981caa535fef03ef13a8dfc06819377adca92a63ff5438448309936f0bdf26cc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 21:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
Size

1.3MB
MD5

6fd10a1cbba1243e0cd8da88e3d1d0d0
SHA1

9a8a99be0706dc344410f9e927473e7731817c49
SHA256

981caa535fef03ef13a8dfc06819377adca92a63ff5438448309936f0bdf26cc
SHA512

5bd0e9eb7f6c6a782af0c0589736245db5ed5f5a451a4cbff4d8ae71b13a5e56074da64d6bbecc24be68a6eb0c7fe108c14e6f54ad02db72c295405a83c14005
SSDEEP

24576:xkuKnonizr8EzERVY7zpCGSbvdfvDJO5:quVizr8+ER49CGSjJd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4224	alg.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
2052	fxssvc.exe
388	elevation_service.exe
1500	elevation_service.exe
3448	maintenanceservice.exe
5000	msdtc.exe
4616	OSE.EXE
4592	PerceptionSimulationService.exe
3988	perfhost.exe
1856	locator.exe
2908	SensorDataService.exe
2412	snmptrap.exe
656	spectrum.exe
2728	ssh-agent.exe
3204	TieringEngineService.exe
3312	AgentService.exe
1008	vds.exe
2916	vssvc.exe
3624	wbengine.exe
3308	WmiApSrv.exe
4912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\460fdfffbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001df7557424b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9c82f7424b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e1ae17324b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c7de37324b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d4a2e7324b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092f3d97324b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe
5024	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3560	6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2052	fxssvc.exe
Token: SeRestorePrivilege	3204	TieringEngineService.exe
Token: SeManageVolumePrivilege	3204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3312	AgentService.exe
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe
Token: SeBackupPrivilege	3624	wbengine.exe
Token: SeRestorePrivilege	3624	wbengine.exe
Token: SeSecurityPrivilege	3624	wbengine.exe
Token: 33	4912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	4224	alg.exe
Token: SeDebugPrivilege	5024	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2696	4912	SearchIndexer.exe	113
PID 4912 wrote to memory of 2696	4912	SearchIndexer.exe	113
PID 4912 wrote to memory of 4624	4912	SearchIndexer.exe	114
PID 4912 wrote to memory of 4624	4912	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fd10a1cbba1243e0cd8da88e3d1d0d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:656

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e96f96b399874088f5dba89a4c4e193

SHA1
324f7e2182b9f8133f732dce2bbfd3523606429a

SHA256
172807f0b5353ed42062e1fe0dc9789db006fb410e75324e3c9e81f32b0255d9

SHA512
1cf7a1c6ae2bbb7bdb7405c0095ed56f61a8ac16b712d48bcb05d69886c649c7ea9b6cb5f0e2b9c9709896a4d880fa6dcd9d9ff86fe2a479b3bb723612e60ce5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
6b1bce462cc98165fdb5f5b8b36039c4

SHA1
1f0db49ae52798aba5d2e231963e52830070f121

SHA256
24f529e99e469f39f3baa39db551001a28f0c7faf54a3d0047a9fa4d2b8dba08

SHA512
5ebe647da06e4474bd98b11c200c30d0a16aa745cf8642e3c0a01abcf788c7345e47424a36027cc66ec740a0794afa3828367348e4fdfb113000efb9ce7d16c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
61da2d2cd18ff1bf577c12e7d2d53616

SHA1
02bad9d5c8a8080bbfb5331fd57d51397ed67722

SHA256
74e5ca8b29c7087d55418097d025451b9ba76f0a2565eaf694cfb2f266c8c4aa

SHA512
a754bbda165b1d9c56c3b672272edf8968107d81172aad318f9afd189f20a1f5015792bda881f752608a22a57f855e49fbe174f024400495bf8528caa9a749c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
99f083d198377cb9f8890e929036f266

SHA1
2c8516d3f94dce53ec714b6a3764db6a59fc1ea3

SHA256
4e6bbae63bf200a38a160a6d69d24581715639f30b7e1b2023dabbd18bda2241

SHA512
c12bc6701574b96a236a84252c0cdd79867a90357c0291d6d54b6734ebcc9608ca800cae2a3ff6ba5904069e2a6ead99e54a2a5e9ea9cb69dac267d3d5051974

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9c98c97fb3aa3be6aba24930e27006ff

SHA1
85e9d354f6a6774059f426929c898cfdff1c9ffb

SHA256
c165bf6fb173ab418b14fe5c59e2b0d8d0ad870a5e1439a69cf9e17fdb061a8a

SHA512
4d4a731212e97d995a186951e4a46051b88ae4c916e9e35aacb2478f46db9368d47c455525c93d7d3b313a09a8a128b4234b130099dc48990ed1e24e68d89ef5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
389d17ac4bcbbda22f02a78ad4d29912

SHA1
4c05b202faf7190b1c260765c400c7a6f0c3e91c

SHA256
04f1054bddb130338f6c30b883c98851b0a6ecb2155461d914a1b218096c05ae

SHA512
0cfb0a23e4925deb3eb312f19a66df2681bf3b73be2dbf6bfa4526f3abbc06b1c206463bb15a764634307e87b2d53535b4ae881d6b7c3356a283674a5c3a6a54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
bf3e48b9d3f65509c9e1c454bec3b4cd

SHA1
712319852453ec5cfbfd440e2d292a1074ddf23e

SHA256
1a9b45215cc7ec7c336812d3f662b9ea66704f3d3679a05c1e8adac40471a018

SHA512
f7de5be86b6918e1794f68466cd6ed05d969b36ce1557affb365378b5d24c8c2eaf6d8fa79da1ceb58afe71221280a09920234977445e1e2820fd209ee95a54c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6adff164fdd77eae24aa9fe77dadbdc

SHA1
807afe5d0265eae21b153dbd5b702778c473f13f

SHA256
04440bd50d97cc228adde6fdce3a05733f1c1b6a1eb99b09bacf40241562b7b7

SHA512
ac52e3fc4325bb5054bc3f9e586f2518f36e7e39845d0062ee32acae0df9fa5eafbd5cdc35fb20044821dc039a6b40ddd37b7e6182e4c479fc573220e67ca5e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
2f51605ffd0732f7db15aaf34bda2b95

SHA1
aabaf5aa918b39aed1c8ebfde4731bc4a1301ff9

SHA256
14a95cbd29dcb6b1b8e718f42a63591a5886bfc39dc5311e44c13a7d7749ba1e

SHA512
676b895f30fa47c52083c14ddb3c5828b1de2452260ebda03d171db19367f0a5ba84d857e1f375629a7f269d97b1b7f6308604e422b0d32e3a4aa2092951fbf1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
384b4c6675e51a11b2b41d4fad48461e

SHA1
0ae9ee0cdeadf9a481bf1f59c329a4948e645fff

SHA256
a7b4fc30313d91490a71000955da79a320b863697b16452fc28953b632c04aa2

SHA512
519f1d4a2514261da4240a09fb4b750bcd2eb21694fb4d21cb6a7787173aab5f4b62b81a7a8a6d55b0ac755f303d4818acccb4114bcbcf96c87d8189ff630f9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d62ea739d2bb88f3e2cbff1b68cae129

SHA1
fe5735a4381e0e454c66c035e0939dc04de28464

SHA256
8af801fd7064342753447717709e0b8e547b0cefbaab45ae398a8d48e3bd7b47

SHA512
77235fd2075feab5c7574edac7aff6ab1c57a687628ab6acd54114e89800dcfd400e21975dbddbc2b936d8c7019c359755a8be979223bed0ee810ce4a5649bca

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
77cbc37ff586a50ad649efd484370114

SHA1
5ac23b6023c658547f5855f047de7c6b6eff1fa4

SHA256
efde1bddb9fa92ad6f98f00ce23b06ac4d7bf0b28e07ad8392d205feb95ca689

SHA512
d2851e63a2e52169b8a8cc715ba5a78809728174e1bd0bec41349d3262e800a4d55712988f7b48cb5e69f217c6a8607524e53ee89ffc09864e36bafb6effc240

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
4176058a15c9867ce7fef14845aaf685

SHA1
f93a8d6ccb03e17fe62d2192f7c1a31f2b3e2d49

SHA256
b2316f7c7927d719a0eadae98ce0c9bd28109b0e5c4ca3f79bb49e50da6041d6

SHA512
2811a455db08f6fd7241bfa593949aaf3df4c1d582a6e50d0ef56980c075568dfdd316df8f36d3816f6e3376fbf2971906bcbfe78b0c67efe290861f4d49663d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5bd70159a7272416c76edcf84f5b066d

SHA1
48e9737880214a5934d1eb6b64203f5570b4332b

SHA256
beef9fae88e6f1aae05f5fdfa31acf1c0d6a1d491dd01087d2d71373a1e0e16f

SHA512
e1cb067f6c11def8f7df6ac22c685f01130b42ece5ddd695c5d67db1501803888a283f8037a59e11e3ad72899639b3da01980ea92e7f687ffef7ba36543bf958

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b28298eb0447972708c4b6e34bf9989d

SHA1
1d43d033834f02489ead3c033e22ef05f7b8fee8

SHA256
bbed7d60ac516fedd07b73f6077601f60d33a96769fd40aac7b72beb1224af6d

SHA512
41b45aab676ba3cabf37ea34dbe477d3d7e8dcb296b11e1b7a574a2817f0f866c4e867646aff3bbe657bf36b97f660eab27eb5c4fe417017aecbdc973a161ba9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1d2cd5b9663c314ca256273f0c3f86a3

SHA1
991a4109c5a0138357bcab2314d2e430c5e1d79c

SHA256
8583144098602c32b43ab6d207ffc18a85d222f8c2bf16e13f31f4db6df0e02a

SHA512
79537b534a244e20b6b1da52b83acd53d9cc53cd3feec42df051fdebf4e7ca86fdd9074c51bc95695a0762ce713245fa407e97cdfc46d46eb080bd4c02a382a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e4c46be8448d4ec68ff07c994805a7fa

SHA1
dbb5b6bb3eb15fad99944bb558956a7c6ef01933

SHA256
b62cb4c4cb307b92b4a1fd0b751cc0cf271c3fc5e3aa088f0937805d7fcbfec5

SHA512
b059cd4aeccf00c9dc559a83c0d7be9c68fdc28184744c688594b98e73fa59f4cfcfb29275e9a25f35008c7c6ecc19f3e02924529876b4d5795208de176f1db5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
afac31c0ae69b62ab867e719abc99475

SHA1
d7aeef1426d1b50a1316f65f2c2adf32f362ffd4

SHA256
5142c8431bff45c902bdb2b621b32792629de39bb36b198ee7aafcde74b7ada0

SHA512
fdbc4a2acdf20e17a3dac8704209b12e404506e34ce942b71e51918ec7a740568aa34a4dedf02c931c34e03190d1da5d2752dd5702174bb87e56a38791959964

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6bc8786f5c6503e56d412c3188b20981

SHA1
1d84951f8d83a421317cbc1acf8b7b7c8e8b94ef

SHA256
cb79f3112ff7057c577de6440ad2bbd626abd147581beea908ce6970f00fbbcd

SHA512
9e3ada0bf0abd85a866157c211acfd0834a60144c61f8c86197493c7b56b7a192b7914784003d15e6d6b9b0623ca5c2301c7a9e347f4dc18ca89e1fc7218dc5d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ae182664d4fa525f96e9fb2c941615a4

SHA1
f96204716b46c543b68d6275b02474b7b024ae0b

SHA256
188094b414b353a0b782eb6726ffd53704bcc9ed6de380973b6458a2daffad87

SHA512
d2aa03b4aad69082b51cb77930c870a5c3afa4880d4b71bbffb35518e06172748bd18489d2e4ccc1d2cabdec413bf426d299c62df2e3c4b49b6188d3ed64f25d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7e3c40ffcd457bd8401d053cb561e4b2

SHA1
61457e987c0d6390dc53dc38caffd16c2d60ef1b

SHA256
24912acd4b617a8c23c68860e70c44592a9bb6835157332ba554033fa6bbe002

SHA512
bb834dd93cc2d619d3590a1a791c84903efbadfa281a808e7b1512f9ac162aa4091f300ebf0f10485db200f45ab47c78fab3a61ed4cc8a869705c95e609221a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
cac42725051fff9b8a1ae90d9bc6533f

SHA1
799f5ecfb34cc10d3bf58a1efe54fb0d032f720b

SHA256
c8fd6d458851c1a5044327979d498bc966fb4a8ba72fff56dd082a120a790016

SHA512
0d31a4ff13fc3f110b94211c3fc6da06778fc9e9e3af29782409c56f0d7aace281f37f3f72683cae9c25e06029911de38303fefdb09ba6b10d0ac14ce320ed3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
0c6c2782834b3a93105011a812fdc7ee

SHA1
df63308149b3b957b3558893bf1acbe56630d065

SHA256
fdbe72e26ea163a7b518827f8a173a1428ab9ecc93530aa542d311210a9425a4

SHA512
4c91dd3b3ca581a6f78f04f7c8388d2de06c69893abec4f62f5d4b27e48879e15ce75ae8f13cd102870e5b209ba9e112eb125d7d7fa760651d0f2fccd0bfd3a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
868e2a8df816cb63d66b8d7830b104cb

SHA1
20833bca008bc3b02e92b20cdd10981609125626

SHA256
27bff22a9ce7fb99dd3eae6b1e68a68e1cea9a3198cc063a23d06b40374275ea

SHA512
eabae72632c6845485f94a8a8406eecf7f08fd1273bc0bf8a705f1a8c6dd7f0953ce7950e5c365c882607713896368cdabafa9d25c1f55788253568cc232141a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
977c8a4c26b897f05c10c63d4a6a9a8e

SHA1
27c1f29a7b21944254d78e28fe25025e98188542

SHA256
3afdea1ed3fd3bffcb08b0f88c101bb07523aed5023ce6ff2e0b5b55246a9436

SHA512
ac151ac978441faf7992b67fd6d4648ac117fd736ff40efde09f41671f2797960b90a7d9633e1813d87fafd0b073dca8c4f6b856156f8445c8851314be52890c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f8500abfe83b26b631389e9e0a7fb8db

SHA1
a6e51091804e1c206eec68bcf7ffc3ad3ac59904

SHA256
b3578cda568c1548adcb128a22586a704335219906bb4dc16336e725b26eaec4

SHA512
8f4b9d344aed4b838bb07879b7a22841e30d6c8cc6cb21270347eed38b760fa97508cd2544f39aec5fb17e3536fe6f2797763f677076a9948935b219c4f6f9f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c411908710fc06fe0d38afd2433f9475

SHA1
73b6909975d21e77076cf0de6159e7b04bf971da

SHA256
114362393b65dd31433cf42a310145a6e3675503785413846f19f57053444bcc

SHA512
635cf7801d2e72d0c8cf03018be029b86275a473c5ef60176ca307ea3b5983b19fc24af07d4521b9b74f0a4ed9d17cfa71ea0a010552b57ad2c330ca6bc10f88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0b99cd0b7e5c233ba8be297804667260

SHA1
8c998f8b87c5ddc623237cd8fc7935b6b698d239

SHA256
4338983e02772a042a0b3f979bda9c0dd33e8a85992bbfd458eaf288405f566c

SHA512
4fa4e16396fdfed9411797fa8622e60bad938bab427cd362f31720bf412bfe0c3311a6915a6771e334b7155a0789b800cf3782175a8c5ba9d7eaf53b5a5853df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
5f0f2486206c3bcdc8fc5cf5542e6a1a

SHA1
1828d5e1147acd05b8ae27ac28b84cfcb0db7347

SHA256
2545059b8f8581304c4db70ae93547606aea3e9c2257e6c2491286825c9b112a

SHA512
a26afe6845936a0cd542a20393c96a8abe131d22c1eaa396aadf2b07e63281d13617b62e9fc844266ab4a7c24ecd2e0965f13165a0ebb827399f79f91ebcf6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b14a0ae7c5475d5426a103abe073dbb7

SHA1
6625ed7718a2d91bb420aa46e5a7b84811bac13b

SHA256
d85f89878268db8e78982549ed8ec145d1c4ba3c385cd486275584ede56403cc

SHA512
4463abb96ad342c37012d2967a5c7d2598a4bad670de838db42ba350546dfa91ee0efafb66bc6c2ea6d6f4192a635501900069eb8b252cc57ce6347d8d19030f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
67513b96a9a13c7e8752d9cbaf3539d7

SHA1
423416c8f147670d3ee5948cacd5c92776988f6b

SHA256
bd47814d0843c04e8b8bad86fb859fe4ee898170fae1119076f6a878b6584aeb

SHA512
686c8b9b5a55631b8ee2529f819b8f4688650011d5a80f67aed9aab32cd6fce22f9abe9bc83322faf7a008baa9b9b4a240185fa68487d5b0d01a831948ff7550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f7f998a5ea996c697226ba54514f8d1b

SHA1
86426fb58a928b649e09e7bbaaabb54bba7459b7

SHA256
0e045c6017a17a07693ac2bf9aa2737bf09ffe6cf18a2f085979b282e14f6a7d

SHA512
d23826ff9e3ffd6260ef79abaf02a1543f3e236886edd84d2b806c9cda29c37599ddff725cfaeee7b47d7e7d7f6daeee99e45ce5b343c01b77badc11445c76cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
384084b3de07477a602fa86b808f18ec

SHA1
958d0a62ae3729688a735591fe6f2013163476af

SHA256
aa0c496ac803083534b3ab81eaa37567419e247763dbd99d924e938076f1fc7e

SHA512
fe8a3b957937155899de30d32dd22ba70598f76a1aaf2313c878430e6213aa160ec144d7246f4c69873a0149b3ad75ac2519624989240fd661913bb55b5554f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
e41d7ec3ad1fd971e6f0b2e19c9cdb72

SHA1
806293c99a36ab1e81cff4d9c1225c0e38cb1516

SHA256
1a67f17b11c6d394eddaeddf7597c2460a6f83738f9152a935931455bb0fe445

SHA512
579d363f33d5eb190252ae696cf14d34af87d0786dc0626c9fe6a4a0ab01197ec6c3ff551fac7840a71edb214c32f6ab7e94d1a953db1d1a77c91a506d4d3751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
fda506fc47273ffc9b58085081b12a34

SHA1
9275796d55a1d1cc46d431028c0c99ad57bd8846

SHA256
70fb1152f76549d200df2447c579f3e18bd954b62b0a1739c8c85069a8420d06

SHA512
3c1f70b9646cc02398c95afa4e5c5b766fe1925abedac9087faead067f40d72ec7c6238e7ec252b75f7183b8632a7f087724e74cbf089343e820f5ce41614ec8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
96dc19bb0ff4735811d1dc952c8624f1

SHA1
8cb340a65d365ea8fc2a73ce186668ac11fb1e9c

SHA256
98f2fff19720a6c48bf8f579e5f2949f39274f62276cefb634497da3adfc0f88

SHA512
14270ae165ca32376d25fbce43a63f2490d8f3d5d5013308853591ae04c94b987a0e156ee7ddd849de3a8ebf1b2ded585b64767e55f460bf711748fd231c681c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
6c8f7cc064b01771bbe7dd318ea5d2b0

SHA1
a4410cb54cf1bc716fdf64da80f30378ee17e906

SHA256
1d9b482366b23b9c2cd67ad5d916dbb572fe4842a078a5f6c67a0f9062293002

SHA512
0388c43152b5dddf3683db248d0ab4575c67730e0ca1f74532cbd29e06a6918e489a71964a0b3f585b73583725a5ba7fc590e30790bc22a79f81a607eeafddb0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e9156bde5d5f77716a87e3c1f335233a

SHA1
8cb76aa0fcc30b75110062932d3d8382783011ba

SHA256
4120a5f6aaf8d07b228a98dadbd47893ae86354ae1c54dccc12bb6d4a8fd70bc

SHA512
c493624ef8e07e7b860de17f6c5782e8bf792e4c8aef60c979dd7877ded71a07ee73cce8dd4d685a7a84f37b045b758438cd552c5cad65ce747952a9740f67ac

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
b4de353869c892ced9ba98afecc5ae13

SHA1
02dcf7ffe488305afaf477b20c2906d80c760f22

SHA256
ebb93a52376b2761ac6c37f537308d84292db7eb8aa6adeb1245558fc7c51218

SHA512
c006840170b4a8970846338e36dbdb2db19d78d0c2b81b2519c20269632e13d0c4cbd958f1a2539beb524dd2dc9cf462e9aca91b09eef633f360ebe25649cb91

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
41bc73cb9f947736ac628826078bb8dc

SHA1
a508897a968d4c047c135519ee4a468208a87e99

SHA256
0efef0ff43c6e6d468c328eb17d0fc35aac9330d0f46774674038580438dda57

SHA512
feee7df5d262579104f32ef18de712a379387def7f98adcd39b6b4b72a47d932a27cd53a2701189e99b7c586a2c30fa7b3ed4e6cf9faa70109140b994cc65fa5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fadaf8321ef3fdb30c3028e9d1e2a4bf

SHA1
42a9641783900ad6c0827e47eb5d49c6e718fc4a

SHA256
a2d4c1609a9816bb186fd4fb657aa02247bd45d1854e4ed8b7b9906e97359645

SHA512
9cbbbd73f3d8ad3c4a55883456f216b6b454f86423b9c360d40fa99b7ea806bc96972e0cb8ab4363ca3c321022b45d3dc8f37c74a398d62b64dd6e025c43d844

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
6a662d78087922407a897ae03d668d10

SHA1
0e25a0f3738fc24c7b00071d47e9492d871d642e

SHA256
1d61d017e0e1c397ab0cf9e2fc3e0e912e41fe0c35a13e575c8ceb49c222076c

SHA512
b7a5193dc4832866e8243b6f5bc24de2bbd57bfabdb0d679307de765d2bab95916e81e85f42f90d76a94a7b0fcba70b63c0e5d45f6d76976e1158980a4928f9f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4fca03e8f22360bcdecd77e58f03e784

SHA1
b6660c983c0170118137d9f2aa0ed7ad4ff7a200

SHA256
7951279cb0340d3ad2007b5fd2f7bf666ff74f9966550cb2c89dbd0210bee802

SHA512
8cef68019228bb3145b96b5b5c4dec505b4159c19643e639aa108b1ac05695128f197a4c0ebb9806b794222402874816a5e5b85fcdbead81cc54b73f53814f31

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
94fd3cd0160f48b6ed0893220360e297

SHA1
218b48d50a6f4536a53447ebf2ae4338d9997102

SHA256
0cc093d9f9ab4e8c5c8a181860b739c5c9d907c21d2314a17d076da6568addcc

SHA512
b3b09c47dc59edeb83ae0103ba33e5e5192906c80d9c5ed77cdda1b77f5e9f1ea7496073bb9d0d878cb456f51ea200eac550e4207d921fc569d91e047df9d10c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e12564533aafb41c9650f66654dd7a69

SHA1
7f2e768a4b358a41dd7b93b8931029bf49c1ba6a

SHA256
da35be078178bb56d39f665ad6f81e235ac255e1732afc15c0de46633aa1a277

SHA512
d38a2a39f4ee39090c740b4f7c501b0702961d4184534df720e3546d61ba04b8219188fbc6f8ce7821fea300f505ba6aed40b09d1874fd86963a4e08ebbeafe0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
addca923846d0c6afa06b00b8166290d

SHA1
ec224f6d392d7fde5c85b7d203b201b3197b3bd0

SHA256
ef19dc9c9d3837813d2ead8122e0f3a8b19bb8cae9e3c6d64d4aee2293087fc8

SHA512
09411ef5ada24b80aa6eda61a0b2bb23976f9445637403062a4540b4e199bc8a09a09a0f085885dfd0b4bd2361933175cf2ef52b9d7999635899f869bf5fa260

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c7c42f7de108aa9cf1ef167da8bfd765

SHA1
5551175e23a40762be61b9f7586ef84e463c9c90

SHA256
e43a4887902f82f0b796777f00b2cef0f3b15f65a4577fadf685126bbe8d3f5a

SHA512
148b37858638703802df3f42b516754a665ca268f484ccd468b89f3b19e9f8992b5b8acf22a3314516e57640673ede7def7b80488daf855cb2f962c84887cf38

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
895a693b35671fa9d4f6e82d497922a2

SHA1
7c2ff934216f402c225d89699c4e7a1fe4f1a31c

SHA256
433a12a0e5c7458a606431f0e0625bdede849a80b2bb58d3f571c80def54494e

SHA512
bc86036561dc429f2ea56ca5bd5c6eb3e27afe00851d7661e6e3b4c28f9133d912bdb0c2ace385d54579d11fb151a2171ee1cb03e1be1c4fc8706a96d53c1d97

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
83e2875565a5a7dfa5afccb0f1cdf1f6

SHA1
cc11cc7c46e40ef5ba88d536a5ebff2eb58c85bd

SHA256
51ce9d3b00d03980ef7536d2936b37ba769a38ec699ed4e284217831d67145dd

SHA512
2f129004851152bfc6b217b05ae273311edcba7d87572ee1473a80c34d462e19defcfb5fb295a5065f9df605ea286fe742f650bf5acfccb6b7063beffd9b3edb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
c4d4a446191f9876ba2f867da4b48f69

SHA1
49a1d7b805f56b66da53cbd20b920bdd86613ab3

SHA256
47d67bcb6ec30b2fcfb2b2b4f4a4adfd5edebd67d6bd55390c53cc966e8a1000

SHA512
e237c477877b27a4b16fc281edfa0468a68393a86214cbd5dac5f0a1dc868433577f201da742008016359cc0a2472834743ff55384606768fe825af2b8fc116d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
06c50258c336be694addaaf496d8f97b

SHA1
478f333f5b519ef27895c82ffe323f7e8c7bfe4f

SHA256
8a64415dc4ec4bff06e94bc8541d8b6d08ed1767fbb8980e234874b032ec74f4

SHA512
b67c6f87e6a4f463794432a3999b803f2db4a7a1a396ddead234fd3a7ab525f2a0838449ab74ac58b16904c6e18d339cd0679d7c3de79e865663e7020cfb6f2b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f393e28332366bda961e5fb9be781bf1

SHA1
a694c67387215735a203d384dc449f24f4902ca6

SHA256
24dac633e788694037196e69e1423566c17ca84608d84fb040cc4b321bfa0475

SHA512
0e456844b80acf28e14569b23c505a53e5e8cfbd9ec80b037e995f2fa798104ca87c9b6f4dc31311cb4e604a3eb0a94f8bbc3e68012a8f52f0d028fc4bf5511e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
34142a44d61d5ba142b49f8e4b6b8fa4

SHA1
c5108730022015b1b63da0a900e2137335f77ab4

SHA256
840d01b10d38e02e3ad55e745511ae93ea8b6c30b2ff1c7fb59c6a44f88684c7

SHA512
c561aeb2bdbb571de26a7e8014c745bbcef6a408376acbe8235f709f12bae256a146978197fbe47e3c02a8598e2aa3331b6102474b3d5def9fcbb6ca71eab84d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c8a6ebc7b535991f94d24e1315d669fb

SHA1
935687a07a073fc91ec19492be892fb862195586

SHA256
ce2388f9c07b8810e181dcac821d4085c5a07c008b874ffb1ee40fecbab97c0f

SHA512
f6a07f16a6b616c9bb6ca43bd7a4c942f47c7cb5d9bf58ec7e042665ca9a5d5d2608129f644dfb080cd50e30f11262b73910ffe710d6d399764e1ece16d0419a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e46ccd63251cf59f8c8a8439870568f3

SHA1
c95d656ed14bc60490eeca03951896e833f3121a

SHA256
472747b84eaebc56f46e3327bb0edd68e1afae69b36aaa7b538364e481a0f154

SHA512
d1c6b3f106e739871dcd0e23e3b38e1698a50e4fa66437a2d1b9cc477a920be15c9ad117d758d0318f535e4b3dc02ea757dfcbcb5b60408319696e4030e09131

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
7cc6acec95aee5c0d8e57d04094245bb

SHA1
4e99616769d4dd305bd596e87d70f891b4b7b6b6

SHA256
adb3b7e0b31ad16724fb7c12086b69076d5562d480843f866074b977b21cac7b

SHA512
f2a695fea751f17521463203828e566ae9796f5b39045fb8a8806dfc675432788eb6f461d0a781b633c8117c3f621ae98516170b3a038be5b954e5ea7c23d626

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
864448265ac70dbe35024e7d1b22138c

SHA1
5a9135878c5e5528f5933df6ae642d064de989ed

SHA256
77cffc5727ffa77964811a9637ab51a0e4302ed30777e7ecf3febc53e9463b70

SHA512
58c60a6f724622fe9d7b7eab7c39116a3d413f0a52ec015fd5a439c3089b4e1ca9ce443e53123d5b8061f2175b6c86854ed8b3a71dbc6e269fc75c577a62e91e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
71f94441760d70042bd6b12407309e7a

SHA1
77637dcfc4083ea2154a2c240ed3a6f672ade6ca

SHA256
466ba6beca90e5bbfa6d85384ec3f37b2a2a003144fee100571b1217d29e0da1

SHA512
ef8b482c6c9295de8a396502bef2cbf90347cd9787373e66c728f2dcb66eb9f8f84b2012d1e42152c58c8557dea6578b0d76e49de1a403bc5a64b1381f76b699

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6aa1499b7b8810c8fa0a5184553ef6bc

SHA1
08fed1d7209d0c00ae221c0857259ee44f16ca3b

SHA256
3af87df435cd4b020d411f526dafc18668f86b4c6a2215e72db01fa5118f4a50

SHA512
cb23c6def5f99a60192af206e734662b5fb0a333804476f0ea9bda30d1923fa7522fad0d1977a6af47602aa28420eea60db924b0076022a22f5d6644397930d7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
910cf89ef294b82c6d3b4da62054c199

SHA1
eb56c221d3566c48f2fa8592a5c157d07182688a

SHA256
12febbebb4db00109a9108c8bb20ab38fe29bae717bf9b3f15dcdbeb65c4ee33

SHA512
0a0f5feb9e97bb77f1ba4ade2ac62d45bb7679c91df5835c55abcbaaee2a9fc40ae2d243bb7799fa20d3f66f4c841a2d05da4811677f0e2e8154c1904c5262db

Download Submit
memory/388-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/388-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/388-185-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/388-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/656-571-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/656-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1008-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1008-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1500-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-206-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1856-147-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1856-257-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2052-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2052-46-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2052-39-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2052-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2052-47-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/2412-469-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2412-162-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/2728-194-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2728-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2916-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3204-207-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3204-576-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3308-582-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/3308-258-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/3312-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3312-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3448-85-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3448-80-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3448-83-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/3448-88-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/3448-74-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3560-2-0x0000000002040000-0x00000000020A6000-memory.dmp

Filesize
408KB

Download
memory/3560-8-0x0000000002040000-0x00000000020A6000-memory.dmp

Filesize
408KB

Download
memory/3560-0-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/3560-82-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/3560-521-0x0000000030000000-0x0000000030145000-memory.dmp

Filesize
1.3MB

Download
memory/3624-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3624-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3988-234-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3988-135-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4224-99-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4224-20-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4224-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4224-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4592-137-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4616-133-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/4912-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4912-583-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5000-101-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/5024-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5024-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/5024-34-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/5024-136-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download