7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
Size

625KB
MD5

7cf8d0ba8b0aa7ccee799235950e8f80
SHA1

74c6ba89ab722908b2bf8740dcec6d190dafdf2e
SHA256

7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22
SHA512

6d5e220f7988c67c489dbc4be74878d1ad44a6af8d3b9ca44a06f16f6298d557e563803c2c326ec65925d650325dbdf8e0a213d7e57f793e377ee0a0afdfd40b
SSDEEP

12288:TJXlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:lXl11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1756	alg.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
3964	fxssvc.exe
2268	elevation_service.exe
2364	elevation_service.exe
5088	maintenanceservice.exe
5044	msdtc.exe
3904	OSE.EXE
2264	PerceptionSimulationService.exe
4992	perfhost.exe
1368	locator.exe
4148	SensorDataService.exe
544	snmptrap.exe
4268	spectrum.exe
2916	ssh-agent.exe
4528	TieringEngineService.exe
1088	AgentService.exe
4104	vds.exe
3340	vssvc.exe
4388	wbengine.exe
2892	WmiApSrv.exe
3584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3e0c7dfcc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000055c047af2c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c198867bf2c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000030ef679f2c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d747107af2c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b487ae79f2c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ad5bc79f2c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccdf897af2c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062be067af2c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000695fc679f2c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e830b7af2c9da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe
1164	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4132	7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
Token: SeAuditPrivilege	3964	fxssvc.exe
Token: SeRestorePrivilege	4528	TieringEngineService.exe
Token: SeManageVolumePrivilege	4528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1088	AgentService.exe
Token: SeBackupPrivilege	3340	vssvc.exe
Token: SeRestorePrivilege	3340	vssvc.exe
Token: SeAuditPrivilege	3340	vssvc.exe
Token: SeBackupPrivilege	4388	wbengine.exe
Token: SeRestorePrivilege	4388	wbengine.exe
Token: SeSecurityPrivilege	4388	wbengine.exe
Token: 33	3584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3584	SearchIndexer.exe
Token: SeDebugPrivilege	1756	alg.exe
Token: SeDebugPrivilege	1756	alg.exe
Token: SeDebugPrivilege	1756	alg.exe
Token: SeDebugPrivilege	1164	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1060	3584	SearchIndexer.exe	106
PID 3584 wrote to memory of 1060	3584	SearchIndexer.exe	106
PID 3584 wrote to memory of 3212	3584	SearchIndexer.exe	107
PID 3584 wrote to memory of 3212	3584	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7cbdbe773067d6e51d42da49f418b923a8a2e12009d889022744590560a66a22_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4148

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4268

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3adbd00fa995f9cdd900d6150b54cb72

SHA1
5e35fb4e2ce6f5d540db4add2d04fdae234a7103

SHA256
8bbfd2ca506448f812159a24d28193373e79db973e0289e84202f35e4c0a02a7

SHA512
bcf1ec0c7973978e5d20f901f0ee0e85220d7498027fe4bb132b794f32e571c229d152e3e0b285168b343a2a1808846dd6fd6a45f5772dd9ac2334607fd8f701

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a8691c8a9fe97cb66cd8c6e8f2d55615

SHA1
0b52c3ca29a31502d3d76f948aee1ec412141306

SHA256
ab26a78c13832d1750687ef03e4886da79cd713cb441c43f21dc7311a7f2a0c6

SHA512
4830d06b9f4dd5bfec70ca5e5eb0c4f61d37eaaa6edf6ed2e3586721a6a77069bbfb9c695abadeb45b9b4d09fdb8e928b327095d7f1164a1f71808e55e2248a2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a8b67f1257f759d868fd684d781be967

SHA1
e670244292c9aa9ebfd631d18206d1a567891cad

SHA256
0f275a2295bfe9a33397251870eb786f1c52f575901b1ba63a9bb57281dbeac3

SHA512
6c18d36786eb1420ac0677df871c053d1dbab3e95ff5669b9165c61b9cbb20f6f4ba12210297f32fcebdec01d61604ab35c7dec2bcccb87fb4ea7e6a3c767bb6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d6924b669266f2c049e576c0c4809a23

SHA1
b17f6e4328d2f34125cb848551191979dce476b7

SHA256
2977f097179b263432472a53d211e8a9a76c4b1122df08741055d0895527c809

SHA512
afb75d7ee3688fadc8e344cde0e6431e8d0c9f636e44b1f75017074d0358647385e7d1fb75c38341788cadf1d8ab905ce80124bd80d543e5063c7d4ce2a9faf4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1d2c979ecc672abeeaf07c3d1f8d550c

SHA1
a1cd1168925d050ff0daef636cf415311b1da76e

SHA256
15120713a2d6212d199dbdcaba54ec383846039cc9b46aca993e0e4b858db66e

SHA512
e1b6c6e8e2a55b1423cf237d4b8334b2924ab0dc5aec4d9b354cafebf9a6cca357c9c398f281eac22b41f96443c8d9a7257c304ad9b4963cd28de2567c47b70d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
987d9f4658172778b5e4cb5de09b5b27

SHA1
debcfa9a553f15020b42ac5b1f746de23466f8a3

SHA256
9cb143b7396c2cd7d564c762ea1a48aeab30ffb67f232bb219c748e8a9171da3

SHA512
f6fc73ade0daeb3e4bd733ca58c340f1cfc8f793747aba11b7a28627b53aa924b648811a9b15e680b8e46ba44552a49396e8fc95bfdd1a5b4ff70f9d2ca2e468

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
916e701334a42ecaf234cf0a0628d382

SHA1
69185f1f84042c492f73c179c80191736f01f2f8

SHA256
3f01f4073c8e6a6151238d28900db710442802caa7f991b045ced2154ec8826b

SHA512
cf0b33badef0d10ca60abb3b426d25616ef10b457190f545b8e19112c606fd89984697792fdd3c04ff46e4e739691bd53fb8a78118f947a935ceecb809caeea6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
01ee79cbb514847588b58d7c700c50be

SHA1
8b5b8a535b71f8e1f9af04fd82be73304c24d9a4

SHA256
b0f3798b8368a7f7d8f1b9ac9e88351b54582f8d144ab78c20ab3f444a47842b

SHA512
10c6e246a661a795127944ee358031d93de7f3797198ae8bcbe47bb17d5bfefd4797461748ed792c5ba51ad1970bf6fbca849e66b2bac680fc8e349792da9a80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ea9c89fabccc0c2f1315d850b2d74649

SHA1
87effd7d7b51bf08edd9245509281b83426896fb

SHA256
633c95984fc7a6c23cb37c1c33870a755dfb7add733a847bca035c82784b634d

SHA512
2562a53398a6cea6eed5aa3e0d8b46a386d4637c5ec35bba7ee27ef6ca348c0c8c7d47a3c386363242b34e43ee396e5196000180923ce78d6a41102249facb42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ceca2819ff9d1db41b2e75ce80ca81dc

SHA1
b1dab2767520ba7d228204059af3fb78f44f45cb

SHA256
93fedbd1fb4f33b22e087dc20c5fe02b761b9f2eaad0bb41d081d57ef0627dcc

SHA512
05873b3f3fc60f689053517c9281c264598155975877c433be93c454a97cb770a6a62199525177c508805d6bc3b36ce29c9799532abd14f0390c635cbab5d3e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f787688014e17b8cf37fbe8b5048cf64

SHA1
632cbe95f9df8dfd3de0117b2d3edb91175115a5

SHA256
a088f105dd8d9e898ef07b8d0b78e5701f437efc8ea14a93a929d9103fec1f79

SHA512
848c0d06150d11811134eeea45350f4f2d44c2eef16d8c6f8c95fa904d3b639cb084e559b90fa0567e2a20224e4f20a949e3ca088a14cd4d5509cf5bee6cfe31

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
942210395ed3a1c4a139b5cbcfd95f80

SHA1
0492e37f7e5c07c548b08cacb4aa1bdff0e891a4

SHA256
76e97b5abf0d997c003a73534bb582dd8ba9429825d1f4e255ae97c821eef33c

SHA512
d5f43fa45612ade201b04de701428d84193d21d305a2df8acf69fa436b6522a36f25e06f9f34c120dbbe55ca512d94b59439c629272074c893bf47fc2648d2b9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
94ba8164095cefeef4b6ba2cdc975c07

SHA1
dec60fbe0323b257c948cb476d6c28a27ba2dad6

SHA256
540948d903007eb3abe40cab5f2491c77a29267174f56d83a403c7f68d4dbce4

SHA512
a77830a02089469f15a1f6adb4a2f6e610f635f781e896e84fa2a6f2443ff8881b2dfa7cf3c84c35a8b74e28b6a7de5a04070c408809b978368ad0fb28b455de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2fc699f6d19390e3ff21f1acee2a40d6

SHA1
c18b5faf93722415d917b7922478b6f96433b94b

SHA256
8e2e724adfba5aa3dba48ef7f22e3893d82235bd39760c7b104ee3a578364a88

SHA512
337a968acd4c68f78aa129a576b037d2becdb618ed338e8348cc7e60ef2e4fa69a69f30009127aa697612ca41c8a62b23c2869ca394d340b82a937282a72e90a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f4c7102f2193be09a352d3d43d79bb66

SHA1
274f2f6b99ae04e76ad4ff3b2df34c21d570b31c

SHA256
86888a6cc2fddf37c0d2cc98959fb1ee05b4c8ba597675d9e3d4b3813eb34556

SHA512
cddee6a128ef6440919ea896b1478f5a1ff2716e26ac5b671487a0f5d619aed75814b27b0fa172da7d6a476e8c747aa742aa809631772700faf727203f4123c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4d8e851e11ba2ac52ae9ef180a6355e8

SHA1
441ab695c067ee57f1a4cb2a20db5c2e736ae48b

SHA256
f4bc5926b8a209afed9563deab98d8d81cac0cf65a2ee57cb86101519524b381

SHA512
b27b75f7b16f012bda39ac8edaf06407402800e201f4ac4e4fa26b7a510da9172d0a94c0ada67eba3f99c6130f852dd6041073e1ab60d5bf2fc01d9090e37489

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
18f88dfb185cc2bb2330f5c236b7224f

SHA1
7961241172d1ff3632ed2c94c42660f8b2f0643d

SHA256
5639c046b66b2318ac53d313866590552bb64652842b1ca718fef11a17267fd8

SHA512
add737185aeacfc9fd4d33179fdf1c588e5d209cca777c8c051d6864e934619d39c3921f590d92c27d732c8131b932cfd301b135fc2c3f5bed6b1cb42ce79142

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c709eed0fa1c24c56a15e5feeba81c1

SHA1
d21bf1e8f4479648a37dfc811ed3622918207e7f

SHA256
01f1cf281e65b4016ded8db20f5bc20ca7a250db7e5948ea61507d8a99724687

SHA512
11dc7bc515949cceaf1f6120b93143b22cfa3a21ca4b1c89bbb8c193608ef9bb0e80c87e65e9e2ffc70802173e9c411ccff4950802606a39dbe2008e1ab09190

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
240eba83ecfa7977dfda299239e0ef36

SHA1
65702a7a1855d5e9139e2b925a82ea4047a97b42

SHA256
86c612bc670dc39dba015a8cf773f897538ca2614d7d482b3ec280ffd150938a

SHA512
1e4af22b455f027f28e26340038a65af92b0622ca2535bdfed9db9257d476ac7548934d3bcf39a1743bdd2f26b4a4b4201f4a7c4b7ad11e7bc9ab20f552fe8ce

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
22a0aca11b5c3456b83925cffd383dc7

SHA1
27513b162fea834a6127b2370e2f9060a5b8936d

SHA256
dcde0136a7f2f45e4e699ae0e1ab9f15b9edb6607e4b73ddf4a040320a59c9fc

SHA512
b7e6d02c8ead9df76328480c4470c31504e43a7dc8a13c867a82b934b6ede3b658c3912587f4e0215f80591ece57fb4383733cd89d4dd385d597a349f9b850d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
37ca69b8e7d56f602dc522897f6258ab

SHA1
0e1980dc89364a889503a52da7df9093d1d102a3

SHA256
de82c115183c32f50104b2d2dc64b290b79203d5fe553638efbe4340b82ce294

SHA512
88a8afb3cb3ebdc0b94209f7d57f0138c6ee5f0d79a4c67ca3878824aad8c833b100145d5af084d3dd92acdf403197d7cf6ceb676e88d58896bc1db7a66d018d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8e1bd51f4ccbe1e5aa5362b32e69a58d

SHA1
eda07305bda472e238b5f019b2a6e9d1f9afe161

SHA256
fb89ba66ed4d08d4db23c529d71159dfc130ed27fba43d77c64a633b5172bcae

SHA512
9578270665a2d903dbe880ad0485fc01e75fc754c22be46046357acd71189c5a3c114050415b5da9567784188bf47c71a5b8623084f54587e5a17a1ba6e8d242

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
eb3bd392076c75d69f7e311cd915214a

SHA1
98409ed346f82e27a2f4a878106e2c14c31021dd

SHA256
279af8a3343e7015f321d7aade3eb38e5884976b451070f90b5d4e326ada9ba6

SHA512
694cf2f79f632e6d109028ec9167700016e185d3c01fd9529a2cba304c77972a7da2d9829900066b51f57387ad256aa45a85745845a9ce4d9c9f850e199a6825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7b858922f593cba035d8de6767b35ce5

SHA1
6ea395b8d7ee2d976d16564b72f6f3efdd7c7edd

SHA256
f73489bccd71992f19de4bb791270509b5084019b7eb1aebc8fa46839b4e7280

SHA512
a6ab4b886884de7a5da255ead1c1661f8058e277f1604e6beaf0ac9fe2a52340590668a7e1a736bb984fb2bb0b9f66f399412aaaee906507c6e219703c24bca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
60582564d49593114ab4c2e55675e363

SHA1
1ce3023fc63e94fe55d5966c5f5791a76f48512f

SHA256
25ca48164be9b75b4baef129a967e6abd3d25e3eb60ce9e5e838622b9e94b75b

SHA512
b81e359753cd903656376f8a0a65ac511e7e529a3cb98833d7418111cb0ed0aec4625654252d47a12b59cbfc44c228a8cdedaefee319f97c0f66ba953d0fd01a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4bb919f73d2abf02990e00ce3de3f44d

SHA1
448366a8e973ddda92b6234481ec880444ca002f

SHA256
e2f0cbeed2a3c64b20ebacdaeb688f0dc5d292466d6e964874a079fb1f1400fe

SHA512
b6256f953c6c7a65ad33295929b55054d30861408b1d00b8b14dfb1f694f0c1c43b0fdcd59f0a72ef7f8ba837853ce7bbbdd3d67a85ba497d32c089d49dc766e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
47802391b1e7f00472aa750140ac0409

SHA1
70b22919daecbc6de55d6e1201999973788ba083

SHA256
67fed6bcd154a9403f26e0518f204b451d8bc970862fee22ae5a6cb5db56f8a4

SHA512
9ca2f4f47069f769db25dcf68aec81c59d9d42a8abe539d46955a8b8f6ab9d416ac6ec1f70be8c38a79b9a62b2974a98fec4f9ffe929008cccc43b7303a9e209

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c3fcb4bf7472d95e45170af2de248edc

SHA1
5ffac2c38d79e2e6a8f3ee0f9dca14188bd917d5

SHA256
d90a788fff8b433ce001f10e0e4501dd7da1253bcb56c00397d24e1d791ab8ed

SHA512
d946d9b968438915794678c1da9b094262af6df7148aabc3b1b06991ad38dd40827a8da42b9006af583f8ee044f7ae0b0bedc39bcb595808a586ae3451998f9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
679d9a7e2038eca86d946a1e10425921

SHA1
bc00995e900976e85bd8d55687bf9640ca692798

SHA256
855781bea2ca4f35b3b67842277cfda54136f70fd79b7b5a47e127380fe102e6

SHA512
be03bc16448ea47eb9bb1c83924b3debf70eab0ce427537e219950e77990f9401a65e9bd3ad74fa1a0278887dba2c32b80a6785a438e38e0334c41ee69bcc82a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
01838275b889983049121ae156e6b6e3

SHA1
bca977ad7d0d171dd78e33e7875170c6e859654e

SHA256
c2087dbce885e072ea36db8f91bb67d67fc5ad7e1baff2c65e6c330f8106d7e2

SHA512
17c8df637dc67e6c62fb404f3e23144fb07661911e7eaf2c703e06e5085158069c866f53f778d44f292a7e13917b609e2cf52c90360da507acd9e823c59bbfda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d5dbe93c4488419cde2a40805889824c

SHA1
a36dba52c8beaeb18f5e7d7d75821f63c4dffe1d

SHA256
b5f251ecb7207a99b1f75491332d8f87c0fc211bb9f93e903b8873228b1c5be9

SHA512
fb362b964ac412c4c07cde5f9508fdd51be9ca846b529f929d364a4b5539172707c4b0843792537b67f5c19f3436fe13948c041f6cbad46cb6d90505be2bed4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
935fb74d5caa370a32ea4286434199b5

SHA1
cb5c408d3be51e507cceef8532a870b20dc20620

SHA256
03829c9feba66fb2bcac087f90b7d18dc008c7d6fc4d993eae9379bc7c7f8e74

SHA512
07263eca3626aaee4d4b100d6b580c2470198845de36c65fed649df06a99f8486f6e20eab94d2a9cc5a6418521b8951221cb6e7e8ab02882ed0449276a2a6f36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
98b285cb2ac851fff854a5d435d586f3

SHA1
ed132b76d59cb711027832831bce51d630ca6b63

SHA256
5f06809e1125fb29a111fc74ae7b9f20e1fd6abc99f5aff4a90caa7dac06278f

SHA512
95ac9a70de16c79d1aa12ed19bf757e9cd24deec08e170550f7f0ed60b0af0eb551342091c4773fef6122a3d2277b3b46ed4d5fa4f9a3e44685447d93d0d4e37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3120b75c589f25ec04e40d5a82b25adf

SHA1
76fee5c3469d97159dc889ec59bc6fba82fbe3c3

SHA256
2c52eeb87a1d2f6b59831677ce3b04783f4f47b93c0c6ce24ed45b9f3131486f

SHA512
5ebf560489d7bd3bceb947589ae8da50ecb4b94ef45e24aed32980d23dac1bc27c844af53407a3c724f49f5aab81f848eeb67e508c441acad39fd2d886cf1dec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7fb12b0bd2abf43bd01bc044ca38b35c

SHA1
0fbfcb51573a4224f853a48ec1a02f2a09198758

SHA256
224d8ed16259bbdd9265b6e624c1a92b59a7a441d3eb98c4f99b167a8bb7e398

SHA512
8e6f090c215349c5246d1b09a06931928bdb81eca45bf0db7dc45824ffa86b00bcc02bb77225f894369052d78be5211b624e14fff0214bf2b4385ea7b73ab964

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
68c5aa49c02246e14aba15ff828b6355

SHA1
69888d7dac9998ff4b475ec52f4eda27ee37f800

SHA256
936cf3d319b623e9d6929beb6b91125597e22853f7f1bcda6e6fa77ff0000549

SHA512
2d14567d15c6214447c98aa786dac31ad2fa4c50f329a75b94f61c44497d8fd00c88735eda825706d4469ffadb6287e5843bfd02b0d4636324040ae6d03bcbd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5885d0ca373c2553ccb38afbcec083a6

SHA1
515a26c1218e31657e848eb047b4ba7c68407054

SHA256
57506e44a5c2aadbdde27a393ba44b5b7985bff56921709baeee488d5760385a

SHA512
b85c4e93b377a848a54460f3287654df81877c3bf38f6d30b070382297cf4fd6c27ccace37d4f4905f58bec34bab7b859ae0ec535a9e8a271d4324d8d35d985f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6edaa6e374570bf6bf6e861e37141622

SHA1
69fe9a1322520c5ae10891340683bf6611a279d0

SHA256
beff6fd5d59c23190ab3bd8f5099c397d0f4d3b2b0e1bc3687398c30aca75954

SHA512
532568880511b3906a10a44e2d28eec02bb3b3b251158e20d8dea916cf535dfc07ef5420e0278bf8b3070ec3638d5425d97319257a0d085c461adfa5e04bb0a6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
76039a7d030b4cbdde5dffa205d83433

SHA1
badfe415295857175caec3412dd45ce1f109b633

SHA256
d682f81afd56e7b546df0d8f283dc6b34dc6c13503e5a7bec707802bec9073cd

SHA512
cc5c65fd31d93fcf001ffd63a3f85721163f6f7bee6550c273d8451333a16bb7e8095aafc0f41c25970df49f374d813a160cd3a9ac006da21dd50b8282fe0061

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c101b1eb450fbf125b6e9187ecbca387

SHA1
2d922d003cbf86e4e01a947f6ea37eabfa75ea09

SHA256
8d98da23029e518eef13b82f99eeb4a4386b078564b32ae8da5bf28573873f6c

SHA512
97facd8ff5765ca10c97207aa12b1bc57982d7d18f742b2fbdea2f2e1242bed4f1c8b3c46622e8f85b4304b207e078cff283763b0af7ef91839700ce4a9665ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
714c326e1c5ca24b095d17d5065741f1

SHA1
9f1b8466f3227d1e7d24612c7b4f11225cec8d80

SHA256
90f7842fbd040c1e69b293ca3a7bfde4427bdcc18e261b03aaa3dc0562d9ea12

SHA512
049a2efc0885d72a41120c7b4e5781d51f65fd8dd80ca01d111b57e1336e0e3620f574ae77eddd56a69a6c73eb3001ea40e6b0cbc49047dda22129d01b152736

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
185849d2d59c88f00129878c8543545e

SHA1
7ceb6c89e700a338ba3159fbed011fde06df09c5

SHA256
ac5321f45bf4f8d72cc6bab96b096fa78426370876dba1bddb49ff8ec1ced030

SHA512
605daab199a2a9061419effe0cb381235f9e64cb8901c36365f89f2fa141a6ad93434551d4991ae24ef434fc4fcc269e112ba58d10d5a2198f0d5e7b634b47a0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
29b39111828b4824d742a0c32506f560

SHA1
9aa1bbb20ad870e7ec016c9cdaf40f24818b6a79

SHA256
90ed2fa67b4fac7ba3f2599a4a447917e563957bc82c1137fbd33b85f7df9a56

SHA512
a5e0e9ee910a4d33cb1fa58109ae8d16b23454049b4c19d808d0b98db16237ab3542e80bcc0711e8df64670f1380ee0dbd48160cd388207c80d6c5201528e2ae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d4595c5f726b0b163e19eb88617bfcde

SHA1
3c18542d7e6487aa6ce7738917310d509809bf83

SHA256
82fe6fc310a1174e2b384237e9681d00d34ba4fa4513aaf4dfe9a744b2a71f4f

SHA512
403c145ce0bf53817f59e999900843ee7c3e2cca0b45e18abdce6bea05d82a9584e57d854f0257ab1161a7033600cc6d7627e23a4cee55b9ee52eb941c599864

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d13eae37d191ac041d1bef5cb6092227

SHA1
63d323a8f6707873d8d3ee80035f147a6ebad1e2

SHA256
b9b6f5b2b94ac45ab7f21cfd26ae2e1e3baa00429078aff42c5966cbfee5e805

SHA512
8f9d3252e04c632fbbb683c7d5fbde539169a25ec00d93fefca56612b2faf56706db6d5168ab9b0a985bbfb17a48da800c6bb73b8a2c527e426cb4ffa8821d9d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
04e9d6bd21cdc9ca214192d67f51fa75

SHA1
ddb78fd61337fa6337bdeda7241d489a71c1a571

SHA256
2a98903bad779e6e60ad57a847491e81762cd75330c9283e28b68666c3706ce7

SHA512
c9233a8c4b04d46c9e429075c3f2a8eb7195cd01c460ebf5601207d877e7d6f2f876c177a4338c034cd1b45a04cb9fb0c4527d4001ae6f853c30d3637b3f0017

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
24c21822c2ab7c6fb211632facd1f4cd

SHA1
3a8c96bdded1c2c21633857d69b17d16b76075fb

SHA256
2871d0469fcb77f36d0b44150518ebfe358fbd2a70709cac7648617d96bc078f

SHA512
b7ae0c8d6c579cc8e8163185549b11550f1db9f321c241efc9acbdb293dcac188acfc32854fcbfec53083a8663df188164d7390143dcd862588f78599cd1d3e8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
913e00da7b85e9a75068b1288c40e1fb

SHA1
62768e4e0629eab78de8a1ff99c6bfdcc369a0ff

SHA256
5206306258403a9852909629a056aa33c4fb54e31452a1bcfa4541e81503ab6e

SHA512
ce7cb78613d97f5ce62e8f899940bf7cfdb694606e0c6128cf272ec668b5087cf28aa697133fe79782c2dd2a7ab02e266147882410d0ef92234e516dfb9152c0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3c357effba3c71d9e7fb59719698a4b7

SHA1
0c5e1c931b1c694b0b34868a9e1e349b82a268bf

SHA256
941bd183bbeab06fc8cf981f6703f8840afbcc86b3605f9896e6d89ab5b6515d

SHA512
6b07389ad4c8a61626abecdc220c58f254d5d4ac2dd474b5d8236791786dfc536522c7b00b6aa7184364a6b0ba9ae7f4fbe31b7368827590a1f6a938cfec616c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bfc5400c6f241393af4f0dc9d196bc3e

SHA1
03e7b543543af7b46635db782bb6e9c705489354

SHA256
6fbe172631bff61b8ae4ee832e78b2f7f35af414142b1bb3cb12e5b41a83fb23

SHA512
1a883ffbfa181faf3230c7298bff6f0717d0f641e68052344294a8f7c4fd67afae95d94df836dc4a659166fd6d7e31c95d949983911621e13e9eab849ce0e335

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1f78ef83dd26ec40943da947abdffd0c

SHA1
445eec8e0ea39b0bfb2024ec15b21cc78dcde90b

SHA256
73ccc8cab5611b622be2c286ac55182ca482c5411b08a1960a5d019a3009644e

SHA512
2f7444967a1a2aabb3e5c065511185bb3dc275227e5cd3ef493d8d68fba4765a3a854b002de9890a6321f2a04050014099f2ab10982a4c268960300eee155ef6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e4f4cbd12d338316dbb498b219af2353

SHA1
9f401986a93ee695b119496bae0d58d108f01e37

SHA256
34127ce0052eedc29ddce3be77e66c84985cee80be50d5787b45bc2e6c42ea84

SHA512
41940cc840f83a886c2428d58fec29643713e8acaa17aacb2b94be23524f127cd97602de3fcc11a267137ae424c1af5c7316176f0e8f1e876bc1f507e7eb5d36

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0c62fe9bfd00a4c576ad7b60e3af6af3

SHA1
6154058350da50cf688510362c852cd584a01dab

SHA256
ecea3793df8d4301039c67afc42cfd9cab89d83a3e664c6e498042734b565b74

SHA512
ec347dbe9be3892ac07fc957a56580a7c41e884d0fffe52c399b5d03eb7ddcfffe935d85498f9f3fa9cf148fd98df2e4ae70f75e467cb090a8c843312a496a14

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3a46a0e083ea771d6db5cb320a6203a6

SHA1
5992d5be121d966998b9af03f940e15d07a52a82

SHA256
af15af34dc31fb97897745665695888712ff1f30be63c5473902b5cdfd887c2e

SHA512
9e6716fdb81934e8141a916f8abf139e28134df8eb403c4a76654034ae8791fc659cc751861f4883b9a2b7e818635f34945948d72a45f06fb45e6f95a0655a1b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3348b65c070fad20a1f4d0ff6213613

SHA1
f946d47da1497519f9e6d46bf7b2d082a2abac4b

SHA256
da50c0fc5e7a62cd54a216819cb4405d6a70046ca6a22f643319ddb797b3f006

SHA512
bc9cf14469f26e2cec2ecf8e0ad2742dc93d7a2589535baf0ed729422504aea3aacb1004b5cbf3e8ce7e7c3323962ddff8ed7248ed684a0cedf38d966a862f10

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a666fcdf495f7fa764021c558f36da90

SHA1
d2859042d208954a4895efe0c1edca382949d178

SHA256
29d080b8f9628940d290f9976cb5c3944dee041b6f7dec92e29f57685cfaf67e

SHA512
7354fc982442491f90ba54c8095399e6d90496bab80c85e3c99f6693ad348d1a2fc74a6d90561416050fc5056e4b0184de795679a16b43b73f8127a47d614184

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c7fc3b5e23a5e4d3045f0cb87eb2540f

SHA1
15d16933f13ad2f3939d3b8a37496395619a621e

SHA256
553cb1336ab296fd471de03759e501ede80f3a1597d46c76f5c1ad3124679bdd

SHA512
1ef4c077019b5ed9df0f05cdf92047e1b6a718ec215aafce87957b4071908897d271eb5ec196c76ce4fe5c2700500bdfa0b3e340a46538548fd307d6638f1491

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb42f3bd818c3dba34d488cc104a04ee

SHA1
1d87ce7c56ac94b5b710ed01195d41693c691d10

SHA256
07f74d0bc759ef02b63c1523b4e6e81f50666bbbd60ba83a7d20c7d803a9dfb5

SHA512
5fde3456fa5cee14058048f4abe2d27c451cb54f84102a361bef2c62ed57acbe5cbaa63f0ccc25634954dd7e2895c478a8513fc3680d70c0f25e30636f7f38a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
60518f37994c2f9eb1a036a31e8fdc9c

SHA1
2af0d6ef05c725a2a197350d3ec8c5e9e7384e28

SHA256
f6d79a4299f51d6d40c2e72aa3af0a9e9233ce56b5bdec17ce34439d8fd4b937

SHA512
4bb44cff9d8df0d94123d00a286ad719777362c9bbee4c0549968e24ea53d32b5258171e5e80d07b88562ac8629a80b75c0c8ebced1ef5ecd02c92d97e66b9b4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f7e1e6f8af81f0d28049eb21a5a909b8

SHA1
7f128c6be0e96e5c511581f1f5249183b19cff14

SHA256
7c272d4cba3fa5c14135f9ccb96ea194c952c1c38394066d2d42bd87dd4d40e4

SHA512
9f8c4aaa2738a1186f642a7a06883b995829c7f9fbc1419707579eca18a9514744aeff42266c2ee772a66979299bef780259ef26b9db8bfce0045915aa8480aa

Download Submit
memory/544-439-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/544-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1088-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1088-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1164-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1164-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1164-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1164-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1368-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1368-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1756-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1756-13-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1756-104-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1756-19-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2264-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2264-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2268-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2268-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2268-51-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2268-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2364-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2364-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2364-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2364-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2892-638-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2892-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2916-631-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2916-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3340-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3340-634-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3584-639-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3584-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3904-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3964-43-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3964-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3964-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3964-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3964-46-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3964-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4104-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-633-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4132-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4132-1-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/4132-8-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/4132-453-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4132-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4148-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4148-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4148-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4268-623-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4268-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4388-637-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4388-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4528-632-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4528-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4992-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4992-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5044-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5088-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5088-84-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5088-81-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5088-75-0x00000000022D0000-0x0000000002330000-memory.dmp

Filesize
384KB

Download
memory/5088-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download