fce8a5d71973eb1a53b8e1c29fde7cc55c3a969bf061e2c2c7d5

SHA512
dd926ea42cb383bab938477c1e3b91ffbaefb28a12b00f5c3e5dc150b93240561b8cc574b6ae57812fe759748bd70782edf948e81d01da23be326067dd602783

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3ef17cc63bc41804658b96f82f311eb2

SHA1
1f3964438ebce064a69b40642f2e2860faba7d4d

SHA256
64abac6d1f9b58966a4cbdb2090ae4c2fb50c06526b83f6407a543edb60410f5

SHA512
e965c0671bd4176e2b018079d8f048fc64e31d09dcc5ed2c063e2325e8b21158dced385a09664d23f33bca47fadd59c67bdc904dad79dff59d8d9c441e5ed7eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50c36d69d46becf249abdf28f7da423b

SHA1
240415e58952626de167c5f6a13f3d33d1f61484

SHA256
d250401cbf420cfcad39e1526aeb9b6d3638d6512db9a7db8ac80c261741b350

SHA512
e325e9d7e10c0277e3919912f2fff799401adee895baf598386f8d3c0625aefbd5bc121f7052fef6da79ad6b84b8787a250648690abc6fc08035db60ff9eddc9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e00e6b4b1d81d0fb9931cca21c6f3bd2

SHA1
18b553ae3383c02f8925b48e23b3d78c87a2cec4

SHA256
794b5a6117644e43e7b0681e03e824ca0e9daa5f25ee9becbb7bbad951599975

SHA512
5e616cfb0866aa3d401c5d158308352c40343b86a627e80b1c32b6da1bb83d83c30a9cde0d815545a7fbf5445aeaf6335ba56ef4df5c6e7ef76d559340bc3116

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
be867ce96690bd397d1541e8839ca389

SHA1
187232ffcf43677bca0f90b679f0d6b744a2bdb0

SHA256
43802bf61cd52f4f389aa8f628a8a84f980523891c087b8f30887f40bac3be53

SHA512
06c48df3d9485316ec21697f710114bf49adb985c92823f21b0159da926f73420987f8daf99dd228efed85649ee34b1987cdfcf4c6bf27ed6fc6abd8d0145e9d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b5f249aad23d48cacba9bcb0760c3bc2

SHA1
4fd25fd1e9a74f709b083d70410d27942935f020

SHA256
53058a5520d8fa47ecc5bc5f93e60befb585b5809a46ae57f6c9b7f0e1585a1f

SHA512
1ae5d749f3c9f45829f6f56e7d796de123b3bce8fe8fa3531b20af4cc5f0acffbc5527b79cef9cb6ca832053d4d6dddbcb148003cb1cb73b6351a2c57e64e3f0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9fbe6badad0ee2451464e689f04cdf9b

SHA1
30ed3988fa7d1f111e4d7f6c4cdf274741f338c0

SHA256
d76243163c7fc7bb936f2ea3ab407efdedebe454e8363185f8afd5edea14bf99

SHA512
775ebdcc6aa0213c71b4638e387b0957f83167e437de8e5b59afbcaaeb43e3ab97955a225a21516843aa31b361996301a59c9031aafbdba793b3a555635f82c4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
e8f8836b8f4848a5f4705a25902d9fb8

SHA1
92dc8a7e07bdad1d6826ea78aece624354577520

SHA256
cea2b6744721db3bd6e6736bee86c43a9148357608fc811ff61ebb6a6c7bfb11

SHA512
3881eecee29f461c198a2fa37b500aa2af3641f46100a179c4e8f53c2d874fb9dc29437f34d3d42c66058c45811ca6789b6e87c25c067e4ebe7b57bcc1232100

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0c01c0f4fa5dc6a54e2aa953d1163243

SHA1
a11853d28b1d6fa75d1f5f0f1ae0a72b2fd271d6

SHA256
308c834b892eed936001725c3ed0230ee647c60e7ac075f3e9fd88a1a29f6e4a

SHA512
7efae7fcdde78df6a543405152c101bda4759c51ca7f44923acbf135252352e4f765519f57e8d5806512586dfca06394500a08e62d3e0de2bb8095e19c2a98c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8f2d95526d5b068397b6711d1320279f

SHA1
840b4a83eafeb2b9bdb7ab4f0bac8085f595c3c0

SHA256
c184a23156f196943eab02dcf67a85a0a542203f6830dfaa6f74a7dab6f66083

SHA512
e041b8ff21d056af18274b0f472f06796028820ea92ea824b494192ba5cd7957bb2f22dd4624d2ac093e6a96041394b562895c636941a380bd2522bb4cb6ed45

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c72ba862314f86442533190a55801c28

SHA1
06e1965ba825c5c9a947c6f1c1c87c7568a37f22

SHA256
a2789fbf85dc938ecd9b24f44718775a9cc30de3179589bc2693071adc3ddc75

SHA512
e15844c51bba2c14e870736d4fed84be945983d5e6f068cc0bdaaf84f0f01cefc20ba52eae508608d88aaebde988002c445c92d38d84dbc781dc06746633981b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e8a8264c56905d736f21bd58bdd2dca7

SHA1
b3df4a8d55b0b8d1e61a1c53b6772359c8d55eb7

SHA256
5f6f43be416f381106c8c54d454a52f76417a51af4a1fe4dbf2bfdb3f986ecc7

SHA512
444f9c3bd49348766d6ca7ae539314ba1c381e0e52b4f82775386fa3f9d0f2e1ce478e167be3590347fdd706d0c28e41f563ee724ac47f38694ce36bb84ec671

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c20d9365b85578ea10ad19e0ea4a1ae9

SHA1
f37190ca08cb7d4527d10ba7838993297acef335

SHA256
46650dc8616e2681adba59ed120822ebb05472a67fba5a10e5e6666c44885e4f

SHA512
0b059d87472befe3e3311349d75ea357d4a9655c00fbb85599072e218bc22ef4f7297a2258af05bf9f31c151604007ee2f9fb97781ab056cfbe66b8868c90350

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
c05ac081640028fdafa7bef458b0dc39

SHA1
7ca2fe65debb543112b4d42d1fc1ecadfd4d938b

SHA256
31d7a27f09148b499d6e5a171b91937f6e31288294330bcc7258913d2b644b78

SHA512
731a2ad4551535b61b400b503d4fff40927e0164f9c2be6371696daa13ac8435f79f44c76438a90efc0e9c491a2c62c40ed8b5f9fadd54047f6ea3dbba4cd3da

Download Submit
memory/848-374-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-311-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1052-305-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1248-307-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1480-440-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1480-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1480-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1480-12-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2064-310-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2624-87-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2624-79-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2624-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2624-84-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2624-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2836-315-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2952-375-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3128-306-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3184-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3184-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3184-603-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3184-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3292-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-485-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-59-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3456-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3456-39-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3456-45-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3456-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3616-316-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4220-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4292-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4292-304-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4304-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4352-466-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4352-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4352-34-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4376-602-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4376-56-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4376-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4376-50-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4880-314-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/4924-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4924-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4956-308-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4964-0-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4964-10-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4964-6-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download