4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
Size

648KB
MD5

105eaf439689f098ea3d237fba2bd7b0
SHA1

894a531087e8a31992487f2c39040d418cdf1b24
SHA256

4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43
SHA512

3eb4cb8e68074543e4bc1c7ddb621b2dd0dbcdd7bb1dde76dd92d280a7d7156aa2a6350aa75bd4d4141ba2ece032971fc399f688f26a212ff6785baec8168684
SSDEEP

12288:iqz2DWUH3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:Lz2DWm1N3RUDHNmdPCAaq8Nozgi/rE08

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4444	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
3160	fxssvc.exe
3868	elevation_service.exe
1132	elevation_service.exe
3288	maintenanceservice.exe
1528	msdtc.exe
3024	OSE.EXE
116	PerceptionSimulationService.exe
1924	perfhost.exe
2336	locator.exe
1496	SensorDataService.exe
2760	snmptrap.exe
4876	spectrum.exe
4668	ssh-agent.exe
2372	TieringEngineService.exe
2440	AgentService.exe
2120	vds.exe
3984	vssvc.exe
892	wbengine.exe
4376	WmiApSrv.exe
3640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1074c3293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6a28467ebc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033933367ebc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046496e68ebc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d092a67ebc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003665c767ebc2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fac6c967ebc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9242968ebc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017eed067ebc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2512	4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
Token: SeAuditPrivilege	3160	fxssvc.exe
Token: SeRestorePrivilege	2372	TieringEngineService.exe
Token: SeManageVolumePrivilege	2372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2440	AgentService.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeBackupPrivilege	892	wbengine.exe
Token: SeRestorePrivilege	892	wbengine.exe
Token: SeSecurityPrivilege	892	wbengine.exe
Token: 33	3640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3640	SearchIndexer.exe
Token: SeDebugPrivilege	4444	alg.exe
Token: SeDebugPrivilege	4444	alg.exe
Token: SeDebugPrivilege	4444	alg.exe
Token: SeDebugPrivilege	2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 872	3640	SearchIndexer.exe	110
PID 3640 wrote to memory of 872	3640	SearchIndexer.exe	110
PID 3640 wrote to memory of 5068	3640	SearchIndexer.exe	111
PID 3640 wrote to memory of 5068	3640	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a61ce9f23261a039ed989bb0bfb780cc58899f241e19911d24ca5377dd95a43_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6675207a07d44ff2f72cdff00ad9d3ef

SHA1
d59674a80037d7f10eadfb71c134d8ff73227263

SHA256
a75da144eed929dd3f5ae65b47127d50b027021a0e6f334d036f7e28648d9bdb

SHA512
094d0699099b92b7c78ab30fe7617d5281eda59817ea6521a45957463445629e7dd46e7739e7aa2ed4717a79858aed83e7c1ebeff96d1837bcef441c522e8289

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
de7a33391639feb6c2cbe3b07876bd20

SHA1
71f82717f35858a7cbf9cf13b71fcb3516ee7e26

SHA256
7ad1e3ae05bfd00fcbe44830d053e9a234cccd41623b0e19644b8eca0b09b558

SHA512
2aebb04900c38db86fa956ce7ae0aff0c152bebacd3e251056d3d89b62092727618f1e2d4d65be71a4ab6fd5521b24f38f52a3a449705ed0cccbccb50c3cf5a9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6e97bf09a7b3219090dae24786883f97

SHA1
5d5663585c8fa95283ecbd2cb74ebef04e784b69

SHA256
ae66971a973dd85854c2dc1e158f4712484781753924f1e8ca44512c2c7fc8ff

SHA512
02f247c04f809a8797a85e74cd39c2f7c84f92563a9e01e846ac98b7997a13b63af2422d41de7e57d091b9a61a2a12f547e2f05b3ab34a96e1f0a4c571d0cfde

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9254627a43c4edebd8a148979d372d58

SHA1
4e3ea301c72d8a028347413b9c92510b9d6fa201

SHA256
ac38e9e5abb9d039446cc0b0f752e2f7f46ef5184588acd55c8bdbc87ca1e87a

SHA512
4272fece947c962ba2d62e06e218de2357cd7151cd4e18f387a1ab23987fd4ebc6ec0b1febb06f569d2f4a40b605554c16d674c1d00dc0c00e1dffc4c8213b26

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a0c9d941126e0b1b113ca639d1ef2a2c

SHA1
07a92e3029cbdef16f13ae10521a93e247521293

SHA256
7bcca843e8de626e7b6bd3b894b22f158265ce3c8faf20001ab4a769dcb8c4a5

SHA512
8f60f55d40e826e1212aa83bbbf766352016a4825f0344deac5b82209de972dfa4c2703abb01097d65e1279df56348295b9650bb3837b0bf2cd482e743221bec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f6dba2eee8d6ef30ac4680fa18c28992

SHA1
c51198c04062d8668e9e539d763606082fb3003a

SHA256
930e896846675bac6ad7802ff935e0bc4f467b75843fb813bfd7dfc2770d5a24

SHA512
8ae4e10a96882217c92377e864ec567ee6ff21e25ae8553e78e0542da692c79af04fef42ca3b7214e7c7834e4552c9bdb056e942915a4afe95e4dcb6bba4415d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
87d5025d7c27efc6ebf5dfae33b9dded

SHA1
2784a6435f6789b82acc15e6c76436b103c6f426

SHA256
f2bccbaa88196385bf082cd452ed63be2d10dc042d14eabb58d06239870a2f8b

SHA512
2121cb1ae2d3b1df98449b15be8e309c14274aa768f45d19af62616216e2002202d1f0ed86710fb1091702e972f658220e82298f08fdaf12480973d3fe683b26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cf8a44b56772aff409a18fde498433b7

SHA1
5d84c640e01b4b1b3ceabe208386d3dc1565cefc

SHA256
35caacb7aac2f7fc82c26f49a1604e521721b562c38c87502cbfdb0e6bb8074b

SHA512
2453bc1a8749b8c7106a2b126b3a5b792b7a556160c5c1d694b4d214d401b4f11b5e5b001c1e8856d13eb66c5510746bfca802f04787655c8bfa6339c350e1a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
747c1f1bbcf5d9dc4582222391120d6b

SHA1
24558f60832f7b3e85241ed045f44999b90beaaf

SHA256
4a080a0d1c7677cdb619eadbb9534eed40c7cee907a52c198a123f5f1b966d7c

SHA512
b44a1f699cfd7de391365c3d01e7955afafe52f186f9129385e4553af0a78d16712cbd50dc15657a6c1b1e93e210d11faa442d834b26ad230a6f08639e5c3288

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b86a1f301465cb7cecd2a1dc3937f01f

SHA1
953d7495c7856f18feebe824b6c8bbedfcb503ac

SHA256
39b55471c0547a3aa20d86dd64725d99d66886da01ba37fba9403f87c32c4d55

SHA512
52fab586d90e5dd89d4ccfc98b78a25a743db60ea2bbadac2e547f2856fb821aae44e43454f4486d28d85b99241e6fbfcbefce6302da6580cf699c0012b8af85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9f823a93e98a076c6eb267508ba83c22

SHA1
1bd76c14b79a9347283d507b9bd65872ab1a7570

SHA256
7b3b60818535d6a60127b8f691f066a85d560613e36ce61901b4c62ef40ba928

SHA512
58445b41920120cd1402891cfa71507f3bacb437afed4a892b97866fd848dc7004ce80733d6d3e4afe44a6194a0b2e604bd8c7dda6c7d6422304b075c7317025

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4eba34845e1bf22f1f4e96462e4df10c

SHA1
8fd9027397b00014a58d48c9b83400390ee78e54

SHA256
b9ffe7206d96d27f5e28c045c03fdd2233720ff4ace77dec5449c6f1df84e346

SHA512
a9f3d8f66ff2cebed83ae4a8ae64b126b601d5c64418bf5d6b9077a3f0e19c925dc0c2b6a7cecb556c0732b0a14d890974e52b76e3bec0545efeef06f32af7f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f4b911e2d60cfb49b6b6439e99750f86

SHA1
b012b00e68beeb05f70a97cbed1064672b0e5b89

SHA256
2ed98293ab5f8b1d9d21454e616111d5cccfb6de4f57e72c7a786a0496f23e0d

SHA512
e16368e8d985e98a346d56f8cc18d0d7513a019f109106932cd9e53da1e27327185d83d8a9493d539aa64952bf4de166dbcf82de79ef6c15b3ec21197fc0f220

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c677788e90132bdeff595ae5a040896e

SHA1
c4bef012e5357703631cb1ed08682416e37c20c3

SHA256
93694ac5c479a9aea3225fc7edc4f54f5e7f5ea4f2484ab99716c1e616ec826c

SHA512
b7dc63350981e2a8df48624368e9450128c33ef94082d3ba272f5b6c2a2e093c0afa97ac40d8a0e6e2e3d461c0ff8c189e173964b44043141a3325ca8758db40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2de31f42cb962bc63c19d8366a5b0edc

SHA1
a12857896abbd74a910b950e75da59a15290cfe7

SHA256
45bf150e43744e6580b3869d6bea3ed60941e5fb57c013a34303edd545d0c1e7

SHA512
0ca309ee8d032350cd2227f7cdac395b632d975f46173464155ab12d8f16fd89c47e04f594210d22513ff6187b0338ef604941b30d7744fd689a00222dd7af31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
97f04381254047360bc730a05815c250

SHA1
9719d9afca71ec5c5820b41100d0b7cbd34be182

SHA256
50d6c99c7ccbda3b5d3a2714fb39398a2f3de825dc57921978d0982bd6624674

SHA512
8486dc14c663e173aa921cd5877823fca6fef6e41acbfc1e294300128132cd61a6ba1c40813dea84f7601b3c2b0f5bc2f2283259614f64fe4e01c7d72211347e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
91e07546e8f8a1d3ef4dd32f28517368

SHA1
5703e4e3b8db1981f304f9329fb70d7a13869e5c

SHA256
7c4aa1cb671f0171cc7a6985175cb102bf0ccdebaa2ba347e47924637c024012

SHA512
219f1d91a9480644812e45a4d0deb63758126cc1aeade84b79c5d5db0f79f49fdf62ab5230c61e9a674d0fff30801c88a9f70c27bfa7f141aab1d895f815c08b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2bba9620f1ace3c75726722f9a6229bc

SHA1
f75989dfd09aa19f21221e20f566f7836bcd0a43

SHA256
997584202645fd91ef5b1001afb5a9f8c4032f815a21c1226fde9f4e8afda1ad

SHA512
40a217374bda82242fd861878c58cbcd97457df06f3c6a39ea58c891dd8ac80e27226f6a3077821a462481c87defed21ddd2c59ad6a183263e818a7e6dc49a51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8eaad827b267f68cfb96284937ce430e

SHA1
dd26866d160c64997b961c0fff0ce192d842351f

SHA256
9f0ddf7355cecae13fcb36c0b50c01d5e77e4f0a625dd64b23b7c319f5161bae

SHA512
664bade46d718f6a60c68b0358838d558e3d974889066b9b91b8720af6adbe5b8734789945149802bbcd02748a1e16ba035438157a09c87a7fb63d48327e81a7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
047f4e21771b4c49f2db6fdd35d24d8d

SHA1
2a87175c41924818366168793cc50e28b42a53ef

SHA256
7388c0ca1b27b27878d4c15ed9a0e0678e21b69c014e6bb7a2030292ea5fadf3

SHA512
202ee1b4292b6fd3d2ad114f236b35ac4905180a1d0fa77bbafc09500fde25f4836b38be4a1e7b3cdf35136d07dce6cce48500a4e34b49f25295939a9eb16e8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ac7bef1cf81bceb4b3937285e0aa00a6

SHA1
c311859acedb594a811ea6bbf1605c6a70ad2c03

SHA256
d5c0f056e77b9cb98f6a4a42e99a807abda4e5570bc65ce68ef5ce79690c3f92

SHA512
311f3ad6f03edbc776ac76ac5ebb6c1db1af0fb8425ac84477056cc54914732466240a14d145dfdfd330506bd83aa796d7aee80e6ab0720b3e0fcb5038b9019d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
363a8aad7a65bb1c6b3bc28edaba9552

SHA1
0edd65361618a7de75dc2e2d1b55a1f3b615b299

SHA256
740b834010af0fdac08411b4d97196e0e950e6795fa07827b63177705b8afef7

SHA512
73229288826399a259f0995f5ac0a7e9ab30ab6ea0788227c2e123a3fccf3361fd329225285e576472144f85105a172ddc7f10d3b1605d1248ec2360f6a12c8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
16f4aa4b4a63e393cfb374508eed1ba4

SHA1
bb015369aa40e206d950ad530337c2bf5443ab56

SHA256
256b678471ed34dfa9948b48e0994718a586f6b555d437696c7db767c793cf9c

SHA512
4a1503ce05811cbeeb8faca22838f60cbae2b6b4711d95f606064bea4444c49e4793a69b9389cc201d31d4cd59a6f02f95cdc2ea65027acb0b1fdbd89ecfa972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6a42b682f17f63685096ef04c39dd4b6

SHA1
9db308c58134928939a4bcdc391a22170f35ec59

SHA256
47a6cd75fb204d103850532cc83c46132b64c195051c34cdb0c2cf1ba2a17404

SHA512
57480331bed13956805cc9cd23661f0e46e0757355dc9b9c7952029d2b6fb38dd43d484a020832faaa800e322c7af0b72b30ae86fec4b7f01b19ffd38d330158

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a3ca834f41f00b988395b3714c85240e

SHA1
becc368fa694187e98b4a91804c473218e55e8b2

SHA256
71fa8dcf3aa3724645af844a2f43f6eb73899f5dd0b14c2f41637e9337fa237b

SHA512
619ac9a0324392fe340b41b493b8e8a9ab38157029e09f4cdeb611ec4ecd065f829d244045f46ebfe18f5f2d42a9d9affa3723371c1af1a96e55e69ca2edab12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b975dd2e8ee57f4810c611b9af59f67d

SHA1
6b1255afa3c7d7ff5dbd1e30d13d1a75580e74be

SHA256
f8cad5cee1016f47f62262bdd51f6cdb8b96ee08c73ec6c865fe1a372c1bf180

SHA512
5aea8feafacfb97338d8174a2ac463ddb4e3acde3c5db697e8b702fc66a14c85e020697516fc1d0c410aa2279659e242e5b088ffe6dd681622b888938106c9e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f1dde5245e8ec24aba23c3dd9827bb85

SHA1
12952732e7358fedeaea373f166ddc0595e5f1db

SHA256
0482493cdaa4897ad07f84353395a1f9b509611f8aabe8031ae5915f2d526338

SHA512
8d9efaecae2d821aa14e646e8f517a215ec675c1f29e98f036969873d685090d5eb37f4e479d0dc20e4f7edae1ae96268015a3497adb83f10b2965b943d1b995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f0f99944c5ec029ae23578df48a7997e

SHA1
a360cf7075bcd972e9ecbf2f61abfcfaefd9ea7c

SHA256
4676599817e92f06bbe11a9ca6c414a1c5e620c72d0db4e9ab9f757ff9cebda5

SHA512
8c579d12c6d767dd6557b0ce454d13199bdb0baee80ddfc7837d9a71dd4edfe37ab59a37dced92429817d8365d490ffcb68aa0bd11eb521caa9719ce7e51245f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
eb58d5f6b02e9e068e5696c9b7e78913

SHA1
c12fdbf4899dbc09127631f58cf0cb319d7cfbad

SHA256
5747087e4f28bd427efaa6bccf2e4e9232b0ccbecf809d4d708ad4a45f95f6a4

SHA512
c5589e1df4358ddcdd4091dfa956f75fa68f03a8747bfcf7efc63603655f1284371de9fd4ded75b1c31de418c114674232250effbbbb8074389b053fe84fd3b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a0b178e72e5351926bb2625b0b2c6e36

SHA1
c93e5fcc7120d7da501e929d4d4a0f31c4f0fa6d

SHA256
d0c89bd19a89f1c755867f04eab770dcdb09cfe470e7f2458f18bd62088ce128

SHA512
0d51d9d013eb8e9bdc46c298212bdf828c7a3480447612ff3458997a6069c7fe5d44934e1b27720023bf2372c0e83ddaacf11572f55f73eb421bb21bab9cebec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
adafcc7530c548377c44255bc5f69a7c

SHA1
d05d7a557b2f5b2745771ca33ddffb5d742803c0

SHA256
331e1832519ee7e43697a076ef879a846d9894524756bbb39bc4ae8ca865c81d

SHA512
8a8729a459f4488740cc8d81e10df0f30d3890efa463df0cc9bf45a13b7acae808004ef58628ae943de7950d591e0b5e52ea4beb9c1c5f1965b62dc553dd5142

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
927d0e0571a02f835946bfdafeceb11a

SHA1
74ce4b12396be914fcf437c591b43086c52229ff

SHA256
d10a60241a96c5067fb01c1c9c0fd47c28e5ec2e4f8d4db9f1d840e650bcadd8

SHA512
e517988b1cce5dcad8d319ba1cdf82ce99d34ece981292dfb47c2063d0588552b1567bdd7e5a023e75d32d5ceee5e37b4fbfc0392a62a256deebfcefd4c09fa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f6bbdb338a177ec7659dbbf7eaa1d0de

SHA1
a2fe61f7a1f93540983d38c6bbb9a14d635c7211

SHA256
8c6165743dac130d116af917ce9eb3cbf69607b289782e0c70adfea9f65f794c

SHA512
e4c12ae4e98b523837203072f3dbce7fae8f77fef468a8f01c0a7addf629ea796a4e9a3549ca86354d2a19f2834881517cb273b876d0e87597c7b83fccc9a809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b1965be8a7b98d2944b09f22bf10ece4

SHA1
b8233909257dc91f1abc67401417f5f6209c18c6

SHA256
515861ae3becf3fa4f7a2f9897fcb0d677931517971073fcdc8e16816cc1783f

SHA512
7b3844427df39782a45ace2a17608ae91fd83f3370ab365399528e0827ab59da154f9b7e0e03082584bb9fb72ce81079599d158942564cb2dc1e3dc40113ea3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
48b4312748c3461dfb50881ecfaac64d

SHA1
2e6eec0f5ab7783c31c32f9aaff34a85b1292026

SHA256
6db75b4d780c1022c29763486bd9368fdd4df6e1b6150c0b8c1eac693dc8eb4d

SHA512
b1e7d4052dc97f7b07d4fdc63fcd27050b7e149e1f0fef250c7b83ec12dce251b3e79743a179ada2f5225d31fcb9f75a81e6617d10e4f637f9aa97151dc6c94e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a6496c4d561452c9284500c056054b05

SHA1
df30ce5968af8f32ee6a14a9e212e36f9b6619cb

SHA256
dbc0cef3a8bde5f8a239764b09935212a1bb4b296973ffecd36656256303a955

SHA512
085980e134f57e2d51471550566a5ee9213070f7fdc77733ad74bf3786a93fd07a14c89d8139a6ce45659b12430bf92b1f354a3a55e632c5a38b259855250ebf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
6087d9cbe0794c089686968251f795de

SHA1
3ad0b3584be8bdf93faf192f5e381dd0650f115f

SHA256
643bce4dc29cda0fdcf9025120d93a023249de05a680b8e7a0410b7ee2020cfa

SHA512
bbbdca7cefaab665f3d01dea7b8c0b216fc332eac96c5358d504d188662c8a9bed231f52a9f2f8920e2088de296b8b24b0c7fbed6d4693745c65ce6866b4263d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
446a7d93ac678bc5abfbc1a23648940d

SHA1
59a69ab11630af815fa03328749d11d4c9162dc8

SHA256
a475545f5c0763ac58f0747cff8bfb1d0171f443f398bcb2015a08708c514b5b

SHA512
3290f4d9a6e9079ee9bf0edcf156a4ea8f64b2a31616b14878597ea40b95abcb37ec897fba4ab8231ec9c66785a05c3e09f45fdbe0592b77471ac03a248de219

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
87e79fc7cc62a1527c82b51a3fcfa489

SHA1
8423bd0b271d76b3a636ca7b57f78e16aa9ba859

SHA256
41967dca32a4953dce2404f00175f4f76525796602bcd39297c6afc9d5ef6039

SHA512
a774aeb75f89da27475c52b64d5d64c4201f2180953b09c8c257edd0a8be170dbd6d1a5b7560e98b653909575e4f56df2b71d55a108ba1ab20d6bafa23b94593

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d362938bd9ab87a766147d625fbd6bb9

SHA1
d5d43266dde77698732afc2fea5ed365fe5d4e41

SHA256
bb22ade2c979c14d5f268807421d6278fe43b7c6cc9dbc492a335e6cfc22de4e

SHA512
e5bba4c973aab8968e40757a876cbaba597a020ce325725e5a6c1c03a7452f934d0f1505f654c8e6af08330d555d5fa5b0605889be8f731016d3961d6d5b2335

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da331afbb7b64fce27a4cb5db47f862d

SHA1
8495db52dbfb5a03189cc8f8da981b76d571d93c

SHA256
ff30804363ba33abff988df172b5571f3de0fdfe30cf08b48e0bd021b0c04630

SHA512
23a8f7e4a4e6a44f8a5f3da66dc8aa64da0d0d45d4477a0eebb56a41fc202c8bbdcb14f80a9b939d6d292efaa5f71e3790d9edcc740a735d98938ed19d19d4e8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8a5c3a82971c9cad6dff77fff6c58c1f

SHA1
74a9db37b61d79f12ea7284a5e68f8b0dc83248c

SHA256
1366430e30033f6463c1997de964c74b4a2e18b5d583814cfe8ae1e3cede67d5

SHA512
ee03655835a34a47c1c3d6c934ff4b5454c2728721ecdd9c1f2ef4bf184b5fb7899c6f1739f4f97e5dcba10a34c051d6f2914130506bf05b27675b27be749977

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
676acfcd054e012f664f0620473739a7

SHA1
ec26c63d349191ad491e420c2f76d91cc20197c2

SHA256
1453afb0ba49533051d57ab1a8e5fe79e620a64ca77ec4ecc33f0e913325ab02

SHA512
30758bb5109225e741b9aa8492104336faf076f62fcd413de87078961a699c81fb6666fb8a2cfd82217b7b9b4c7079a26e19fa362bf994eaeb36a7d94ac243bf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
aa1ceabdd3916b67a4b5c9b0bdc62d7a

SHA1
846970b765c4360d3dfb1e0fd4d0f0d2bc863631

SHA256
fef8a2f633156cc8a8024a62bdda474e71ab1aad0fa5c4baf3ea35de8d0db9d0

SHA512
66b080f52c00d8d4a14fd3cea2b3e05846e052d2bef5effb64db53d4c52c820f9cc8345283a3c96135620bab7e51cacd0e3d2560e5369a3c30ceaeeb9d8e8883

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2b04f1a538fbf45def8274732f502acd

SHA1
f8b69195d13c4ed70125b0d210ccd4308ba4a683

SHA256
aa651bc62bac77b502b1b1dbc69975e10406bfa1110c4d7ac99abe33b739748c

SHA512
26e5c94cfaafc0b4469bc662858bdc046a5168814e070a44d47518f9b4fb0036cf5f72d731aa8db775424eedb8ea126d39c5eac178c41a452b30f43468355130

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
384373d6d2974b8cfc5b1d932b18ae1c

SHA1
7aafd65337c52645fb4ac464a839b3fb79e71204

SHA256
a0610f70798e9eb94f15e382b5d0965e6daf220f9bafb0faba67c9bfbba20c0d

SHA512
e82507d235ece6a83779b07ea5ba6b81457e5c4b815dc6174eb72d6360219824fef617c434c2d2b7ee52a2344ef657af2cc12b51b174ebf5de17bdd321608b20

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c54a6f71a89d66e30713662cfd9f4ec5

SHA1
b956a633f41cc63c5e6414be1d83c062206e7b90

SHA256
6f05356b289208253cdfed702fd2ee16d48c76c22f7635dd270c38be4b163a61

SHA512
17b415047c40e30b5e273f713f661b520804a0081f8ce8f85fa623e9e1b86565e4db92d81389912f8e2962cee3388f81a7c06df63f56b834236a582779098592

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
67f9a278fb6a3ae495a47957d48829bb

SHA1
a7e37de44d0a37c269ca6240270f89b58307e878

SHA256
b5416df56a1318018677dbc6b9b928808d4d87768b2c0b820eda19e2e62db2de

SHA512
9b8a6d6a3ba26b1faad9cebf6ca1ca31e1bc6b2d95dd7d7bc03f0e451e5c47d7f746a9a3fe9c7377a11e77c3a0fa0f81180ce4b21098f0a3c49a8aac3b8d7b60

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
69f2ae0b800f41f37dc0e3c178d7a31d

SHA1
bd5cf338e4ec1efbe508fb67257eedcecfb69734

SHA256
6bd669203218b54f71b47429dc590ae4b7a89a7fc40f94d8ab12a4d000406d7e

SHA512
0b7d00360308fd086b6224d66424ef0ea7cdb859f888e07628bc32cef4493e4def700aa8bed896d8092a7708d66cefdfc7c2477cbe4415d19a868f085b437dd3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ffadc055066d6617e81926f922bcdcb9

SHA1
f0c14afbae73f327c60ca9b4361f985bf47c8803

SHA256
85adcf8ffbf9b166d5a5138cf1aec3b29d39b3d373b2083522d9a79dc61a336a

SHA512
4a346244a1df13e9617850c95e0f4bd69ab73bdd0d0af776bf6e5fe678eadae3b7e780c8df1ac0a3ae7702dfd7d2a3e117342386c99aa5433d2daa6f414f52b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2dac326751ee9da8ec7b06c8517abaf4

SHA1
b57fe7769b10998d0e20efbf3650f74e779bacc5

SHA256
899bc83c5fd05fc90c815f2a7aed25e2da9941c3dc641dbe2dc321c42d146822

SHA512
874075bf09f4abfe47b0cd8eeb8247d423fe4fe0f3ccc1a4cd047ede4f60fc2c3652b4574be3644d700ab73ed180a23361eec3abb78781e4ce8974f53348d304

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
37feac4b5f571162d7652b0604b5c801

SHA1
2d36232a1fdfffac33c8114699293e08c262ca42

SHA256
5a1fc0e2f4a5bf2d64407135c713e9a87a647544cfc949b18caddc8b6b29c85a

SHA512
391f9a8fd10a7fb8f639c7eb57225dfa8b57fac45dc4ed062b9970903de692090e581987b5d2ce552cf48f83a5cfc3dc666af4b2037e96ac49c4eac2e64afa9e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
00c076be074af2a8ef742582e9a11a48

SHA1
b25cddf01d0efa651a859cffc498ce9edc17b1de

SHA256
98f3e894c579df28c69fe5e87e811598f1f983a6bce644c7dd3aa294785e07fb

SHA512
ab28e436e3597bfcb5d6cf70a2cd1d8fd0a1714c92488ffabf8e722fcf919bf209b95f2a82fd65e6fae3012ff8abcbc3520b8156ca18d5819f1fb8e685596eef

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0a31b37c7fdf743a0b7aa5923b1048cb

SHA1
578cf57fd2e1f835df61dbfb06ed9c26c4d4426e

SHA256
dd830c9156308c66175ed2a9cb06c32915cf8d3ad94dea35a37255d069bb107e

SHA512
ff4783c15ce0ec9def8e3486e2168c913bc0d4f39a419f3aceaf7e2bd451b863b9e5ef31ffda143fec77006c95c78946a979bfbae362e527fbc7f8cea9c1bb2d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bf8d9bf07852185ef226992f37b1f0a0

SHA1
e8e3f59d73c629c895d42d2e190f7210afdb732c

SHA256
f35418d3fb0576d5d1138e0f59ed1c742665e1ded58fb603ae3661daba31e031

SHA512
24ce55f4d6ccec19330b5292c0dd4c335d4c5162ca8dad7c63bfd299b0b1f2d56dcae4416fc6db239fa8f9eac8045ce3652efa100b58b87fa41243b2ed15089a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2a024207392c973ce593822596c90845

SHA1
9ab5869295b37f6f3bc7cdd4c16dd4716fa66000

SHA256
118850dd790023faa5f0a5f9fc9e2a819e2e43f3e96500e3360746cbe05609c7

SHA512
04af7a507c4e23489b3bc549e286ad48c44f998a7b41b854b6fd021d2354d7ea321657b103c4b7b0a99e2e514854ce1c7dfb98623ca750f4cd4726f42644c7c3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c73fb526ca695137e928340676347c98

SHA1
f0de15a8f5338f791fdc46a3460d160b8210a21b

SHA256
29adfde489712b6fe7a5ff7a9e6f4895630b42dfb33e71d568436779e72c927b

SHA512
810e476c18758746d34409279bb915f8a77928ed5f90a67a91eba0928367e01801ac3c1b0e0ce13b8a3bfdc78f9a90dc930d4f2ed77648d58c97e3b36a0d5420

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
423e490e4094cc2e5565987a472c4831

SHA1
f7a8cec499805b161df033277e49b4c241079758

SHA256
deb835b0b102f97b99b15a72579079088fd4308469635de80d6a75416f1ae763

SHA512
bcc58bffe40f7ba8c9bfb4329254fb73d5ab589ab91a426407d3f7aaff96b29b26cd9845788e5019c3a965ca0410219d87cc731f7c5fe2f89262d8cb39ff18f6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7a77a15bf4bb3be475867399ca195f7e

SHA1
2de937b7190673711bab1a0ab4a8eea2a193494a

SHA256
a1a753a248c029fe42f2bc04af0ecd7fa8ab917d9f13c84fcc39b21103798e81

SHA512
22591f6e4b52c18c02f23f64f144ced9f8e7d0fdb098053d9f4177f44403b783f6583d486cf14c485c834ae76802b410315dc2adf8b50bc93d5544025a42f7cf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c8ee0322b14d45ef0db38e6c91634a37

SHA1
32fb5a437c9e61cec9372c624f75f7b13dcf867d

SHA256
351ccffe58425c0f3424206b8a8c706cd0389a079d1bd5562068c200b8ed2986

SHA512
0e4bf1068a356decb51e8dac1c4fc40774c1cc5e1d68edd09a9caa6c38c72e0da78eb140fde6fcc5d08d68e9816c24f80bf6faa0e306695556eb453c926aa48a

Download Submit
memory/116-197-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/892-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1132-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1132-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1132-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1496-200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1496-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-91-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1528-195-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1924-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2120-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2336-199-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2372-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2440-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2512-483-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2512-9-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2512-482-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2512-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2512-64-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2512-0-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2760-213-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2876-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2876-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2876-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2876-462-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3024-196-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3160-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3160-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3160-47-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3160-49-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3288-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3288-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3288-87-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3288-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3288-76-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3640-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3640-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3868-53-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3868-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3868-59-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3868-547-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3984-553-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3984-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4376-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4376-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4444-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4444-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4444-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4444-262-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4668-257-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4876-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download