a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
Size

625KB
MD5

5beb7a581bda2e8f9928c94140687210
SHA1

67b47e72b36db2920f4897e9e65c12313c281141
SHA256

a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9
SHA512

840bd427bccee06f6a66bb51884be3086530296842a2ea89715d1fc2b527c33a464c0f89d02242777634bd6bd9b0c896ab6c219407197ec76fb3069388c6f73f
SSDEEP

12288:82fHk+fOKVHGc30+DXTKt2IICbMujkicygo3I2OkPO:J7OKVz0+zG4IB1/j3ZOkPO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3108	alg.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
2868	fxssvc.exe
5056	elevation_service.exe
3796	elevation_service.exe
212	maintenanceservice.exe
1744	msdtc.exe
4020	OSE.EXE
5116	PerceptionSimulationService.exe
116	perfhost.exe
2416	locator.exe
3328	SensorDataService.exe
3088	snmptrap.exe
1328	spectrum.exe
3180	ssh-agent.exe
5112	TieringEngineService.exe
464	AgentService.exe
2016	vds.exe
1896	vssvc.exe
5100	wbengine.exe
4340	WmiApSrv.exe
4640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6784e58d4ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000304df72092c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd96ae2492c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6358d2492c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075c4ce2092c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe39e42092c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003173fe2092c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e21b82492c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2920	a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
Token: SeAuditPrivilege	2868	fxssvc.exe
Token: SeRestorePrivilege	5112	TieringEngineService.exe
Token: SeManageVolumePrivilege	5112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	464	AgentService.exe
Token: SeBackupPrivilege	1896	vssvc.exe
Token: SeRestorePrivilege	1896	vssvc.exe
Token: SeAuditPrivilege	1896	vssvc.exe
Token: SeBackupPrivilege	5100	wbengine.exe
Token: SeRestorePrivilege	5100	wbengine.exe
Token: SeSecurityPrivilege	5100	wbengine.exe
Token: 33	4640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	3108	alg.exe
Token: SeDebugPrivilege	4828	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1632	4640	SearchIndexer.exe	116
PID 4640 wrote to memory of 1632	4640	SearchIndexer.exe	116
PID 4640 wrote to memory of 4528	4640	SearchIndexer.exe	117
PID 4640 wrote to memory of 4528	4640	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a7f953f3f952b16bc027663a75fa772ec25618634ff8a6dbb96cb6ff1a73f4c9_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1328

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1880

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b10dbe68a439ce063cf716435ee3e07a

SHA1
f5f67eaba8d7a30031de7d25414142c6d0c6304e

SHA256
3686bb75d57b7c23335178b3053c58ab7f83eb08bd0d19aa2901241b8ad9bab1

SHA512
5307231c298c39ba06f35d479d454188bc907ef725af4bbcd4a36b3bd533adfd082e0333206eda511f5d6987716007a5026d4bb8a13bb3af7c248a924bdb7b81

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fea5bec414c836ccf8022e9f9d7b7644

SHA1
3eb693a94b36359a8f1e57bf116bb8b51d7e8858

SHA256
e987a81fa195ba8f9537f1f31591c71029e284e4a630b55e06ea92e66d7967f6

SHA512
8e6757f3b44a5065b175d8ba9bfbc3ad281581ac40e39a811eda58f5c2092d2c461948f9c3b1cf81603adcb6be609dfbc97a3f344cafdb082e7d80807cebc49d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bce55cac5b8604713be8d0837420d4db

SHA1
f30f36eed764c821f87ed04e004e4b5cbb766d6c

SHA256
634f8b276c6278d507ccee819c4cfbdca9ff2300cec7fe57b7a888f70f017d35

SHA512
edeae60451e40748092f5624f24bebb6bac423fe32073ba467c403d1906e8d48c04c7b3ee3bf53ad016cd4b0a4d9216afc193756d3d7293be41ff1c9b9361e18

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0b5318c297b059e4c1f26ff27d5141c4

SHA1
6d3d02642f3f1c15f7dec580b64141df3bbecd87

SHA256
0afcf6278165d676a793ff28779d3e2ee9f2f2300a50aa9e2fdac611e7ed53d9

SHA512
22c988d478146da4eda34a5d215baaa125c63fc6592da0f6b647759b0013d26a8ef09edaf40cf3c017ee2817094c5e77b0519a13fe22d562b48e39e7522c2b3f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
238dd87a01ee8957b05bab72b1de53bf

SHA1
636bfd5939367971992df14998f28af37d853d80

SHA256
dd441b2637826bc6db76eb8842796b9bf4fc073c648f79d89ea11ece58afaa49

SHA512
2ee0fcf098bc3639a320428cc2cdee7fb0fdf7642dcadd4f9b0898b9f01791ccd7e202c6dad85647f092d8afa91e8615bdd2412bcdc5a0bc157db52587979e40

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ee02e62a1df9a19397aec2c255528f01

SHA1
a0047577488e2e34351466691e3d4c0983709c2b

SHA256
fe1afa5436a518f34ca693006448034acb65944a5728369d70a5154576594c6a

SHA512
5a9dfa0a4f2661f2da9ce55f8ac101561914b1d10992d6ebe80c604015d7bf6f38d55d7786f0dd51514d33f1f00cbb571984e1682d75f0fe88210e39a2873f2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ebd6e349a27ae8ce4e309ad2316e4b80

SHA1
41f6c905314e8a8d965ea5a1a2d7b6dd903ccbc4

SHA256
c55e1c570d1c20a9188a1ca0fe2ce43eefffdc0723118e08b479fa0edb5ec60f

SHA512
3332d771fbb9ed719ae86fe05245cd7db1387af0cfa283d087cebee676c6166d200f147eb2d598b1dbf9738eb0c7ac826ee311a5efd5b84cec92c9e191faf3a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a31cad3f9c492880f84ad6955ab491a

SHA1
ae95bb2a8fffc9b083aea1889ea5347e4e5bfabc

SHA256
94479057edbd1ac0c02b37ecc13349bfb6b01da0e8474aab5d00f1926eb0d71d

SHA512
746346e1c75fe49390ba2aa6ead6b370b318a75774a7c1c4a474bd8420759fbc98236a08ae6ad68a4fa8d66d2bd1c8705958c82ab0283633ed644bb292c5ce22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f1018f75f1d17865f39af7740798e7ad

SHA1
d3887442be257d35893fbec8eb863b927bf25479

SHA256
88b1185a673017c06e7105e6289fe7e9f8ccc661078f0155a86e1568757a15f6

SHA512
bf052c8f6c0690cba41044081c4af72b6ca9abd54cbeade2a61db76e694ef1d17a4bb033571159ab63b7bed7590fb06dfc31c7468fd58a208f4bada34059e1c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
40ca3e71a34341d8232d3fbf9d099074

SHA1
5be515f6a88f98daadd8f8d623f3ec6ac8bcee7a

SHA256
21b6848797f6840b9053ad0de539bc76abf037d8aabd92a0c4dc5c2460048dce

SHA512
33d716b8076ae6fa69bc1cea2707ddd2d842f4d555df4e60c4de9b61e97469b760bf9d2019428c9b281a05b8a6697823b97e09d8429a3f1e7cd47866e1c4d9df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a242a2136d7ff1e2abf617564f485097

SHA1
b7d78021459f515b95e69824512e88a8bd48e185

SHA256
fe693dc6dbd6e37549eee47107c90ba9933f400af700bb43b16c5a3b5e6c45ab

SHA512
384c1a962f3686d934ce55cd351eacd13ffdae29565c134e137a6fb92048abb4e9ac3c59252e5a3d7770eb24c0801fb4144276d4faacf25e2196835d9875b153

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dc9abb709599b3779771f05e72f651e7

SHA1
2261f2b6415832b2864e1a22c8981cc61f38b680

SHA256
75fc7329de8d69836ee91fc06ab129dc5a9316f7c45e08b2a49850ff91d4e340

SHA512
64f1266f489f62bea076a029d2cc14b1685a7af55420af3539e0057f8ebf785540c2b87df3fea58d2410744bbb1e5ef5a543bd45cc91d794ca56175cf0c54327

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f332d36f10862d31facde171f7e00a0f

SHA1
6e3fe1c5edc4df24ffbf393588c9b604f2267111

SHA256
40a0769938a1a13bcff55369fff28cafae9bfe687ee3de3a26486cc1e94e0b74

SHA512
c0cd6e0fb053a11f32f7c7fb61d7c074abb0f5a1d871ea99d2bdb4e85cb9b2df620e5870737d217e8058bf2c69471e669acc60fae511dacb0211914272e49db2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3fa77cd6b78d6f9d6e4e61a271c05bf9

SHA1
e8380eab96b08a37b3cc1de1602d7ba294ff329f

SHA256
e032a8fa4f9b197e2299e0c6a08336fd0f66d872654a509cf30b50863058617b

SHA512
40e99df5b028429b1dbb5cce89b362f6b9b21a790ccf05892615da2e10627ca56ae04718d09759ea950bd2461ad1bb3bee34f1ed8f1c20d103932827730e7bbe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ace40f19a67e6b7e9469f6e073832dc6

SHA1
05a61aa64967fdcbc21cc87571ed8d4611bb32e8

SHA256
d5de06b4bb7f70f668d410c10b51fd94a8586346adff0129b78f8ed4cfd2f8af

SHA512
a841db051d015c4afa91fc22222e9b957079f80766704050e33a2eb72cc873c2abd0329bce407b9e5ba73f1d583341b2444c3e68c8aa4993c36b9a82cd204b68

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d657885dd030b0dff4336def1a95637a

SHA1
15b5e636be970780d1a00bcc66f9f77491d17e38

SHA256
ef4af57b48f8b98bdeeaff6219c1695d37e7fb66baaf2c157eb20ee915f4c6ef

SHA512
f57d2e226ffa0720ae1b0d335f48b02fcb1585d031527b46417dddfd0d4b697953983071384d30723da9a2731b985feb0fc8c8eda3b485ff3bbbcf35d93dc9c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f62aaaac0d94a486aada5f152d376aa7

SHA1
08d9a1e6a0b5c56472f82afab4c94fe863251acc

SHA256
4447ff9ba01e23fe9cb37f8c6578a8c6e4b54705ceab1e49c417af34e1d89cc9

SHA512
0efbd9f408ff6f4157094234cc1d84bd745ea583d36dc214da8f4d07dc7c2fe11ac40de431f633da01b25b9b19b49944bfa55637f3f7f36ffa56c76318ae8412

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
25dd6ddd5c18e5fa3769b531d879411f

SHA1
1bd5726563460d974b3ffde15c5544e8b77c75c8

SHA256
7c450b01324e497cccf730aefd3e4b0a565532ae73e5c080bbf79995b37765e9

SHA512
2f4c2dc3efe0dd54b16b2645fcc9cb9eb4d40afb38367e3062a9d0d558040986ca2aca1d7f0c0b4817a8f6c1bcfe739d52736c495444631fea5e82c26059d82d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5a5fc79f269f642567af0639f68c0058

SHA1
d379a003448291868df39cb75194e7fb2a52996e

SHA256
a66288531d139a7308aa54d450c2f59c4e4464982709b938a585eae2ce14577e

SHA512
0b694f30fed3304118e71c7580d9147edb1e52f74f7b08d141b11f64964b3f16679a682b525a381084c9912dffe7034b872d9723a7724296b25776cbcb23bf29

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c1b8b3c6173a4f75c4bff4ec0e8aa120

SHA1
001ce5dbc9bb8d5b02dfaaa247e2c6213ae9c9f4

SHA256
c23a9c6f9f9168afa92d2eaf29d1808d777a5c7879f11aac06401bc06953f6d5

SHA512
1a5285eb332340ca02d4d54c6c9894f35e07d2bfc7f9d250582b042b3c21af6c92e8886a8359a4c0eee916e99338788a278fe6f848a8f7be785c8f795bbacdf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
912f94e504c39064cc825bc0036dccb4

SHA1
552d20c743c334b9ab2afb81836816a5eaf5c949

SHA256
0e495e923a69f2574b026245302c517ddca2faaca4c228df1d488081df5e2c93

SHA512
97bb7e6d753fa12f3f5072f3a750cee750d024bb751cb75a9da7126062579d5ab9d458327b0e4d46fa0166f0bfe830393f807125291540610b7c87eebd91556b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0c8316521dbd99efdca6b593be4a1975

SHA1
8e16b67f8b1aab96cd8e46db46c529b95c6a5c95

SHA256
8b68bc04c139503efda014666b04db4b91d7c4de893e434f4ebfd6db4933f98c

SHA512
80a6a259cd870937070bb88f5b49760c26c80eae579ec25751fdd706c748a480e4bfe960e208cddd4eb117972d806373deb6d258d2334cf922b35a7de2dddfb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
714b0be537534e388a94feca892e0f3b

SHA1
1c16963212c29a785bee967dad4721b5dd7d9c9b

SHA256
5c998f368c16021ba4105b04fac7879a0319cb76d3e98daec505bcd27e0329a7

SHA512
1265843421301efdf426beb9220813f083fb4d4c0ad986862193ed40fa5b802a6ce46a177ff79556aeaf4a5627b6b3153cc1f0347c38b14b81e8f82674ccde9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e8f7af4ba7afeb03f510ef34dca147b3

SHA1
34707f31c878f419c5fe2e9757cc1e5d373d02cd

SHA256
67f5152d11c46f6f92a508b9cb1976e0867634d9c0d17c6502b8bec6be68b411

SHA512
de817bb0743356607b324e6ffa08af574e231ff28ce2833f4d9ee8d87601147b4a67783cf073553dd1af8ffae931cf3f108ba8c942085408d3f14c4807cb353c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d43cf742c60faf9863cc65f076cafa1b

SHA1
a743fa20eee305020cb59e7199db8abfb09b6d6c

SHA256
f862e063877ce9ae4e85c42a3f6d225b747af2d3aa7bb2f7e6928a3fb3a285ae

SHA512
a780d4eb946a01b19639cfb458f1283e2a18434c2c860c9dbefc01635cd337769d3061698ef4ea0b611c02a19073c77f5d9b34d60171fd708e32c48ca185d450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c6d1a948f6a78245aadb7755dff103cf

SHA1
2050c5da724d8cabe0cc60ac796a6f89710ef4ab

SHA256
bd2623cd09c3b28246a3e8a42343c7adab39d2f72bb39fe9bd5bfd7b9e3c1d4e

SHA512
5adf22f971462b1d989a117ca02c0b16d7ecd82949633acaa1d8c66109715070c7b294f5a0b354d8d332147ad7d9660b7235e4675cd2bcee5fdc92f0c90d221a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7b1afd9d13f520d5540608e4315a8630

SHA1
4be88b335752c7efba87cf6d8c7737deb0cfbe05

SHA256
0a3747b626807cf2d593924612d6815b3af91f9664e263be67cbc474b6525589

SHA512
b296f6ab3f983547b1819e6221c0f415193955da4276ad79a9c952202d88b09f86a06e31d463f6adf6f072b85afd720de772aa405767af0f85fa0e331d9bd157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
03076408732029e72b1ded7f78a939d5

SHA1
d4a6e040451feee1f855452d3d81213d5dfe7500

SHA256
34dbabed67a60e140a5c5d94505a3986aaeb6fe63c99359ae59f274a396e3006

SHA512
b5c7fe0b1f2b3c94f910f71d98885ba57498653a6fb0bc40cd18a9b9abc2b37440feab3459b7c0292e82283c3829e3b8d9d9cd2f0ef38e1d60bf338f7542d9f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7120f6285d4951c38d86774dcc1bab8e

SHA1
e28b02c91e16752d3c11b3d6d39c2d6ab3c4d611

SHA256
f01c0d481b73979a54179858f449209994da00d8b93fcc337b9163deed2e7969

SHA512
d50cee5c8bf81cb1460ee59b2f49fee77291d3f4868e56995fd0f8dcaa9b74cdd5ac6e4d706866bfc1b309e967d2dff38222092bc28a598ecb1d9a3e2414bd16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5f1801f047115b10bc5d76c94aaa5c21

SHA1
d722d3809a4f7fa4670309304e60945b49d63095

SHA256
799fa7b23a147f614eceb6c1a51173e4831ab3533964444a1cd104c4085a7882

SHA512
284d2b042ca72fd89ea6eaf48884fdb5c63a6edecf4fb98560138a02e587ad6c8da6c2e9df4dcda3b32445c3121d1d4fd25e061aa441be7052c429a78328299d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5d3dc99b3a6707cd6c8f43ca1e2c4b44

SHA1
9536ed10ab7bff5ede86d0376aeecbd84635fdac

SHA256
78e86d5e23ed6bedee74c92f7ded41b0f61adcaced5c3ca384eafc4fa91a99ea

SHA512
aeee62fa8c4b819dfe39847a69eba233212971fc7b9a8ae2f4287e79ab5d76b5b3eb402d8b4d3b45ee6bf2d0d81be7ffc7e2aa2c899f286c4e4dd326be6eeb02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
40c11e5e058f338dbdf51b637d3a23b9

SHA1
7654e7b66baaae8505dd06ae16b77fff1d0eaa1e

SHA256
5e838f8feb3a4627a6761d9e8545ec43e0601b7eda23057ff7450dc9cdbb25f7

SHA512
5e6764f5ebac86c8814a9a635071fcc28f504bc3e0edda919da6c96f86cb60ae27397599506bc56e329f62ab4c2bedb332f73cf846d43ddee40301745b7671fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
77d70dbb32adc09678803ef606da34f4

SHA1
0c3893e4b1f46a9ea619854dde268c7f316ca60f

SHA256
bb2f5f6eca080277e2098c00c188a5fbbde00292c82c4c93b63f0f58c3885176

SHA512
ce9cb1c4bc56e1230cb4d59092c610428179235e16406d3ed403178b24f1dd6e2957ab88ec0325809a116fa043ac141fc38b86dc421a69cd13a5429171bbfc6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a5d55b055a68fa8cdc7a86dfa1cabf64

SHA1
5efe2083e46d6fbb172fa49e60ced3a8db92aa71

SHA256
3bba15c9cbc53fffeed69a5110311bbb878df3bb7e42a90cfb32118da586a5d6

SHA512
a2b11ee9352312d0b2443f6d1716393fe8774d1d422c9ea4fc1773f834ab8e0aeb070a8983d705a4b39df1a0327c7c34306f145ba41bdf2b02a09941f0840e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e735e9dd2f3b528096c05515118866c1

SHA1
889dd26a0ede899cf72e7b272d00ad421a2f5a5b

SHA256
31050c340cd79b5ba4d625938d00e37f98cf41b48ecdf350e412605ef293b2ec

SHA512
34414bb48331f3b419ec736de031a9b471435627dc926e35befb211b0aeaec6f14b0c6d18594f8557e9f3b002f9131c80d07520edcfad3a68e5223290d3605fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9498b91787b262dcc765452203628c2b

SHA1
212abd7d9d3337a932093e51be9b1ba320497a23

SHA256
e9ed0bbbe1bfd619ae3979a145d1d0cc00bf9fc412238b11ed3f2b554e7a96a7

SHA512
62745bff211c6ba44160c8d90b9f1dbc17715ae6de79eb085600d2df8ab3f38be53b0ceb788d408a67045e0be84f62655672d0ddd757aa8167828c9e5fc3a590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
91ff0fce7e7e452f52fa1b66a4ab41c6

SHA1
8508db20c88d30b823f834469cb8aa959cb817b2

SHA256
d2c1322e778703d35319b71b91b533f117182dbc26dcd35f9d2c1edbe1fd826e

SHA512
70a37db1b1b0d5156a042f0dc376c1fa2914f8942f5105dfca816a11c8e7c179406ef7cc8be8ad4c6aff07f89cdf9c9706df03397ad6e562393c98f57aeca462

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3b450eb7861c13dd7b17d68d2478a7a1

SHA1
69af08ba515119a8695a3666597cf4899cd98c54

SHA256
a910c28931aea577741447a62a3f1167e4bd783ed71e82632dc3cb33ed45ad56

SHA512
964662bd53e4111044a565a4996584aade9e131147a84e4d5946d25a72ea67b59fe0f9ef65be2ca745e4bb518c227cfd46f93c0f12a2434ce66986f9827e5f66

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
030213cadeaaa7b14c8de1179ac6ccf3

SHA1
c9ca1a25368992e4bfe47714396834511057c689

SHA256
7c266023bd173f541272a84e1a9b5bc23b5bfabc2009605dada5cad6a97fe44a

SHA512
6712fbcba5cbd94001f6cbee43613f29a238b7c0f9cb04b28f921332a9479c482f1ffd1e77b325e47f5bb26feae4b5a513f0622f5e0a5b8168216055faa4a781

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
34354ba73ff24cf684d1b1f760d856fe

SHA1
6d4e509916163e1670e7bae78118f1c91611f7c9

SHA256
20935d5e5f67f0e385030b2a6cf0b705b8d10a4dbe265eaea7c1be648f2c3549

SHA512
cf4e43dae84a24dc22892e3a2e6cf563121abc87f7ca27d4d112e83529592deb97f2c2e21c645324ef357768e080e784a01ca82865b01f11de053a3b391bac8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
33d005df8f9270a37656f57e06971617

SHA1
9492001455a9caf4becf293edb66db55deec7e2e

SHA256
6292bccac2ba1058dba251928b345aad86e0968ee54b499fdcadd1ece377cc79

SHA512
7908eaed57efcd55bb1722697167beb10f3b845fc431ef0b87745fa2731a8c9bc3d9392af4be7ea0db29c9b421f482e7d66cbace8b354e64e7329412738d8a6c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
26f7d8ad7eb1bb3f8cb8a0d63880de2d

SHA1
b670db6d7d877b9d44cd0e38e5a43813a1107d24

SHA256
09e40094e0fc7c41332cb269921ef0cb97f50f965466013a7598ad602fab046e

SHA512
6d0dde285acb659fb304a64edc5e87457d566f90492ca1688db69fb49f63cd1bebb47a323b2c554db5f41dd0ff4eaae5720ce196d02028c7a30012ff15cdf784

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a0ab12ff06362daf4030ae6a37e768fd

SHA1
c6a093a239930646439ec94a7d63baea4ba76d2e

SHA256
2416826b9619dbb1e4a007def6dec6eabbafa3f9809771c1ceb448689c26aaa2

SHA512
533cabdcfdf4d2d9bd0f71481f08c6c6db8c6fa22a7d79926ed7572456a0c85942d2da473e74ad43ef26276ecf21d033a1ee9e1a77562108d4e20d138d2f5a30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9ef764505aead4cc201e7c24dad62414

SHA1
9545f27d04d8b352aed43df1af6e03c9f601a5e6

SHA256
6dbee684171909720dea14669ca2f333129fe19bbfb890e7c762ef16d21cabce

SHA512
da1149d12296283f5c6b27145183b527bc924456297b444f4e2181aa6991502bbffdd55e7a547c4f6e890fa3ff8dcbbe473f9af58ee75eef947e40efa117a081

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
062b6d9c26c09dc68cea41cc3e3cda13

SHA1
c4a902c4f44eba0c33a3552c2160cf00cc107d4b

SHA256
1bbd5a3c11ef4daea296335e6fcd335ac30a56c6e4cc1fda7ce773f42cab1718

SHA512
23fc58a23dff457df95ccc24c767c2cad1f9b917a75d6e7468b41ce2aa4eeb5e4ee7c39e17d156a4c43f4c792eb0923afc044adb1633c58b205d4c5a83ab4033

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b8ee4769d6931809f19d933f908b5dd7

SHA1
6fb13a4f41e3450a60e6b954262a36a6ebbbc558

SHA256
a924a1d235a9987344c3f130b39ac8ce19c939d6aae7b50c7be72444e585e2dd

SHA512
182040ea478a5ee9d986c97dd4ddb1359885cab435b07c90ce7c4c8cfc0d1622ee91ea7f3df4e552a5357dee9c86f7bc47cd1f21e3b4fd64c1e0c96aa257c717

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
abeed08135bdca376d723e5ebf2c5a76

SHA1
11c9707678f7f400f0b603b67580f85e921fbf4c

SHA256
32801ce269473bfca937157dd647126433f7f14bbf3d7651829f9036c6657a8c

SHA512
7539ec1a4793da152f09282e0490c9335eb3bb5016fa1ae4b763fd9886083df83d3663e127bbf61d0c30091ca701b57cb4225df15662a7e9ada46854f03e3534

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad17e96ccc291f670e0c2edf477c48fd

SHA1
4a5333e34fa2aa263e0a5cc4f8aa9cae244ba406

SHA256
065c0b948b0d2a4d4bc2fc96bbb14bde92062b31459b39057d154f00001ed9cc

SHA512
0abcfde0da99470c92b130d099125779d4dcdc73b8852229fcfa2066de66162c52f0721b86d1f495b592f28c3e64aaeb882dcad692a0068f0ba8b18825d8aa58

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2180f21ebfeb9e4f1de823baef63e53c

SHA1
0e5735f0be7f71f45e771c42fbe3d8948810a0fb

SHA256
e6e350237220b3ac5a6dae2171c10dec97f4d06d10b433a94f22a0447d046593

SHA512
d05ce8ed32db1e709b74c44edad50ab112243a17054fb645c2100271cddffd2e3b3c82e55a60791b9d6e7604f3a15b298a4b502ca9ec2fce59f2e605bdfab539

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ebe95b4bd9adc6295bd2858e774f2814

SHA1
9d84000e95b36a41072657a894f059eb4e9bf56e

SHA256
1e6ae1ecad95268474b0c4fbba3ebcdd32d08399765a04af54f0009431e1e087

SHA512
bc041cf8242c095c19d9cc52c5a2b95ab7946c03bd74c5af195bf45a6a2c217facffe16ed02946ea34224ef758345c6352d7ae0f4fca21b26743adb6b1a33964

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8823770a06ac36903764e480d7fd1e7

SHA1
9a0b3870804f635f0558ae333a714d6174104373

SHA256
bcb9cfb31df872948f54751b45a6c3085fff9aba72a5b448e9dfbb7e8409e9cd

SHA512
b7e99067dee0eb4aa77d49184321fd60d7d2c5c41d02cabdfe0953657c10e14d3a8ce8d2bb5c90c2681652048ba7a82538bf7b0fcf71f575c2d410f160271e63

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c9f9d34ae1bba24c3a3b0dc3ec4cc568

SHA1
fd30c41e21a33f769ff16e22d9946f516b8bb79c

SHA256
d50825da707f28f2558990acd632a9656aafe49ecaae2b8ffbf7f28c18f1d931

SHA512
cc37c968fa5e7f1c5175afd7b1e2d1e3f82d0cb9f829ab5f56336d48e3a21957144e232385f62c72a1e772f98142d5f9a7c56edc81c5ed87e2fc9bcf85c848bf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e3244e175b968c9c4d51fb82e674baed

SHA1
93fd5a09c9fa116f1fd41c35ad9fe5b8d31783ff

SHA256
8bcbb134e34c7e3ece5552f2e210c0706a2e53fd9396c2beb4ab4e0bfb90416e

SHA512
f30248225044593519961e1e5c57b0f2e3e63e6bc33c6b9416e8eaf3cfc54bf165174300b98a220b9e1a1208706f3697ebb9ab895ebe6a81b818662a75d6d3ed

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
766bcdecddbafcd250832b2caa43eb78

SHA1
188560fa990257998362bb6ddac3c398bf340612

SHA256
8cc1b2c99d164d0a1ef5a0a2024495ec67004138ee62ff1d7eef1ccbfba9b896

SHA512
20a4020103641d6b50f0bf05126bffff07ce0211507b85c9f40059451fd4088c7f57c573359d2854570fd19ee648ad0cfc2f5eb7cfdbab7237da966807f57d33

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2f2ca2d90f23f19e9067653935c29610

SHA1
4c4e3311c750c665b567d38173e9b4142e592faf

SHA256
4ed8eace7f756d30ea62b4059311785711ffb1022842e1c69c44ccc82383ed7e

SHA512
bcb1a9d4521d8c8c189b436ff4fa6a5d02b4e9c09d76df6e437c279bc878224df2cd8f49a474c93153c9bd6c02fc163843ca5f84e1f7e316344099a1ea40ea4f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f204fd4213d5bba8b65d84641c5718ed

SHA1
a56e229de1e70d97d74b427d1b4ca8ee1658ff91

SHA256
3f6d6e4647bf51b18dfb1ac906346e4efc756c8762c6ec63ada36c1a0fcf6a34

SHA512
f617cd95fdc9aec668d8c51dcb9bd272e28bdda99345c3418f671771ecc3f1a60d212824df25a06806951922c8c0ead580f10e03cfbcdc944c812162e5d2e75b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
229eee495577022e9637f50fb7104bdc

SHA1
c4254d62da031d4839051fd14e3d07b898673a0a

SHA256
04aebbba4c4ea05086a3cdfad1f9ebbc098fe479706943c78dfef1547d44a462

SHA512
eae4726d9ccbe2b5bba364f22cb10a89df30dc1ba07e6a017575f1acbe3b4d04c4af3f1259666afecc250ee12ded92f954b64e453f2a0acfe90e5ba805434237

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d9491c76878c7cedeafa50d293bbc9cc

SHA1
4add811ad6f67c6112a60ee3c4de6af2fb8f3b62

SHA256
b55d6e2fdb9495e39d95bc06e4d74d2a63a7ca69a6c088e382ba4b051f1f964b

SHA512
10521f229072727bfb63ddc2f614ae1e9ab5999404e3e5cd7d61650c7e0eb9dbd2caa57197a7749c94af8faffe44c5d6eda813199c3c14bdf4f87cbaf0d18b2a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b0f2dee01952aff44e9c0da7d897b53f

SHA1
f74ad8186874d7a48f29c428ebf21591f7f168b6

SHA256
6957b18b36d4e0b9ff573807e39fda2eb892deecbc9a37a5667d9e509f76eead

SHA512
21a55a27be989ab57582c68374be98488a6f447dbf8389009560eaeea86feb0a72c1a9ac2b5839c35a29cda86af3447d9154d001d6e91b433900e0aa90e4f55b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
18b897801c0a7726446fbddd358b5772

SHA1
96dc915c38c1f4ad2225eb336750cd1494ac5bd4

SHA256
b34c10d9fe2e476fea564c1704674d494475903b7d72f696844c6c8f4ba7cefc

SHA512
525dc2389a19021ce8230e425b4df366ef1552c16a5b7ccf9e03a52c070880b56a5baaeb1422bddbb1b22191fc2d25be483e0941428bbcddfe66fa1e614b52e3

Download Submit
memory/116-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/116-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/212-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/212-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/212-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/212-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/212-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/464-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/464-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1328-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1328-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1744-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1744-90-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1744-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1896-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1896-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2016-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2016-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2416-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2416-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2868-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2868-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2868-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2868-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2868-49-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2920-6-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2920-101-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2920-423-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2920-1-0x0000000000A30000-0x0000000000A97000-memory.dmp

Filesize
412KB

Download
memory/2920-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3088-537-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3088-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3108-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3108-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3108-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3108-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3180-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3180-598-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3328-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3796-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3796-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3796-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3796-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4020-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4020-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4340-605-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4340-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4640-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4640-606-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4828-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4828-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4828-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5056-52-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5056-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5056-58-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5056-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5100-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5100-604-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5112-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5112-599-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5116-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5116-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download