17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
Size

1.3MB
MD5

005f87a4e8d0c430cb2615b160a96f60
SHA1

6e6545a97e1028728dcf35c2fe4f152f690ee289
SHA256

17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5
SHA512

ed325f7b601763ce3c18f2c86a326eb9969f8c19ad1664dec6e00eef8340436831eb068ddc09531b2d4071e98356ef7e7a68870a63e05d6283c5e46cdc5d45fc
SSDEEP

12288:2qz2DWUHxqTSgZG5GnWMBUKZGYaJ08vTZLfX+PdgdnW:3z2DWWxVirnlBUKZ408vTZrX+lgdW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
232	alg.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
1992	fxssvc.exe
856	elevation_service.exe
2300	elevation_service.exe
4900	maintenanceservice.exe
3900	msdtc.exe
3972	OSE.EXE
1676	PerceptionSimulationService.exe
3572	perfhost.exe
4420	locator.exe
3984	SensorDataService.exe
3604	snmptrap.exe
3944	spectrum.exe
456	ssh-agent.exe
2824	TieringEngineService.exe
3632	AgentService.exe
2228	vds.exe
2076	vssvc.exe
2196	wbengine.exe
3628	WmiApSrv.exe
1312	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c6988d16c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c82603a4cc7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ef2f13a4cc7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2fa373a4cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062ae0a3a4cc7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055100d3a4cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5e6433a4cc7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c09f5f3b4cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008647653a4cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe
4772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	440	17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
Token: SeAuditPrivilege	1992	fxssvc.exe
Token: SeRestorePrivilege	2824	TieringEngineService.exe
Token: SeManageVolumePrivilege	2824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3632	AgentService.exe
Token: SeBackupPrivilege	2076	vssvc.exe
Token: SeRestorePrivilege	2076	vssvc.exe
Token: SeAuditPrivilege	2076	vssvc.exe
Token: SeBackupPrivilege	2196	wbengine.exe
Token: SeRestorePrivilege	2196	wbengine.exe
Token: SeSecurityPrivilege	2196	wbengine.exe
Token: 33	1312	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1312	SearchIndexer.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	4772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3092	1312	SearchIndexer.exe	108
PID 1312 wrote to memory of 3092	1312	SearchIndexer.exe	108
PID 1312 wrote to memory of 564	1312	SearchIndexer.exe	109
PID 1312 wrote to memory of 564	1312	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17d57cd788c4ada75fda55de60f3078c496346cb5d182a3d9c8aa61ed604cea5_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2096

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2300

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0254dc3811c0aa5f881a3823192eb27f

SHA1
dba0080310c499cc9f492b905a525c7c516df229

SHA256
44da1757971d1883a4974612ee981f7ed6e309e3ada0ab9c4852d704f35c7130

SHA512
d37399b18775b8e6127d580e8e23d3746c66a8b7df38dc355ae7c31dc886ad9e563c039fc892c88d5fe2e6f5ceca463f90e44239b2557e30eb55621cf261665a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
100414fa70c8ef8d097fac373dc970df

SHA1
4bd224634385bf283654723acd987517986c93e8

SHA256
2a47c16ced961700d15900a9aaf648612e75391b7e0cb0dde273cc3cc53a82d1

SHA512
348c1513292ca18aaf457a699fccaf140ba835dd6aa311e836d068fafda8a9b5c4f277a1737683af10da073394f599c3db0e4a4cbe2123d86ea95f38e1cac469

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
62f98eccf0db41296bae680e87463bf9

SHA1
be5fa126d0e4816676ce9ac0053e79a6f5d57fa8

SHA256
c278711553058f0737432874d89c808dc0e8e301f619afaad9749555fd7d1d07

SHA512
be21e15209f3a60150b6c37fbd0f0fef1545328e924e6b780b71b45e1ba89fa624b69d002bf460fc68a913c5cc3a5ebb7238cfb9f3b7a61492b2f1fcfe4339eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3d0a77e9e31096d817e9ed293fed50d5

SHA1
4ddc607b13acf7c7a2d565c4cf13cf6ca09f4a4c

SHA256
20e9197ceb7f050c2a4bf4587a1dba59fe416f3430faa95d1b49ef9afd7f60ff

SHA512
0e5afba8670fb424cda166fa437b35895f02d35a7fa9ab4901a788765d72f6acf63823769003aea9fb6cb208429c03f91f011b48889a034bc3f21feede99e3ec

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7577e598087cc3c8806a428fb7ce2193

SHA1
023f9d5710229816704ad35f085a24202bb5f549

SHA256
5a405f6b732b9bc84203aa46966a954d42aedc41fad3b010015cdd691290e254

SHA512
cbba165cd6346a3e016a12a4b1a291a245fbea791f535626a3317810f54c8a9b49fb5e0c92beb3e08e780a8b5325eea93dbfc6efab3208ddecfc059a6f3f3613

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bf7de4563ecba0b955c8ab9341540c28

SHA1
3bf957f0a5e18e8f68790ce3ed78552415ca3f36

SHA256
f07381cffa210247f1a1521bd317eb6e21f7d6a24db36ddc3a27733b204a5583

SHA512
ae48253768d862b15d58302712b5440bcc65b3813faa15a89324e726cc83284efeab496a8292f056db54f6a858d22a39a50447f7be214b95f3a0d47432143043

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
92922bde764da92a23ab0c25dd7c9e00

SHA1
1e59c2841c111aa49dded495068acd56252b26e2

SHA256
35cf53809c3dde94ab52a866872fa91246ac3544fb858d294dac074639c1c20f

SHA512
8548560bdf6c2f5cc5b7b62211cb90c5965e6ff8ea8e58b4479202afe30592f96b6f827e70cdf67a4fbfa865d83bc3591c80156eea137e232d8f5327b7ccba07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
82e439bfdf258aaeffe94af867f85299

SHA1
536fa0e884a365f64393cd999d98cc8e738ad0ea

SHA256
c0c023a61709bfc8c9fde180f86adae1879fad2636ce5cc742652eba24e0bfbe

SHA512
2414bf72e6e56db379f525042618e6d188e66481ea6f1cedaeaf60614f7224a31e1011a0f54efcbb850bc1d50d42768f1d1168fb202855fb6293e5c9f18ff010

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d708da3b6266afc42b168c83a7892e03

SHA1
d4f6e3b18dbf3f6562e8a0f13f09f77a18920219

SHA256
125323b0070754bc05a1bda6238d95e2baeb25a466ea978d6aabef6f6ed4f1a7

SHA512
37d93de2107c9a66ab7584be5a6890a54ff5efd14517dc6b745eeac9947fb916185498a1f7098abb85f7c79806a312f566feb85aad27a4f557d15e1541a99662

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
52e5ca327c4d1a8eb6d12aec5fab35bb

SHA1
f07d6159e92226e09db0ba49ec99c9b895f4fada

SHA256
87f8ff074a6298b3d19ba045cd1e3541719e6696df0e33f681db5a2848faea77

SHA512
9390128e1caa13dc900568548e729edff400bbbbca88e81368d69436a90e31558bbbfb139c49a90e1a394f5b4f58af7833b572477b63a26855a3b521418d89e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f860f5b936f2b88952a8dd9513dbb417

SHA1
d904dc1b39dd9604852cf27e2611b00d263932bd

SHA256
4f9cb1c98bb7ef4b046d5cb58bf294b53e8074b2912cb1fdfe19a83ccae04d48

SHA512
aa3a574e6cfac6a708f7769d52c0403f39a6ecc51f514caddcb41f66c0f2a1b68e7af4a3669d04debd8cb2fbb1b836cbe3600a51b729909d8fec69f963dcca18

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b31ee90864a0fc35895d7811a8e3dcff

SHA1
fbbde3a8e14ae78a5881637891d956871e2bf31c

SHA256
08a3fcefeb4a5b536cc662f2842eaf7026327325039885dcd41d83c19bc144aa

SHA512
5847256bca05fed7f1739e090a2f3a53db148b25ff35ce76768312c6c01f03242f1d6952e51bde8e9acf1670c1c0068a5a2ed7897db1f2148ae0d2700626e047

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
440dffe964587aa4fd9f1fdda02c16e5

SHA1
a3dab58e4ae686be2ee0e6b27cf7a82b6768340b

SHA256
c4f5af71cbd65927816cf478de03632408648598bae77cf61cf1158f80ff8a07

SHA512
6c01bcf5b815d5ca8d35320e8e6312027cb96988f2d05d8641388b3c7a7a6cecc807bb4e28ff7243a28e19b2f6b194c2bbc3142313b4c9c146ac76a94635c3cd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ab6479f8b0be16bfffc689ad58b34020

SHA1
2e36cb999c0fd0b4140d36da20717b2aa56fc8e2

SHA256
b791948904227aefe4a12b256f28ade4bf928ade0e6520af5d97837a7bbdb34f

SHA512
d7e1fab6bd672d76464c30b8e533e051068cc0d4fccd1401a0053abc6700ebbf2bf2c037233583f9d50973e526c201c3eede7d4a44415d4bef5eafdac299bcdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6b9ba17f4b94dd5ef9be30faaef47014

SHA1
82e27e156ae921bc5de021cfc2d7071743b42ec2

SHA256
b658d18632a0c8e261f69c99eeff565933a9097ec813365cba6f143446ca9a31

SHA512
6fd72f041b8a69805766669d48b53d9de46873fb7b5abb25dd9b1104223bf5a3c50f7b9604e791be020f54d3557bac9380b866e936bb871c74dd03cfff4a0117

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2e97192392604701a56e9b67ee826154

SHA1
b9091bdc27b84b577f293a8582bcc4db434182e8

SHA256
f0bc2112971810b5b977813586160b467d232ca7f8a153b47f1b5087d83b17f8

SHA512
5a5ce572cfda843c2a92e64b07879b6a9480ccea7cdcb181cca9bc2f5f9169cfc3dfdaebf91b2bcb3f5b51ad915a3a9a75b3db7714d74004a0ca210bf0d9df43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5a5271407a24b0e2f3165dc5292ce3dc

SHA1
f8e80aa4ba9c3f0c6dba212bea2796ed8496329f

SHA256
f6f3c116875d4946ab366453044c97b570bc69541622575296ababb763c584b0

SHA512
b3308ef615032320e59eece6b195dbf13536666d4aceb031a9f31a1cebfb1350b523d86104ce6507726e529cd3673ba2ff508747c3ac2c4e4c31c214f654bd18

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eb515e225726267f491bbbca5a123c59

SHA1
b7318bfe9751600503886a19bc038b970e8ac22a

SHA256
0ff344331c8e9356bbb550b6147d62176fcc3a13b717b718c45b106ba6aa3c1b

SHA512
7bae036017c43b655774a748109497c4fdbfc5b6b3bf9c931272a9aab173f440f2f9629e5b7575dbb2327212a8d40a4982e5b4eef8bfd13e1e21982fdb70b094

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ad50186c3229d94f1c5ffec09017bed2

SHA1
11c0e8c672b07d687eab5676ab4517bc183d7a76

SHA256
a776e88ab92b533db8e833c00777c6a3f0979ded27d9592a1ce268fa625871ca

SHA512
d4088458fa2f3de04fba633ece75d47e4765a1b35f59ca2c0ef64c010a33c75860c37bd339d9f2e53d2392c4294088839f3ff9ca976fcd5bc6e490d09666207c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
26ed1a54cabd90c6ab8fe3c8e429c5f8

SHA1
99dd6c814ff453f2525476b6717eb8e093591717

SHA256
0282a03d880dbc2eaa72bb5f9bfd212f479ff01d2154e86dd68d739fc6e446eb

SHA512
f7432f580eab9cfc2826a93204d57e048a9440fb7f69e7d088fa485a8af189287f23367995263486a50937ab25b17660478f8a7da67fc59b1c90387ac5869208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
44141165e5d0188af38a7b75bd27704f

SHA1
dc6391daa2dc87f42411318cee763781221d90d1

SHA256
31afa5698cb10493dcaf77a10e0ba2ed89ff78206d21087f6e681a3ec31bc434

SHA512
a0138d767dc0be4d5a48ea85da5b8fdf9bbbd2c42516c5b49eaff12107727f9fc3dccc63040d14ea4c19139928123e713ee0d637fa759f7c37a5b36ebf414a94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cafd02732b67ef9c7b374775f6ff619b

SHA1
fec35b5e67bb537378140ed2dbffc7688ab16344

SHA256
c6e793338ea6aab8f7d8bd9b49a8a93488dc3ec99ead2672c4525341a83722e5

SHA512
55e8fc3673b59e08f3ca1163b37f3be06545b01ddf06422eb41c0904f8031d6aa857e3ec4ad959302b905ca258d19397e195721825e7ca6b7ecae98a3567a0b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
3442c1106ba0c49b3c57161d0850d483

SHA1
06eff4077b7c79e49bc60214b98b8711a7a2111b

SHA256
44a9654a3783797b91f6d05ec8fb3400cf897153a7e809ade8a624f8b483fa81

SHA512
3e2c12d58d672e9f3688424ddcec7d4845dbc1f76079ac12ec43d19682de6201223024797048f188be11dde724d787a648a90a4a67d0dff6691b3f0c7464efbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
56d9fbd918def252cefaaf327c12dc14

SHA1
84649ea0308041d2f7da24dd9fdb76c9a497063b

SHA256
aeb82aaea2f2029e733640b9d177315daeb8622991c6ccd87edb4a4191f1961c

SHA512
37ab65b69ffc09ba2c3375be40c402506b8bfdd77c72799cb1a91a0b801dbf922017ef5d3d8b297455b5b91a36f64c93af976a21a69d5f561b28dabe6d521dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a95ff659148cee303fd1e2055f94c093

SHA1
36e3abb81aa3b2b796a44e8e1d623aa319f1683d

SHA256
c1dac238bb2e99c601fe6c48cd4aed41f9cc8579aabbec402b6f35397f54293c

SHA512
ac048a832e2af2435638d23e4f2e930c78d3d69996d4db82e0277ccf15424516049a8bc329cc6102e5879efd396b14687d6c39ab608774c4c8e144451fed0ad5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2db284211835c152eb4fa2d2485a13d9

SHA1
b7872d62d068eeeffdc6ca69979976da74aabb31

SHA256
cd53590983082995187ec7212f409d0eadadb49762dc663a06ceb0aca14b76d5

SHA512
360b84a10a32d21558a348c5ddabe0aebcfd7b31c76163396681f21b859fc6048d2c28c7697bf82f1d04a67409f3f410d2de04b552a61aefd1c87e7e439e8554

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ec3398962f312268a8b784c9193224c2

SHA1
9681d49f0bffd6e7cbcf4c13f5c6d57081fc0b9b

SHA256
a7394ff04ac1bd317b041b2bedbc9aec40011f1b323366c593701952d0bd79f2

SHA512
6b84dcdbfbba427bd6b11400bcb2feb319cc1c692e42c72b3c5ef55807f8921853a72082a45739ed6b8259f178001c4e6af6f3130253ecac3e14f163e9f1444d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2bcf9f15f1915431e27c9b54653d7485

SHA1
82edff31388461f35a7b26ff4f1fc888c773e921

SHA256
9c3249cfe5dade0cf57e624b89039b50cc75be7ec6c5e53fa3f88a9fd7c7d1aa

SHA512
5283c6779cd7dbb2f555bd1ee2a39c2b53966660e039b7377aefe2c95b6a7891ae8f169a93eb2384d5e0a466c9b8b801cab4d63a0fe608b127131e9e2fade139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4d36158a38a7e9f75e8e6e5b2565d984

SHA1
bcc538042429e4ff5a1a92f3e5217424f18f216c

SHA256
0b57affd454055ad8a2491a9de82104c7cadb287785b8636d66f3233352aaa20

SHA512
7451b2d63df0d760eb21171eb0a32762c639dfc5f07be7c817d6165d6fddd3b2f7f977f17f7896558e2ebfa37b45ae894a32bc8006845e5bc4ce56428061e603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
af9d247a0b83137a3238f93b10cedad3

SHA1
1091aac62c7c634960065350276f1f76929581c2

SHA256
aa7dbad2f35fa292961868fa710cc302ae30e50c6abff079277ffc5e0aba734c

SHA512
9208359394b020ad4d0fd0f40396998fc84705fdbf7742249ecabcb244e56358eb539cc637264044268125fc6df72f7115ba9e145fe270a6d6ce8ffad60910d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
196b85cc05f86c19066ad0d1fcf7052f

SHA1
df54e609f51af42f2db7bb58e9feb4c0b19ebfbf

SHA256
1533d93238480bdd1cbcc04f012164f60a29a2e8dd2f415e9bd0d0617767822e

SHA512
de25d8345530c41d9da4f673f1df7768b5eb7609e63279c14b846c3ce4266a937ca03591958e79f3d50b6397e10070b131ebaa3a955917f52289fd7a70714b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
96f435b3e6f697a4eeae0425e70b034e

SHA1
ecd4809e1a8e719e73f374a9c4176e87f672c229

SHA256
9e39448486274e4e89d0240652d083e4c8b6026a730a2d4488216f69b71cfa33

SHA512
7369fa7a3aeac7224693ba2f1399b1cfe1ccf51f2b92dcb58fda4aff9ecf9c2d0b551e0728361c0b98a4365677b739ca2637e4045686f518e0c2803dfe649d39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f2e91606416cddd768f97cf58a41be48

SHA1
b136049fc236f9a104ae1a333e642b6ae15b9f3b

SHA256
528534abe69c81af8848bbe3c3d4e46944e2a6ed25cb16853fab323f5fa145d3

SHA512
21773bf5f0a55511c70c76b1fa6b133aca06e06b90a77a7c1d230ed33c10fc632871d8c1844bd5d33568a336cfb957ad15624a6bebf407eebe3080c5be1be8bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ba45db482c72952d0dce3814f2da6fa6

SHA1
23bfb5ab8a2aad2dc13635d7c13765d1774bb756

SHA256
c20d9809bfe8061e512f76b21ea0bc9eb49f66f1ac0dbebdc284edd986a190ac

SHA512
b5c4ad9321270453fc86c00a19df4dc6cf592c551dfe1b76a8a8efd5b92f8f049c151a328e3298459e0a29fd214a55d93afb12c6b26fde55552a13562f4ae44e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
106c8fe907d69c3a4f58e5c4ca108b68

SHA1
219546050041632c464e92cfd774e3b93cabb84f

SHA256
be707792c937dcf3004717f02a943ed30299f6913d1006e84706ca9d9423e445

SHA512
8385d7c0c8fc9d6b26b9cc7243e3432628d57cf092208d292cf4665d071cccacc8c1e061369981a648c3981665f9205101269ab6d6d58b054d42b55e107e7906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
374f03836513a4d8e3935fef1b14b9ba

SHA1
749f57003ff55fb280c593492836572a17a13811

SHA256
94b7614defaffc02cdec260308f4c0920713c50b3ec8123e2d95e2698708e53f

SHA512
190d47b6fd6007497720458fa0ae07139f5f351d677d2e373161943450cace90204fa55d37cf9a5c142511f3da4db7dc64bea37bad6a98d8fb7d635483623dd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3382f922455a98a022a96f1c7c3703fd

SHA1
6e9a6a8560e5f6cc0e1828940cc0ef146d5a1db0

SHA256
8914662e5f4dc4d609db777f677f51340fd2853443e9780204531ab9bedc01ef

SHA512
18c30246f02bd5881c92efa5d3f49c23e53f82691eafc2e97c3b844f71fa57bf718174cecbe797c99c968e2bd366780f3d37108cb078a9aaf6e5f51d1d227431

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e99eb8163f1b2cb59af7d02d0a95c14d

SHA1
532868f7c73537afe534dc846c6c69208886fc27

SHA256
dd71d76bb8fa1bd10f12989430d9341b38d9d4aa124882d3f597f164e0317104

SHA512
55ca4c6a2a2348e18decf5a1e6a84b374afc1df8aa8fa6b391526ebfbf9606db69d64dbbf0d28c21d680f05c7fbc8a939b7dcff64807ec1516049e07d560a6ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d9509cbe394a47969b9e4f1103837344

SHA1
de5eec4d5720073167f5bccffea8542cd035f2f4

SHA256
f328e24454ace28278ecbec0321416fd725aa11fa50cff9a302f8c328f37a845

SHA512
fa8b13aefebd94c3dce69e54faa4781de05057ad3d4c23f8ed9cedb333ce11426b23e9035a80d016a6a9edf64e7653a2ad68f64c41e6d7ddadefdae5fabaeb07

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0a99da47e1122e27c2abd6814197b4b5

SHA1
fa8c79cd027a4a12ab2b11e9822e6b4e5b0f0aad

SHA256
2d96bd7549b5ebfe3ee6ec8ceb5c03ef137e42aadb5e28d47c4f52e49e24fc8d

SHA512
0409eb13dcc87e0520fce858abf2f7cded21b772eda45a4c5c6f89c2b7d67d6fb5e9869879f63e7bb5955486558f184919788e9d1b60b1893a202a42c9f821aa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0fe2aa381408075f0b84c76ee32e0d3d

SHA1
c56056ea1623bf2eb38114b17d88e76c14eb25d6

SHA256
495480b0fd5722bce049325caceb75d48b96fadf663986057dacd7722e5b0120

SHA512
5ff88fcc8db4b903eabd6895d483ebedc9df75b9d342f7fb5a59620bd8265b6ee3718b814b52e28ec22462dc748c196a863fd44c59f3cebd5ecc234c0a7ab255

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
50d24f4814fff781014488aa127fb52e

SHA1
1bfd5817d9321cce0064158c1a85b6fc4f2b5c43

SHA256
099476d0b8ddde5088df6350796033775239b32d2957aba52d933cb08fe4be1f

SHA512
28137524f3bc9cb471a4ac6396a9a5bfc30113714c066484bb7273813e9fd1c2d3c754452b1cc3e32d13fd79f4ca388b9ae02a7bf4a29b505bea4d6d59356455

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
85683f825b6e4b93f76d8593ea2a102f

SHA1
89e431cb3b756ffe6c87db5a0e05fe2e059006ac

SHA256
2868dd034fa7d747c3486fc4d21d671a2ae2cba7e1c56ce679fcf310cc9cda72

SHA512
815992e8823265c2f4f49a48e248f621cb9ce8063951417d7700abb23a6bae3e098ab6a09a81b6f4323016cbaea3990d07ac0db270469b7b66314f33a4d95331

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
58cc97b3197e0239c3cd7c1ac8c26cc9

SHA1
81c8a519b62284e34ad69a10ab7e2187dcdf8090

SHA256
16611cd7f3193bd7a0682ff17afb1f192d63a7531bc8b8239f325f611cddc0e3

SHA512
812ceb6c9a00e8a6a89dd895f76387e621fdb5e8df73421cdae38feab2b6ec9d4583197b2b5e85f2d29956d13e814242348fc2309a76be8b07586544b1a5c2ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d8741113d69e251555e33d54a68bd7c6

SHA1
8cce422dda0a1e3f5718e3cb8a5e0fa45238873e

SHA256
7784dab2288177846b7a06d41978aefcb27dbb2700e5812bdd2a28853fadbbc9

SHA512
3693f9a10e8364a904681c8f70d7caaecd9d7ecfa3bc9131c6cef034145b0123f14930cd551ebb389436b5afc2df9c5936688ce1520b3213964cf5a2d820019a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f93dd9b4e2a5a0704e90ae695be63c86

SHA1
19a88e740ddd1f182393374e95ad320a465384a6

SHA256
d3a4bbbbfe7665dcd3f80727d7c4132c42fe3bf77f5cdbf5587e27ef5a69062a

SHA512
6affdccc9c4fd6e06155fc0cb4041b21c1cbf5cac11d64c08ba2eb01db0c1fc0d94aa73164a009171c7dbbcb7271f6529a940dedce093b7a31fe670a7ea2e5cf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
42f72840590c66b75a88600aec27ac97

SHA1
4a5ec8abc684769b61e28e75bf63027fd485c2b0

SHA256
4dc34b9d9c478f817882117fe3817bdb08fb7ee3c372d4920e68d60b9978598d

SHA512
f9cea898b267d0cd22e514285ccff6057361a22efeaf2449093b95bf460d323404abbc30d1ac38ee5499cc877e693f4a8bd1a285714f8004ddb4cccfc14f7725

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
62756962a3e6bfd91e8b5b431486cb18

SHA1
bca6af46f000114aacee8884ca85fbf66fcebe8a

SHA256
3c487077d4b7b5441c5ec08607bf992c4458b5329143d7884bd4ab85efcac370

SHA512
df2aa6a369c7345c673e9ac34c824b5b7865eb9c336b314c9e944f47e31eb29cbbd8d848f73e95c8864c62f7d60bc5c14699d844036edc39ddeb72cf7c366fa8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9e057b222e47a1b1847a5f792ec8f137

SHA1
c8b0bc31785de8fa6f48062d7ce85a42d760a363

SHA256
343a011ea779c80cd805a19e200e626d1b9c271890aa650529385c515635796f

SHA512
41fc8baf78b25b3872c264541b6767d1ecf31962116d49a7ae814d8b991f6a1b3403f916fe0960c23885b23b4d307f0e27db4b7a39ffbc5abf4839e394de86be

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
396125acb30905911025c1d34ac5cfe8

SHA1
eed785a2cc7e574f5dfa6c08f6b2596d5f34ddc4

SHA256
ce558718d58c94f9072cb5d57121967f787da077edd52958a9f42a17aede8c01

SHA512
38c79fcd192882345e279c137296c68b837276507cf20c9acc381dccd374f4fc589a5ea667da26b4e8591388b430e43f77d82a5d143ecf50807b5a4536d19992

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6d10f7ba71c0ef1297654c5d63932fac

SHA1
39342c20b81b1dc12b20364cc88415fdcd9d606f

SHA256
6c537159be99cea1a2208645afa7a1c92646da9315a3486ad8bdc6959097a136

SHA512
a6f3289f45d5979970b6f7873e5eb2b9b68e0e9e255b34d416b857467b816c70e2f266f440567f856d3591ae5f5444ee1d0eedf70bae5fd33d419bcf4fa9c8bc

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
361852281539c20f4bec2f6e97851e24

SHA1
4b89818b6b5fcb90c18a745b1be2c0d5e7ce8e8e

SHA256
3995964893d4943239adbeac009f127a7fe642caad702051cbb7f8d2bcb8ff6e

SHA512
4db1665ea89bf98f776ed999c7bf5accd0d9cc5337bbac3ed2d253e8353ab04b889837050dcc18253ad812b848778499c6f17e63e6b8f866716df0bfa7c413ba

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
52be6a8bfd13fd5166acc6eb2ef9e8be

SHA1
246b008b07b361ec03eb833fa5f9145206974a81

SHA256
c92f9a9b56b8f8db97e66e45919faa21dd4ca96dd567f4cb41261e864695d618

SHA512
ec7a505dc3d84a54e6bf7f5746f87ddaf5fa4463a9d41095e0f6fa3c62526d324de940ea076764080c4c2c9b8dbf5cb7f27894a3bffd0e570564bef63a03a016

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0918c6b464d04a67a0800b6be5714809

SHA1
92f851d3799e49b0f1baa0441b9e9849291af873

SHA256
7dcbef20faa6983eb1d8534967e5c3225150d063c1d88acaca5b4eb18f4c2d2c

SHA512
8bf71a64e63fdb42e8255c48681bd3d9ccfada6de9482535f896e5189da99c8896434048f393590426e5764b61017c156f92c3e9071ce35f5cf1350d2f3b69af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5ecb0cc5ff0c168a78b1186f2b01bf51

SHA1
b1aa2caafc8dfa393ac9eb28a1188a06a6460d33

SHA256
0f54523e5981bca391d833646b7e0c998a41c3760dc2d2cd14e4cee4d2a9c0ab

SHA512
d27b5b44389ec4557cea04e4b8a7b3b1bd0864ebb53f56f35db5ff85472b886c88dcef2477ed6dfe4eb510a2542e93263deec9794a84df50b275bb9f8722f145

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4eea988392e713ddf8e689a2d526d0e9

SHA1
a451e5fe8c85b538c24408f712296b697ea1aa46

SHA256
f7739a4cbf04759c3bd2e9e41985d7438c78f4dc7d8905285d37b8274eeb5b2b

SHA512
193cdb1186eb84336039c7ab4aa8407b28efa70ade9e3f493b275787edd312694ebed190042098a162b9d3fdd5dbb3aeb8323a14698deda71746f448bdc9e6ce

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7ab2333eaab389071155265ad21e4b92

SHA1
7daf12c0db8135769465c3050c22081fb0493c8b

SHA256
2ca8a74613b13eb645e1e1934a8cefc51b9df6533df256e25f4107606c99427d

SHA512
7ec918f888677119c22f622916a3ea2c13e7623ce1a2bf423da110a363858a6c92fb1e53e9d22c285957cbd5a5e465881be73f79edd9256daedbe80b24a4a3ab

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fdd4e0b23e48de8dee8111aa804dd980

SHA1
3797aa6053a4f54fc5cf8f87cea6b9c447ae4b9a

SHA256
1a7d308099b131142dc1107f0a345dd9a2d7e1724859a4c5154863e68d94238e

SHA512
48e8cf7a03ad1436bf0abc462fed5a0f93d9362dbf1ed4c715868e570c3fb5c0bf39e6c341ccf2a662158573cddb5f4c040354f1214484df749463d6ce99bad9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2ddafea9d772a3c61d0fb14a68f05b0a

SHA1
77212c49b476533b963c240b0b8526881c94549b

SHA256
aebe8a7dbdfb9264a2a67bbe130382f5512c1efc3556eb8bb966cf790dccd103

SHA512
970612446d5854478d5df69284209acf5902a58d260dca36fa0fb6d6da9dd85adf44960e04c6e0e8c6e7fa87cb39d6095d652595dbc12df880d71e3f197fc84f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d8d171f6f9190b196f2caff0f35de70c

SHA1
dfe3614025b57b248b0058f065f91d4f788232e6

SHA256
281e32371cfb4e444d457acd4043d3d6799dd448ca0cec0c3da3953ce68b5f46

SHA512
e4eb867210a787700d9f4ee2562c1fe78376f00ea1241e7eaf6d2483934337b9a7e5130eb02814808243794c2d809efabb9072b0ca5817f0a4b76ef287879f63

Download Submit
memory/232-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/232-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/232-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/232-114-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/440-10-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/440-1-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/440-6-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/440-423-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/440-424-0x00000000021F0000-0x0000000002250000-memory.dmp

Filesize
384KB

Download
memory/456-177-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/456-629-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/856-54-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/856-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/856-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/856-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1312-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1312-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-123-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1676-225-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1992-58-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1992-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-38-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1992-44-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2076-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2076-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2196-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2228-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2228-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2300-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2300-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2300-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2300-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2824-630-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2824-196-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3572-126-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3572-237-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3604-584-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3604-152-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3628-636-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3628-250-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3632-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3632-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3900-87-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3900-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3944-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3944-626-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3972-108-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3972-213-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3984-611-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3984-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4420-249-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4420-129-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4772-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4772-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4772-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4900-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4900-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4900-95-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download