0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
Size

648KB
MD5

6278c1db54d8001b80babab0cc158360
SHA1

70044abbc009c82dfad021810b307434c6e46457
SHA256

0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598
SHA512

c07e0d74cb7f04d1b48fb6ea0bb82926f6fe1121644e3923b95e257f17f54798d9e347c18d9620d9e4fb5e84fd4fd5afbb7041a22a1137ec3696e6afe7a514fd
SSDEEP

12288:fqz2DWUHUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik87:Sz2DWgatr0zAiX90z/F0jsFB3SQkM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1256	alg.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
976	fxssvc.exe
1428	elevation_service.exe
1712	elevation_service.exe
3292	maintenanceservice.exe
696	msdtc.exe
1504	OSE.EXE
4164	PerceptionSimulationService.exe
4788	perfhost.exe
2744	locator.exe
3064	SensorDataService.exe
1788	snmptrap.exe
332	spectrum.exe
3204	ssh-agent.exe
4796	TieringEngineService.exe
3784	AgentService.exe
3144	vds.exe
744	vssvc.exe
4628	wbengine.exe
5088	WmiApSrv.exe
4216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5470404b7dd2f4b9.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99406\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0e5cd1188c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000056bd70988c6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8206c0988c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001645b10988c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001645b10988c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe
4688	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3076	0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
Token: SeAuditPrivilege	976	fxssvc.exe
Token: SeRestorePrivilege	4796	TieringEngineService.exe
Token: SeManageVolumePrivilege	4796	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3784	AgentService.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeBackupPrivilege	4628	wbengine.exe
Token: SeRestorePrivilege	4628	wbengine.exe
Token: SeSecurityPrivilege	4628	wbengine.exe
Token: 33	4216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4216	SearchIndexer.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	1256	alg.exe
Token: SeDebugPrivilege	4688	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3108	4216	SearchIndexer.exe	111
PID 4216 wrote to memory of 3108	4216	SearchIndexer.exe	111
PID 4216 wrote to memory of 4336	4216	SearchIndexer.exe	112
PID 4216 wrote to memory of 4336	4216	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cbf6fb5d35249987c853d8a74e3aa4ffb572408bce09f35b859d21143499598_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2480

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5f323e4904da9ba6e26164554ea96f38

SHA1
249cea577c57b607d03181d53afd5fb5463d4e24

SHA256
7ae04c58c396a56cf4c21a1eddebb88e230a030c034b5422ae551a5e342f178f

SHA512
69dd97b617c2645b975a0e7d936486b51cbd0dc3b49abfb72feb772224df82c902823f5f52ddde3386009d8b06af026b66aabe6e4e566ce64e0eb57ff43d9bde

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6da2dd7746570aba58af3c70dcbd2866

SHA1
c2717ec024c80622554f9708d29e21cff2717906

SHA256
81a223ebc65bfa62c5784aea7f1459bf6f2470cf0ebb5ee5c91c9026a490a971

SHA512
3117c0751d48bf88809169cf04e9f9cb483c17226948f3260e715adc1a01772ac842a7db1a1b4f30994298e106077c2fa162021fad0fdf659c79ea0aa17f9783

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c05822f182308e53cb65740f17c58f18

SHA1
b1e15d5302b0c93d53be9f624fb25d5c8484cb77

SHA256
951475846834b6e709c0cb1e8282bc4483808dca13a2cc7e476022dbb27a13ba

SHA512
38fb6e6058edaa10d54315a0b90b402aad74709be3dffba14507dbb007ccf91b29ed1b0b167c76d095e45e132388e4f030d0d3968fcf0eaa20227a30a58b3f79

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
378c24aea9b46616369d9b4b23fd9f6a

SHA1
37b67d5d45bcd51be234d6752eeb6c8928097b17

SHA256
e51be374cc00e7df4a2f68e437f7fda9ace35593fa0cd215889ae5b720343ad6

SHA512
5c367987b2701841bf91200dce0117cbdbebf0c02804f8b6b80e262c11422b8ef09cc59c50801eda4c6d7731d83fea4eac613153a7ea7a1162495d721660ffa3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
874b36600600740341a92128edfa1c59

SHA1
62f00e0c34206d476a1b7492e1ced5743c404752

SHA256
f77fa5691e41c3818209cf53072aedfcd2d019e97e6b4481251713c32f497785

SHA512
7587d50fc9740f8869009c33c200e78b86c239911e435fada696596b98f1da797a64444a5aca9d56419342ddfd7504ad216360ee255667a90a195aa9f1d4305b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f692d45f0e7dabef6b93dd4ec30f15aa

SHA1
da1150262d729f6ee39081602516f9546071609e

SHA256
2c2e8adf53b44c8fc0cf8b767f408449be090e40f390d262ec979a98106c7b56

SHA512
41b93d21dac4e42a1441f7c64f7876fb0f5d0dee37a86d8b5185dc5ed5f2058f420e2e79814a1668efd8f2a7d6f2a2c3ad42aba03b8c4297de4256a941c9910b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dbd4035d78be45f4acdd762f287ba9ab

SHA1
05c5869f738299c6312dd31f3356d17dc5b30440

SHA256
2531316d8d2ad72adf74b56c08149259e078c118306ec572bb384d7d565f5d8e

SHA512
be4ed437f42c838da4f28e4b6d712084d1d963ac5e69e883077ddb62ef92ad8a198b01033c1a4626a0e5088218a65585e461bde14d491e6b192cb1d3d30b1583

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
791a0f5e2dee6486edfa414e7440c087

SHA1
2296be5019d2a29396ae7dad38d50de12c698cc9

SHA256
71385dd0b80f08fa46cebf31881e0c1ba9fc2df8ce9f03a03a57fdc9230e346c

SHA512
bfd1de1ff1ab973fd56e15457e7df9dc4524849e05ae4c473b8cd3e9c6648c1e544914e0ccb66b982338c9671937ff8334d4ce3cbd0b66468b4c326eef4e8e00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8373dd841ae8e79436b968db42cdf9bf

SHA1
6ff35071f8e3de48e7089f2024ab7a2e18f98b61

SHA256
6a4ee6f788cbe9bc5c601c9129504d6764248f0cb234f6cb1fe5af5f575972ba

SHA512
6f8132c56d7c0b04c8dcc086db32aaeb6a5fe5b4b54d16c93c5eefffada5644892b5d0cb817f92435fafdb71b4a85f72499d8bf2ec7f2ff18ec84e82136f14d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
23fad2e65fe2c12036c7f95f882b2744

SHA1
f03274f45eb5cec407bc4bbd9220ea256e56d479

SHA256
7ef79c8287717cb16778b998fc805f3c118d434dff3aace8eee04e1a209b6211

SHA512
cfc5b2b8d59f8c46d16a009d63072f997d5c8f8edb109f1476e89e762d6d00ff0ba39bc03f34746282fd4aaeb083d3dae370c843b1306ffe6f9550e2afc433d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8d0cb14b8b229ce11488436712bc7569

SHA1
88e8eedde4937ca531a4f41e5fa73807d5d1e45c

SHA256
89be2eecef8993b4ea11dbfcd4e2de5026d9e75dbde41e5bca267dc26637bba4

SHA512
6cd8c9b33dd32f0876caca41224610d07bd541f77d1299dcacb1f062c3c8f4bb6c1699f31db035ad97999928df43f326b93a4e98276c073bc63900bef4f83c70

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f3082fc45ebf9ff6fa02f59fab24ca7d

SHA1
6e49259db1f2f1a687c5d9c5c5826cb06d49d697

SHA256
e9e2178c71974611d17e366d3c46b05b3f8f026ae6d630f1fbed2feb4aabbd4b

SHA512
d85a3d7abdcffb8d31ccf452b9cc5bb3967fa5bc6cde10e0826f181a6a8c27b6f94740f950a6c56daa27a716618d83cfee9610a3b0efc35a85670c77a1542c54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
59cb1089ce27f7dce81668ecf4cb3c88

SHA1
1aa3f400333698441bd3aebec610c6916e113202

SHA256
a9df605b332237e6cf814dff43f9a3db298b99987035c938dc965a27459176c8

SHA512
1f8c0241eac66bb9ffc987f5d72c36d0d9a9a3fc66f1f05c65319846441ccfb167d47a9e40269161f94190e168d50ff24a0adc99ea0782ef6600a35fded12ebc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
70ecb2f1d21d48aff9d671e63d2d0b12

SHA1
fc8b5af34add9da5a53c21b700e78a4f99ed37d9

SHA256
0abf337fc3abc6ab42e03c9dec2539643f52cb4cc55bbb33203b1ccf57cf2760

SHA512
3f251280910c08e21e92717a02e8c407b69e8e85cade7758a3c1aa150cb8b358bdda411832510a00792aff0fe1f35e7f28ea8661a014d48aff24ff549ccaed7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8526a1f7a29932de8abce0e90ec1dda8

SHA1
4bb30f68471d8eb6621e615cec04815983b0f17d

SHA256
8e7416343d499c4287a1445aad2af0e02305c5b8d9dc4c14886b807942df4b18

SHA512
11a357cb4c3c34cbbb9bd048ffa611f658f6fb703fe42cacb69b931affe79ada251af1e24aa6ae73f03b9723e449bea13e06662b1922111c3f49f9588e1a4516

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4aefbd0b1aa336600709b5909c20a8d8

SHA1
30ecaf1e489c9f09355683872de2e176b09f8c1e

SHA256
9cca864df8b59e27d60cf60a10552064f514fd149593a9cdb0119c94ec24eaff

SHA512
87e7814534247e9da6dbe51049991dc61bd5bb38d319fe4cb70f68bd48e2663a986a0f8c9435d320ad734be981fd80b375b46f9ee508086f1f2f362496dbd744

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
51740c90c226abd4c7b8b54a6e367e6f

SHA1
745e6fdda3e6388eef019c7dff152bcf4a9326b9

SHA256
d09da3017489c7b0fc21d3016eb2bba01db73163972ca642dbcd041c57290bc7

SHA512
f1980ea13c8b8cd9438b7670e74745f2abe919cf0d67a000f800e23c9d58c1282bc816815f0bbadfcde2c277bab82e973fa0fe596d63853e95f1ef48c6cc5a93

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
607421c93b83858e5bab9721bab23fc0

SHA1
951d2fd2e5de78f31450809054a53cc42ed28f34

SHA256
77f69f0de607c484e02b6ce89bdc16c03a972de883d948774aabfe4c0523f614

SHA512
3efdff801519675310fbde9cda38f9fc3b20756453273f3fc89376cf69da02c78ae258bf449b6c1a3152cbf832e181aba14b4672d98557b3ce6bb2307fccad77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
da1e70c6f101ea8ecaebe1853cfc7cd9

SHA1
a1ac88d9f71235c234d550effaa930bb98d85c6c

SHA256
fa97b13cba1d72994f66f0dbbb46c5cd3a3fe1dbe5d1d00d4f4dfa14f722b84d

SHA512
aa6c01eea76e14ccc2a0e46d73ee665790174789beba98c4c76ccffc5f0082b310d7407f27b03be9526aace2a12d917d088f41fc5da24508ed8132589bd8aaa1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e9f362db001260655df809ac59f90639

SHA1
bfc0653473e0525f94635993d07dc33ce2593711

SHA256
0619dda7335333ec10516d855b702d34b4d8a07ec985cb8d19f5a71d59638f0b

SHA512
0629fb6619248fdb41731bb28382d31f4153f924a98564dd4143bd75256d610138adf0f0c6d650f6e6ac372f71f6f010629bd8f6fbe688da3362fa417d9d8afd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f215a6c10b4d1c738a94c9f83ab5c812

SHA1
c9bcfd3f90fdcd0e1128640299f2fb17c0496175

SHA256
fbf94a5f93ce0629faa8bd0f31090b7c0ceeb4f9adb5d58fb523d574a65ff8bc

SHA512
ba8ed754409cbf87857834637b1026a900f835731a34ec129c0928b4faa0f6c54326d04b2258922da50cd1e5c638ed914effc32ef7ddab925de13b5b289fbb2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
81538356d4d7289e587e45bddf14d3d5

SHA1
4bde164c36b330071e80edff1b99d14a12600268

SHA256
b49b234c1dbca71967d54308bfe25076619f6e03bfea7d318bb9e5c3905f243a

SHA512
cbe674335f69bdd705662ee433dc7371c8d6d98e163865f89212e845629a665735dfd1c8eeff23616664a4e5cddc4823d12ec77d0997fd9bd28b508917b1d2e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4083d8d2d36fefa4502feced1287be40

SHA1
bc4e2604dd30032cf163058c78c558ec5da90e33

SHA256
387998f2b886c7354207639131b5a2a2e40b8d7923974925b7eda51a3db6fd3e

SHA512
53ffb3de901b866f31db7b003627459919f4db9dbaf24055b3a20f54ad9a3af7a12f1dd69999a3b098c07c53684e93c0bb119b41d49d8a326cfd48e557f5e7b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f631826d5d75b5074ccd7847f35a9fa7

SHA1
9c573d5732b5dcd7cd14cf8a144dd33bfb7b0666

SHA256
dbc62e43751f9001c8f32a027ca3c045d2d963039205036deb694abdf8346588

SHA512
abcf4299e0cfa4d8c0df6aa1a8abb74cd96f8f6bcbce366fc0ddd428d41a60663ca688498e062a77164f2f6faf86633ffc8469c9c08e4efc905f785b1db50d7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c8c138e48b1cdca9af1098b14c450409

SHA1
05849a98e537574d76a6f3a7876395a1dff692bb

SHA256
19955c7f7e069d75ab65cfbcde079643c99a4893ef3c416004decc881684b612

SHA512
0b44006b5eb9375812a648b3a622a9ba48ac5538c211036625138d841f250d6d931e8c9668b09f031cb33d99b9094e9a1dce3d69c734c1850e8929d585101d21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ca32fb40b2fc66c05e77d127a48c5496

SHA1
cfacb1bbad6c97e0a2750bb2849519b0b467f7fc

SHA256
81a1a86dc2e2e0012ffec09b243478205a7567b861af450c9fdbead04a607ce5

SHA512
2e64d378104059fd0aeeddb7b10ac4ba9a12e284d4902153d8c0ef62e534c0515566534d549b4a573f9ce080f43c4a03d81e0c2602161d15af0cfbc5a7b13d49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e3f9837181c089766967def7776731ce

SHA1
d541f3dec20b8f6ed4c691616841532b228f8087

SHA256
1167e7cfe248bd4d207302f0b7167098a8230a86886f075242bcd552bd88c0d4

SHA512
7cf0f17df1a9efe519cf3166aab3e92596407e08a5d3015cd8fc938f8049d42c8ff80cb4abd4c9d391c40556ab797b8457b6639ccce16ac7d8f0c85c22b747ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
59d146af5a025e5680b6c7f972f5466c

SHA1
a3602c1573eaec2843c86e6fd4f43d30f21038c7

SHA256
fa232b969611047c69afdc71bb76b3a3fc34546dbab21f4622b5ee5f5e22f2ef

SHA512
46ae5101ea75031c2638b326a1bf6dd01bff43bfdeb49e9f20aeef449b8762e563f6aef0a6f54b2cf4daad32d6b7d7e863c6c3cd0969b017d57f48852919cb7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5c8f5326b5360bf6be573408caa527e4

SHA1
24e67f5b2e70a143d7249e51a627ac2054ffaffa

SHA256
9bf11ba27755be903d4f2ffef3c5340f1b745232cd261d7af624ddd93329221a

SHA512
45433c2817dae614414a00e8a7a09635555c574374d038b6f866d893f020a72fcf6f230fe01d5e8b85fa958158beed2b9e1a432befa12e967631e9a179b9a1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d95e0d2034e1366841cd1840c201a5c4

SHA1
b3a7925a8b0c481498403f86a26dcb7da2bc5cc6

SHA256
acf92990f5ca9327702c30ef431140c7566450735d373e4a476bf8a13b61a724

SHA512
bda7018863a0e09e2bfd3e2207d84af5fe153ab51c0e948e15c535ea164bbd9203c1364b234201a1f278dc857e0b6bd801418ac1b67ed1e2f118b3c83d78747b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bd863152c98b16b29fa008a885f19ab7

SHA1
b0fec2d2890b46161a5293aeda2140c3d6d9baf1

SHA256
b1e1225039eb4117678c0149445c8d087306118e9823fe0716f66495d6ae4dd2

SHA512
83e0fcd97a50dc84cf0ae5e804baa7a220ed6111454e11d90cb65833555e211daaffee4cf4587f12972f6458c029efd8073a7f248728452ae45a9ca8580b2031

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
40ce742693cb7176b3e3580d82200815

SHA1
259fd22c92def00c8249670bb235532ad2a143b2

SHA256
4140eeba86bac83e27da5087b1f109c7d586e34b2eab41a6b281de1a47eb28f5

SHA512
24865e91dc06c61dedea5e4543ccb059fe55dd0094b46430253e3e5181eccb687f3ceec95416ba3e96ff73d974da21f6ebef1486dfd92d6379112c7fe51c9fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
570a246d57cd8520af8be0de15d960bf

SHA1
876d1a5e176e97345d5d578c32780554f992c902

SHA256
b14c33c5b23619bfba63edac6b20a064bdb85a5f9c08d4fb5d4c0939375acc45

SHA512
b1e8bf610fe0069ec50fd276f9757421beef6ca27b5e0542f47f1dc074563577409ad45dc04515680b611856fef7fe68def21737d1d3d3b108a915a605584183

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
187736245097625897a8a25f7f6107de

SHA1
92ec61c302204b20a15c687c8b9518ec2e6f62fd

SHA256
ef83cf369db5d2c72b8bfd979debd42584db0074ea50b72acace6757827859ed

SHA512
ea6a6c5339e78e9d54223748ee790ef5708e070afaeac294a2b0ca0bf76ba53c7a4e02172309730a08c85bd913f534a1632259d0828d81ad283ed147d9298151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5176b3c53142a01e905adf9af70d65f9

SHA1
a3a582ee9e19e596f2a247461cc3159d259ff35a

SHA256
62bf977247150e7fe552df00f832efca70490066bd000048ef67b82ccc5cb91d

SHA512
45c27a4cea17adc1a4f25e5ceeb809891fb4b1d960c8d22b80a911ed6ce1288c5729bbcaa06a6e3510c3c16c271d70fbd1b53b7dc5d8c48c1d4f1290bea9c98f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
0ec7372eeb04ec915f4700d3dd29bb9d

SHA1
044bb30e0e52bd2937a367f34a991070147ab6fd

SHA256
6d315083875ae6c2ecb797f22377632fff5a1b5c28b6a5cc33f2cb9d85b292db

SHA512
b3fe4fdca56cdaeb760197e1054bc2aa301a2eb34688c5ffd94a32069dd8efaf9a7578e1877702f67bcadfa4f4a5738191faa39a333415acafc5709680961f5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
aa25ba2ef29bed363a59e4c0e5bc0df1

SHA1
908948b11ca2e9299ad7161d2a4a22dc7fccef34

SHA256
d7d7a80df573c76f0183de110047c3f8ba2f50620683e79bc654d939fab978d6

SHA512
9f67974b8b48081c3e0911b9b6727e5ea0bc99bf72a57a82998af7a6e9be7e8cc1bf9d97847b80797a093034da905fa57fa842b6bd2b12a04f615aec6fdb60db

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0c12ce1f70412c3797b838b5cfc84009

SHA1
0f60f6d824c91fbc9f84b2a50ab255407dbfb87d

SHA256
3b91018c097128516dd2a768e89e448894c93a741cd151c70f618ea6027437f7

SHA512
89638b0905397aad7be8500a7d9e8f9c283b473f61564cf75a05cf847c4306d9adb2238f7d42621e3f48671a065e01124b2d4f74b428c50214b64f307d4d0dda

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bff4194e53e2281da7a00b08e0056f01

SHA1
ac165d18d04ffc4b7bbcd8a1c99e89670a1a3361

SHA256
99e50484608cf5697fa4164684657fcff6f8baa65230e3fc785597ecca1c7d94

SHA512
93aa70f01c70e5f5592e9e96d0ed720c902e69acfedbb325813499be264b258578bd9def36e4cffe2394d6a3012969dde63590e26c655c5f90b65d0def89d03c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8ee9dbf3a38743a9c535200a60ed4902

SHA1
55e2ca1b1f422eafa21dc1067b63003df0018914

SHA256
54b30e27ac660f9d35da775acf39a0936d68539f1c10ccebd50659d5ec236eff

SHA512
5d73b1fd9f267c0b9ae58e73ec4cbf972ab88fb97de0d2f2190ca5475fed22eae7421246f39662273d8e3d99e42eef0a1a32295b1a70db4df780563d4880eb14

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b7f27311578712c5afc4ad1e0c2cf1ce

SHA1
1c7775a745d3f6289bb76397854051fcbc0300f5

SHA256
aaffa6a67aa18680bad8c0bee96244d8cfd77862a81101943afabdae5740a3c3

SHA512
a68b39db3914d17818d58102f7b34db765b7b1c5b534efe792459b2502143e423518fa737183e495cd60072d3c3631b98eda62b0fd55f502e5c0a0e2ae0ea33b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0f0ff4b3e128dbbecdf22397ddedd8b5

SHA1
76a1e420716d664bf66815678264fed5c02a28c1

SHA256
23154b654de478af8137dfa99da9a73f399069fc5a78dca333779597e8358c97

SHA512
5649520a435af4b5b97229ca3384277e7a2ae112026b497892d79f546853de51ebc1cb34ef3b329de3d8b1047a4d77872aabec546a566915b8488a5d8eaa3e2a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
936db202922d0b77ce3ae2d11fbfa286

SHA1
bd0029e75d42e0474d2faace9734caefc028f12d

SHA256
e5cca1321690aafe8ec93ab68712c531bb93fa44181441a82de08430b493667e

SHA512
ef3ff40bdb3b04f20909bde645784964facd2c1fc1c8a5ebf06dd6b940d91951986e4ceecd74efd6bdf8442904618133d53ee1f516335af61da0381e0da06966

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
dcb5f9a55779433eb27ca793db37035e

SHA1
6a68012b62a531fe56040b0f5f48c46afe8ce03a

SHA256
6aea1aa09ba5a87738139a854ac22892359232ac21e764281517e29033b7b6b9

SHA512
7f7f916d600db95b845cfd0940dcca7609436998358367ccb5d9ac6a25f4e3347a53eb4c89ca651ea7f142b26b8faac6adb337bd20fae438f5a0e2ad79f2f4fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
31636a636d0dea60ddf166915bd0a10e

SHA1
a8ca1261115b90afc0f688f9d6a8d0014329c7c8

SHA256
e529485692df1085d339db034010b124a37c32f0e0443d024d003ed6da6b44e9

SHA512
cd7f250c7fd58ea98768335ea33dcad9c351769c535a29c1200b7ebfce528943dd774d2e32bcb82c8bc5b4a2c8987974230417f1c7fd03adcad1fdc057c97699

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e5225069d6c023cd28060da996327913

SHA1
02a6f74747b469edd8d25f5d17a4e29f2a7180b9

SHA256
df9350ffab38490a20e9dc188485e5f6f8888a9c758042b8cf5d51beecf0da06

SHA512
8b41cc8b7303d57d09973c39ade19a3a63855277ed2d7778b94dd92854e535c04f953a874c55ee1ccd2e0db33e742da28ae94f29447fb8b3dad829c5373d3534

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
972311d1892e3e70578977d1f11ca84e

SHA1
f5e549abe19c774a892681c25f9bcf9d7aeb6cef

SHA256
9496e74120528352a246e135974970e6f7cb93cf2e0040c9a91fa44024560474

SHA512
1b1a77736e358746ddde5fab05993b615df2f6b6f7579cec606f390d3eff4f245b784d927c2047b0e66c21f92e7ab1f7441aec124a990de73b58888dde4c627e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bb074c44ad0967a969a4736bd97dfe9a

SHA1
3a7c70dbbd4fff14d970bc9c4ddb73a36c01c88f

SHA256
b64dcc7bb491b98c10207492acea040e451341a6d82610f9de7e95a969eca4b2

SHA512
1ede987ea5463c19bf930edc26c33d30305abba494c89406f306c7a5f893df0efa4c7cf99c6f1924d81eead31f4daa5e9e22ad7608a61b8faa398ec3b378aef9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c36bb69706260f0252550eb94b9410e2

SHA1
13347dc991ec62848edebcda392e2b0afd1be65a

SHA256
28de1bbe621b3263d889b8468e6d9f0fc7e1bf311b4fb23dd8ed44ba5f0e62ec

SHA512
01ceb211422fcf34df3134ebbedebe96999c00359ed15c8a3e9cf1ecd75e02f82d05a697ca1754b7e286a37a74ce0b1d9c9b7cd413c629c66c60173e9a7fef2d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
df64059d7016de09a8fe6916a5cffe40

SHA1
19e1ac331c72db2a734a79bd17a0632e89b0b175

SHA256
e9387082145b36f9e6ed69804bd40c1d7126ebc0875a732a4de494ec11b2f1d3

SHA512
40c08a4c6134784121ce90eafedbe5dfbbbc216e5e62989ae3b904fb2f519aa34a97f1fe6d20e26e3e6dd0bc897c713b944dfe6e530e95a79c35f84fe48d7334

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df66a158a591b0bd665e4f97ba640771

SHA1
5e2054c403957946381b639fec0de83762a217e8

SHA256
836598814ddf7e27939fb774051e67304567255481b4546724621f9cee98f5a8

SHA512
9f49c48a0ee2fcba0cdeffb7f86a29719f64cc7d554ba9c3e8e930bf917b161953ca61856ed7c969aeed77941bfcc082b5bf15b0ee80aa98181c6fbc3bedcda4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
279921b33db3261b9e53a3617a078b6e

SHA1
6ff04f8f5f7d32a7880ab1ef58520bba34522828

SHA256
37fc28c0ceafbffe18ac3aa1053295220b9997655b1d5d75b1ab6e9e46ea0472

SHA512
11af44457e48a6e182a728316141ea4aa60b085430d8eb33831f63bc89e275c37b393ba76f70b7966e1b6045cb269bfbe82a9436aab45e69d201860e951cdee7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a81a1b64e73b4b7f7a165f19a5c987a8

SHA1
abb6951723b4b7e4bb6c7dfdd41ecb99a5a6ed26

SHA256
7cc0eadef11408f354ce9af46ad4d53c81ffc899e1f8aa849a668c4ad61a94ed

SHA512
a465c94c32e720dc2a4f419719a0a9b798f69a9d1b6960e8dfcd2d19ab7ce9d0a51cf2e202413d4586a8d568046c7e942b4f0f0b5e69413338f3f1e731e5025b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
376d4c0004ffb36d2844955c42b78d1c

SHA1
3568687e78283c98bc32998f83d5e7ed97e46ff1

SHA256
c5c3be3f56ef099aef1a171d636aae152bbc8995030592dd6b5896d4f09b3875

SHA512
9d326c4a6fc2ad99144ae6b7760cb01b37f0ff8c1ebeebcabe3a4b887cfc72ac497aefa42eb4f965ba2ab7a71edc653b1b62e178d3e39907bf9f23271c00d7ae

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c4df469998b90feaa22436eae1ef193f

SHA1
9c8dc1f38699315555b04cd6bb9f984a0231b73f

SHA256
5dd1ff39d980ab3d75ad405536ebcf75bebf7d4e7983d7cba3adfbfb155f5102

SHA512
1fe9826f7d32dedcc8d740d14bc6506fad3eed4ee9c6c028074aac2de2242cc82c650a866f4ca1565160b704f305dc5342a8bf355025f9f6d5f43ffed3aad1e0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
59bf8efb173271d39448fd214472f045

SHA1
4ec13f337e8c5f495090fa3e4271468c31cee02b

SHA256
a1dd8ff4bda9e08546932b0808b8ed5c7bf74ceefc419b55da4390759a833a2b

SHA512
66a2eba4863d7024da013e3dc02e90227d0898480c7990266e8d37f1cbe5afb0be0f0ab85dda63c94f3540b46c88e919709f5bfa2f1d6456d0d32a69b7ea4aee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40b20b330156397313b54b9004af690c

SHA1
5ea6c2f0654f780397907226165d56b1f2c4c7e8

SHA256
1fd976d7d73d58c1990aa31378009f5a6ec66c09da2434d393ce65bc160b30df

SHA512
e4f9ae1bd4db5c56ccd6bca1d4af746bfb1e3d4333ab2e52c14601cdfbb50380ae84085b7c8e59cf7aca277cf64c7d6f684a691cba702feabedb308d40047a86

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
94cdf2c6e633295382516aa6a7c4cddb

SHA1
f4149fcccfc5a8e5fdb162d64bbe10d8f3b80a5b

SHA256
799f05ce495d92f8bf48dd067de8dc8f131eea8cf3ac34f0bc98202122de0f6c

SHA512
ce3c73d4b9bad2bc0e4bfc1331c256176c1b48c5eb85bbdd2089f95b0bed0275dc88cc3c043a0ed57389bb2f8a2a24bbb3c919db1838dc68daef74533ecf8737

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d0ca0c157a85e27435140477fe33d819

SHA1
84807ea82768e1a3afb23ed52dafceb2ddb40c9a

SHA256
b6b864d1df804ff08c1fa97555da884fb0cf62e4f8a9b2739d881da0e020f23f

SHA512
cb8fbf2b4b7f35d2a7bbf65fef15e2e33183279c27e673d214b6649ce0a262ea27165951200f20cf553b2e43c646e0b01ebde2746577c11a96a804d640f23f61

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ff7530a849fa5cfa6f204c4070f437cb

SHA1
6e0c6f5f328389ffffef24e39b230c0d56a512e6

SHA256
33688474d6d6a098ecdb11c7614e13fe48fc703dbbed75f55c253348c0fce76f

SHA512
81498c8979d9201ff6ad1ae927c63f29bee710efa13fa68d4d239c687e92185c54fd2c3d8c9508449b3de09b2c65d33d6d37274a1d76eaa76f74a7ac66126dcb

Download Submit
memory/332-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/332-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/696-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/696-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/744-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/744-582-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/976-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/976-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/976-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/976-50-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/976-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1256-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1256-14-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1256-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1256-134-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1428-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1428-60-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1428-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1428-54-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1504-137-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1712-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1712-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1712-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1712-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1788-184-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2744-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2744-440-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3064-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3064-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3076-1-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/3076-75-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-464-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-466-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/3076-9-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/3144-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3144-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3204-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3204-529-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3292-83-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3292-77-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3292-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3292-87-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3292-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3784-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3784-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4164-138-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4216-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4216-262-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4628-585-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4628-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4688-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4688-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4688-186-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4788-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4796-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4796-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5088-250-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5088-586-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download