32a830cce54d422330df70832e80786068239f0183c307dd4582a02904115934

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Size

1.8MB
MD5

d874be503cf6a719e6bd9dc6ee8476c0
SHA1

2c80602fd5c332ea200bf3d9e43556223b3e80d1
SHA256

32a830cce54d422330df70832e80786068239f0183c307dd4582a02904115934
SHA512

e8b9d6a6945ab77b87fca731c7fa57d03c631d509cf509b70e46fd3dad75a22c78f4c4e6803d53e1f3874294b68e0b1a0f5cc0c7f5b2383f5c08758cfb064181
SSDEEP

49152:RE19+ApwXk1QE1RzsEQPaxHNzf9Ckt7c20+9qNxUW:C93wXmoKrfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1916	alg.exe
2316	DiagnosticsHub.StandardCollector.Service.exe
1656	fxssvc.exe
3052	elevation_service.exe
4628	elevation_service.exe
1340	maintenanceservice.exe
2456	msdtc.exe
4576	OSE.EXE
1812	PerceptionSimulationService.exe
4164	perfhost.exe
532	locator.exe
3728	SensorDataService.exe
2372	snmptrap.exe
936	spectrum.exe
1792	ssh-agent.exe
2980	TieringEngineService.exe
4100	AgentService.exe
3156	vds.exe
4748	vssvc.exe
404	wbengine.exe
3948	WmiApSrv.exe
5072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e975ef3e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000947ed15147a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffa8b95147a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bce665347a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb4dde5047a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d5fb65247a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005100d05047a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040a5f75147a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000807dc95247a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022663a5247a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000652a3f5247a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1656	fxssvc.exe
Token: SeRestorePrivilege	2980	TieringEngineService.exe
Token: SeManageVolumePrivilege	2980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4100	AgentService.exe
Token: SeBackupPrivilege	4748	vssvc.exe
Token: SeRestorePrivilege	4748	vssvc.exe
Token: SeAuditPrivilege	4748	vssvc.exe
Token: SeBackupPrivilege	404	wbengine.exe
Token: SeRestorePrivilege	404	wbengine.exe
Token: SeSecurityPrivilege	404	wbengine.exe
Token: 33	5072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeDebugPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeDebugPrivilege	1916	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1020	5072	SearchIndexer.exe	112
PID 5072 wrote to memory of 1020	5072	SearchIndexer.exe	112
PID 5072 wrote to memory of 2896	5072	SearchIndexer.exe	113
PID 5072 wrote to memory of 2896	5072	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d874be503cf6a719e6bd9dc6ee8476c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:936

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1020
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fd5e05ac8b30d934d351671d8f803df5

SHA1
2771e9123694448a98257445b4846bad81744aee

SHA256
64b79c255e4b21745f3c2757cbe87680a7fed1170cfd3eb755f03e3e8c54d6fd

SHA512
44b524d507d865a65518d63d6b348bf8abb4628648df340838aebdd484a188a31f03a32aa5ccd59386dbaf6b4fa2a44b510ab1c0c572ff891905faa6d936177e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
84a3316d239014c7e676766676315b70

SHA1
736ee0f6727064c72a51dc9230a3dcdee64da27e

SHA256
b6d1b21581067addfa2d5636196ee477dd2ed2ef54b563af40b45b5ac4286a7d

SHA512
04426cde42af926281fa21afdf0718372f3678a55449e85821a09724e1e1226c35eb7c1a736e50decb7e91dedc46c73709af08cd0e35bd23fc532ae86925386a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9273375b24706b3ce3c9c94ac7b10d32

SHA1
52bbacd2f54521dd01711910e51a1a78eea3b816

SHA256
fcbd47615f30e53a4064eecc7a6f0113e7db4b20b617dd8e0d4e5ad20a453356

SHA512
f0371d51efa537dbb10221f5bb91610764fc4630195787a302916eb6f0a5e111353d9c9ea89cb2267002472b76a8d101e9a7ed1c94dd04dc89e15eee71d8d1dd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4f61b7d6887970b7136b134bf0f1a75b

SHA1
8d99ce10cdfdba34fb553b8e059d80322cbc16ae

SHA256
0934532a55761f5f7de0f39a6e44f3120698c32b37dec3013555a08413cd37f2

SHA512
41f817caa0d146ff5b5d4da65e67949f9298394d262f87894c65733896f52a448f0ddb803a01cbcd0352779e61e898e811b93caa9374f4daabfa7456f64f484d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f49d57502a2ba28d11b480a5dfa86efa

SHA1
ecb9c27c23cb23add72f3d19c0a1059994b3f147

SHA256
da9b3fbb4008a20f2aacba0d97b36312f8f635ac72c3fc5def07bc13563b33f7

SHA512
d79a13d6e4bf120303c4306a41893012cdfe3a46245b7066722132c86dea65ab33890bf7afe9f5eab1638b2046dc91c106a1bfec97aaaeb4f51a3cdda00653df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b1efb2bc4db64b0a677fe43084e21d64

SHA1
6fd6ad8221a8a76d14925a2f4823cafe20f0ae70

SHA256
dd4eb996f75b10218ffd8aa2b13abac7b51948f413ff48602e03862914347c21

SHA512
a2c79bab359311d8c97fd866c75f37fa46f80fdd1721cb2ee0de48508c1c0a36eccff166bd13184aa30762d007537df2c43dcd4906901269806bae02461692d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c83b8407810eca6fa3ef12a612392523

SHA1
529fde8b0328102610a7caf64967e55eb713786f

SHA256
8ed639051c12e47937c12fd150381ae114b0a224a320f1cdadbfacdaec9fb0ad

SHA512
f6135d80699241ef4722391cad8a856b8a247a9781c29575af8ed485d257d0560cea836fb9911c4a21c81aecd3f6ea0a8c87c4dfe9f79e67db3dabc88dda7075

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
19208876e8c59f82fdd004710c35658c

SHA1
7ea780b11d2de66ab9fdb34f75add389c58a4427

SHA256
bbd490fef8079652d42d1331804f3b49c4b874eb02e11c56725e95f6b666c2bd

SHA512
2120af6bc88a822c588db6c2b49e666537bf8751ea83ec621f02bd61d7076a522637ab739c39753e86007585fb13b521d41c2b64853bf907fa0eb8e01a0d06f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
34fbb40dc141cd2fc3a9bff1bbfc0570

SHA1
5c04f935769aaec85f834a817209e524070013da

SHA256
54775871c563f5699ac5ae6f6726f293ab912f779bfeedb8b49e2df089077e6d

SHA512
a6673874a7b81e5a9abd1344a701e39a2464c0c5b03fcc6618bf8062fb8f729e8b11f88a28a5e99e61cc3d1ba3e7f124a9f4efe018eb9249a2f018b28dd6e709

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
144450d44f3f71cd0c2c658d1fe1d00f

SHA1
ba8347113aa32fda485e143071607e9705f4e4fb

SHA256
3b180a1682c792165ed9e65d8f1642feef9c7d7b99f2e5bf3b3cd85fe4f091ab

SHA512
03094409d9fbbb6b5f6aff9db2ea95aa894743f6aa041364dd023d1c3e0db5808cdc2b766b17e453d4c0801e38b1ca74cb05784b7403f56d60ea24dc1d37ec8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7c073581bd9f10c36a8216c02f9cac99

SHA1
8b1c882e1036fa9977420e6894262698035ae12b

SHA256
022ea4031654b1a1b47a03cfe7c6108b93e50b248fa1024958ddd56d32885607

SHA512
725bf97fc692ab78f1e4aad5e0e1f209271c730555f7b43ece08823e11bfad6c71fb2995aa562817cd4acd46c25675096a2b76d4f9c8ec319772d18427dd7a45

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9945323b05ee8da51ca657596d3e94f3

SHA1
3f552a88e9099cef26029d9797616db4f8a8a1b9

SHA256
da4cd7158c188d271d891e2ac72548b9e4075474a989576e0f63f36cf3cc649d

SHA512
9b4cdaef9aa01727b7eb4b8eb8857050a274c61b7b2d0c329b658954f00361ae3a3569e165b2e37e6ed075f3e5c9be8e356af3d860f0d42ec7f8166b77fc3b96

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
295e85c77036495069a4216182f4e440

SHA1
735ed3820452d7a327a2f3d33aa6245ed7af1510

SHA256
678ec3b3a69e8b7f9951fcaac3e3142df7cbd12a595b95b30134754499aca34a

SHA512
ae72fc595f42fa5a8e3d8ce042395d3e03c085b24549b6aaf9c5c6feac6a9721fd8c5bbcd894a84f5772327abe77aa3164fb84c9f6649d42f9bbe3f3ca0ccd0d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6a3383d18d71e2a29c0e1c3be7a7a513

SHA1
62dfad091c76ad560cec6b5f92fef806c2f557c6

SHA256
26ca1c1fbb5e6bcb0233fc2779581d660992e78db789974a60cc620716666dab

SHA512
eab3df83cc237738ab21ceb994604ce112c5e7af054853578cbc67c9edefbaa1f7de1bca5a1d3ce6b900b111370240211bd9c711fafdaccc66fb8514693fe454

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
02381c52de3d2c9349595e7864e283b4

SHA1
f678f18a11d0f2638234d13d4d9ddb97f5c80aad

SHA256
41de85dfc7575aab082f337a56c0b873aee80dbecb9467ce04ebeaeb67346230

SHA512
506511b86d7d89695850f95d46355e8b6534738f49e17e3dee4cbbf33cc35149012889509dd8b0da0e262bce95b1e9cf3a4b9711378fff3306bc6300bcaa487f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bee9af0f792b57209bd5c16e2269f551

SHA1
150b13ee5678315dd2d14d34d8a2f1ddd4a56717

SHA256
a8715555a8ef7676176a5ae9acacdae951230447256654a22d192b212217742d

SHA512
a0393ebd0162da1d34560156af5dfd6df0c96a7cc330ce8fb477ae5c76f91eb1b75797d54513390feb610168e1dac6a83dcbe3ff190955f18c4deb015efd6092

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c520db9b787cda95b9c0d2c55f0b08f3

SHA1
a99911112823672d86942fb4decd92c797edced1

SHA256
09cca3cbb94e03541eee08bf52e2273c825f16c94ebef57a922c2bcf21ddbbca

SHA512
e95d98b611eaa821bef2ddc695e0511af264603b6b4efa11cdd18e155ce6db501067ace3b502f0fa445041cc387ffc483035484195b644961f43fc3eab9e9931

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b5df2c8cfc80373214a4da740926ed3

SHA1
0ededac1e7f5e1372dee89d56fbed26f4b088f6a

SHA256
9ab176227e2fa9f3a5febe782ae3dfa98c0ba1730f52d99e138b5fdbe319b82a

SHA512
8710fd786381aa41052a0a2a37d95cc952ea08d0a849ab082655c05fea2cc1a0c2f34fb403baf66bd5c337d11244cef5b47c6d99e3ca569ae1066122cdb948e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
310dc763c51ff6df0cf6875bccfe66f3

SHA1
2a491f897cc36201e5e8a5222a5b3ed5081f0867

SHA256
10dbacb097180b24393daa31d3e8591fc3f1c8d686691524c30de155da699beb

SHA512
bb841678fe6e43c91e0e76e85f3c1685a2b0cf4a7cb090d118cb4c45e38fc765ea91ca97cfdba2b78c0604551e0821f7b3cb817eef56007e0d3af2e2bf05bbc8

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b014ab0e6179a9a9e89c7e1abbe406da

SHA1
d6ddcb6175f33d2918b66252379a8cffbddd139a

SHA256
f327aab11861da551615cdc16cf54f2f758c638387287845ee6c063d2ff53885

SHA512
2bd0d63711acd1eace571f262aff3aff8d766e707409c5080dd1a884ff5a580036de0b011b16f4a043da699b848114d28d4d00f6a77d1734aef4832d0ed78780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
98031a5836a5a68791ea55c596e47fbe

SHA1
cbbebae56a1d584b6a472b0f91b42210a0023bf6

SHA256
2c16db8449c0297d9fc5c3ec3d3acec9ac396b1d0131bfa95df42cd7da7819db

SHA512
69cefe27dbf26d5877c4848fa440ab00ac1403e9251e81e5284456b435cf0dc2661413761a75038064ccc19590e9c108936bd3fdd46211d04d31784a47d1a978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ab8987f7cbabf087a8d589277601fd3c

SHA1
b24938ba6e2c528c0ad09fa680f47b2cd5251dcd

SHA256
f53a15601c7f7c7852de21a4f7d54aa69f7e4605013aa31d1faf9f7d01854060

SHA512
b1edf2aea8190b71d0122571eed2768d0334ba37e27d19f74948e454c550da5d97d50f131a4713c9c7a63702e9061ab7a782308b13a293df9e5fddc474b50d12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e366b06cd75646f10596529e5c197408

SHA1
f2839b0a6ffee2f98b48bc11b562e8138ea6d8ee

SHA256
ee31e380ed3e967bcd550b53fc06a3949739286c7479680aab46435afb288cd2

SHA512
e191d3ae6ef6036aabd6e61c633a22e0f99359b13abf7b3da686ea94509c6ee85132ba77f31460df11befcf9f752085b19141a99134c2a7278f2a47355e08cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
9b63d112dc2d4c6fca44e6fd70cb4195

SHA1
92474dd3c51ac44a06c9043f3818ae232b6552f9

SHA256
972c8a141c8fa19449cf6c7d404c0205b87a038ed70b8d8a7e083b4657c22380

SHA512
60d2d254a6b8b66f21cd02cf3b03d1340b7fb4752906895bc2f38278d2b56a94ebc6971abfb5a91764f5a57de6312d875138cbb7e34caee1e3e732513ac220db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f5b00063c748c04225570600627aed4c

SHA1
8a57f2e215d20c39138a22da449eab4d466016a3

SHA256
22ae12c77f090ce842b8e99352a5331713939f97e1cbbe8abbff50d77954ada8

SHA512
51a5dd8eb8dea3312bb74e545f45b39b7888e569c00c6f031f3cacd44d241211e600bd8c46e174acf839f1907980064d9d90ef3c9e1eccb1b59a05caf91798d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e75f4a224bc8d1fa70ca6edf5163b97c

SHA1
ba9ebab96e47b11da3796c70287f8f0663702e0d

SHA256
7f0f7cae431be1c443c31616cdda53a99d5e9eed59881a8a28e49402dad4d834

SHA512
0ee55f2837dceee8dc4f49c944ed2c576d4bcaba993fd2d82d25778674c0735c708f7c709610affc59baa78171cb0cdcfae67f04604e92a416f90b4be0a37672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
830d167c8aed44f8745e48274335743c

SHA1
7ecede7fd7d9c9b675fc0adbef2d29aa0209392c

SHA256
e29c229a7bab4200d4a7ec9f7e8ab4256baa072a98b743fcdbad3e7ac8b863fe

SHA512
8570fd81370b2fb16e7797aba4f6686078a862723465206b3d2e9e7488a2c1b871ef3ed31422817c719a79b6b435f89666cf8965c640e6df8e98374b2bf1b6d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3f7708a05b985df0c7c4ba94d7bbbb30

SHA1
45e2c9510fd9e21eabf12109f574faf849c9ad3b

SHA256
845a486c6ddb72989abaa726c10656660bca1cc4860411ad0028ce23b038505b

SHA512
139875eaba1c7f8df450d60d36f14f8ed945e164b62e8b86127fd93edcccb9d70908d050625f470e5fd1e1d1490f04ae801e52af5a70333a60fcfd1ae717eb2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
18fc8ca69ce553817f7127c33afa9abd

SHA1
9fd0ab1657e8bce8c74056a5fa4f3cf3ccc8bb89

SHA256
e9b2789a04e48fe12572a9444f044d253c237677d3d5a63cefe593c2b120f8cc

SHA512
c4428d0fe7bc3d308c3362b29056bbfe494d89edceeb0ac02df0cc7867e49222f8c4cf4700adbfd8e1d4b770b5873fe616965835863375c1bffc29493393607e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
2b3c08685b69bb040cd63c3d7c915720

SHA1
db6b918e59fc53008b80ee7c874c6c7d053ba52e

SHA256
01b47786bd8f69b7aa7867053457eadc82ea5ad9141f4b1916f31fb8ad53765c

SHA512
30672aa08bc224bdd09e472fb4c258a0b597123f5d3de292684c42ff730be4b303874644f112f1499c1244b62a206f68899f5f3d968ab4f88a0cdf1d82fd10f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1c48aa120f8dac45accaecf58b4d723a

SHA1
52637f15e845b7a4b5ca728bc78b2c3d8f880245

SHA256
c70e64aca5eb3059f4687f7309e0043f4121d732052370d23f91661a5133e544

SHA512
0d441c66bbcefc293f3448b6fb2206f0594123cd28ffd9b908ff85a59b270a5c0206bd0f6e80768748ad7bfb900953d08ed44ad4f849f559bbf433358324c53f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b758dd4c6f8e7bc9cf05454772c7a20d

SHA1
ad2c482100ff1bbf3e0112560d3792b749fb54b9

SHA256
3c49f118256f8699adca02e1f1dc5494f035012e947bb3d387ff4121321f2346

SHA512
f9a9a58c650d23e0e598894e32c0fa526ff6af91d80777b690f6f95d7a79ea3ff08b1c948b25a627b2e32e321d45c6cb99f83ad44d232b1515687aa093db2202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c547f52f4e22a396e58d9bc1ae1ae1ae

SHA1
0a454cc8252fff9d075a2627dd36860f30a76c3e

SHA256
0e91f7111a1ce191b680319c6aa041e97dd29dd885f660e36af3f866b6fd174c

SHA512
5c6644e49dd7be15e11f095696385723e78c294ef8a96533af6d0ec2ef22420242c3a909926942e562c8aba77e5d8c0b769277526c3ee234540b1a9b5ce27533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
192d5f0fa37fe98b44875f0d04095487

SHA1
c24256f92e14eabe81e5283312ef0bd149ef870f

SHA256
84b8e455071004662548004bb839e8c10735cc5ff68fdb8e0dc8dc7320743dd3

SHA512
5871e17892e4c873151f01b2dc20a7fdb08061517c405822ec82c4833b1beed023313b2acf9088d9b7284c08297b31663de299633e57b9247ee07769bfe63b2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
02baa9075807cb496a2b82713264b364

SHA1
7643afa7c4548041da42f9b2ba1b7a2075241cb8

SHA256
adb8e1cab1acb6d80679cf8787a5c20d01967c6e9f830d1c9e4034ea348fbd6e

SHA512
622676efcc595f844a84e88cc42d33f8cbf6ca8c970debc15b34f0efc14251195ba5ae25682ef6f88e83c0afd6d405655fbfd503570c971f8c49cbcc330d8d25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8160262f4eb264f13209b451bfe0ac4d

SHA1
945beb21d5350ce14ff0366753cea5dd45eddc14

SHA256
7103d81a8932712093c78167fc370f22448858fe89363691359fcad9f5db900c

SHA512
b6ea8211c23f9e87e90aad20b553eb3624e28702ab1a67a01d1fa53a4bbe8b0ed2aaaa472627d57274f427e87c3227ba400c7d230ce0441101ffe41720d39d02

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3eca0012ea1a296887dd839b11ba3a4f

SHA1
574138520e54500bf3861c8fdc48d4e4891ec040

SHA256
39d5812b9b79a5fb3e51a64762b58b3cf9e699cc323b6e04bc380783c35916c8

SHA512
4e043e230c02db86b22a46caf85173e5f9c31f24599ab8d14042dac817834e872e8b43152e4901c6f9c9e7d515a1b705447e33cfee284486bf28251e1a680aa9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8a59873303f29a670a8971a3228bab10

SHA1
d350264047e5daeb3145009f7d448f18d8e245ba

SHA256
3c13134e03ab028c62cdcc83cdc33886ce1cd8bb62f39e0b3f760344bb39b2e0

SHA512
fe8c4bae0e2a45d91440e48713dee4d6843dbef4016ed7f2acbd70caff569fd8fd028a845d0d018eda3063fdc2e56a2a8fae774f869fa91068a56e5f9b65e19b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ce07310f6af477fda94be70f41b618c1

SHA1
2f7d69e72ba13ca40f30b93ac2c4cbe0a820c914

SHA256
48c14dc794a8d3d46cdaf6d8818d0011e690e9bacead982e1493668baac5afe2

SHA512
b10ec0517310b354eae24b722efbf0aa328f2475b2708a5aa7d0f1a29f7312b3a7d8bd745f980e582ed80575553fce0798c0feddf5f8c3a948f906673a2a3d77

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0331cc20587b0524b7d315b3df8398fb

SHA1
c06535a686004008555dd4977f3ca69e7be7b225

SHA256
7b0c114d89dca899f34d4c68ae64e69f179bef31d5ee7be9d69cbfe0b9d76751

SHA512
79539adade8c8da4e89ced9b7b9c9fe57b7d9660963e97507a9b0a459299f337aefbff5b785cc916b4613d59cc387d24ca33b1886fb5c5b8b36f1068a9908daa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f23af1f87c5e7b05f7844242c6525936

SHA1
0e104d41794df8349c96a7577c50077201ea9ba9

SHA256
088c99693b7099b9c28299484f721024da90a65254c85cef4ab7ab6e6513e83b

SHA512
a08b3278a4fb23edbfa4091c0e9f744965b1bd5bb5226b4531b56d3aed27064a004e53bc57b27e7fe4f02634572037b60d3cb231e20101497b1688163206f9a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d714d75b719a5eefa3bab3f950ccfb65

SHA1
1cb1284c224bd8192dbeccec910dd9ea19f71913

SHA256
194506b1406286d936ea8743d8b2ae7c6d0de6389246f06ba8191be1ed494580

SHA512
90ef9dac5c34d4467913ad762a354dcced8785f85e7418b5aa6f4337ddce191f05c671b383f671fc266ffa6d60bf414c767f5976590aa6f6de47f7f1796a295c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3a384ef567134a876947e1cb9da250c7

SHA1
15122c2041ee227b6a6763d932e8f7c858d6e103

SHA256
65bc9fef9d353c47a14ebc54b0d2ea88c452b4d9f42c2ed65d697403c38dae95

SHA512
ab3e29b20c2c1ebe660435dc731511dd1be6107f7c7235dcad5a8e1663f47b18f62aad6f9a5c2a9c052c32c337247ae5e375d8802a0a5818c13f4a25b22027fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b1cfcc3bd47d493a613c4f5cba682eb5

SHA1
d73aefd53754b8ca709fad977fa052dba3ab5574

SHA256
c01fbba86e98a939fdf64e4cf3e014f6ffe28f8d4d7fef4825761a7fc04c9e51

SHA512
75f95cf7ab5c663e997f430aa87c064825d68b3cce45e8a64d83a253a27ab9724f85e603fdb28c0d49707c93997806d56a32108c7f99fea0db0b018417986ad0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
339fa147ff8763933de832c629750485

SHA1
8178d6e813e27fe03ff1a627012a497794c3afb8

SHA256
a4fece3f7357056cb328b9bc75f8f5d26989f732a872266e02836a6f490da178

SHA512
d06152c12810c72be7edc5e7bf8d4af169abba1125c7f40dd91f2d2c0f1bd9d9d411c438226406d3ad8b31626a909b83a30b284ae34775b277f6c1fee714a2d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
969e2f81a334c8a4b909f846ca3ddcd6

SHA1
cf976ac0d90f30808fbda7b35804b7d48fbc6e94

SHA256
c08e01263038bb86426bb968d9508919c52d4ba32998b8637b3047cdf5036a6f

SHA512
f0e2d6e25b3a0f301b573a0caed7656185770e2323d489e1d0765f19876d3cf04ff349424fcdb444fb5aa9584cd0e0536d7e08b850b0c1eda3cb211c38395d7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a273ff044b5207f584ac01777cbb26e

SHA1
2b543243b1f9a30095a492bde99fd8e70a8c1229

SHA256
da69962f0432e71cef516c194f526cf355ff936ad3869d6e43f2fc72e978c8f0

SHA512
4792f6b986d6c6cddf47935f07eabbc39f39876ab4f3215411b47e9337288e09874c1122c95568584ef4e1993b07c93a1a575aa4f0378579d39db69d05d7692d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
854b0624b0a3daff3a83ae79dfa8401d

SHA1
24c078185dc3e59b467fc99bc9ba5dc90c7ce07b

SHA256
7c63fdb35c689b8158d2261fab816088b536047f0738836fc67c5923c4cd03da

SHA512
273e584427fa90a5964036101f56fcd9af34ac6e643a74ce78023682d0096192e0c71546190c50c692f955c55bec4a0421f2be2fec422a7f60c9dad15390dd84

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e1675a9b14a5962791f69f250bf4507a

SHA1
723177538bbfbc6ee3758a901a231a6b6ef5746b

SHA256
f2aec23a10f8bde421321e33a4564d13d393ee62937a30f49725ede48e61fbe4

SHA512
4c66b6674ec0df41d6ca144a35cbe85379466ec76c400f48a69eda2384553ca51e53471b37fb8e9b63884634bc4428a73ac57f68bc44c85f795304335103ed05

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31e120bc1e5a7c4efbbb53d75c075fc0

SHA1
87bfa8358eef6845536529173faade204b9c9095

SHA256
4aa753e50fd290e61b5b4cc6a266a8477faf3f41935fbaab3e58ffa22cda6260

SHA512
ec950718be94afca74868c48e840cb69aab1e750d5c1fdee3dbfb103d173bc1cb628b312975a3c0cc6e1b60b8e58fa736e8e047b46e52c1f987d25ccde39be25

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a0c31cf7c3ca7ddc93a69dc024f6e11b

SHA1
4442d57dbacf6f0144b087050ab926a8c575651e

SHA256
347b0f6462bfa08290b6f54e613c905912988d8642b81b9db47b251f9648035b

SHA512
3371f265c1e03db517bc0303e6665a97c65c9591044fa861c251d4be31f173285b74fc17ba50baec51c38a450cab64a9d6f25170395e27bce396196ff0ea6488

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6eeb6ad95e306465da33e3a2f3186b3e

SHA1
497f184ec66bf49607c55861d73545db49576cc9

SHA256
2be53f02bf123f28cc16f67b961fe035be29791c4c89cc3f7a48aab01a85d37e

SHA512
bd75d82c027b1872fb9998bbc4ac2f67736fba53318ef7362d6676b06a19869875846f925730f62c6ccbc2e150af7257119e18386015af9d5e24b4f97946eb5b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
49c1008290c01054c4f356fee4322422

SHA1
11c23918c7aca63383ef98f4b045bad7455819d9

SHA256
fc0872316a8e597730aa0387331b3fec4819f2d8b0ae8ece453edf63d0d468f2

SHA512
b854f39e52d71dd2ae1e6afbc43e7cb0db871fa65891ac47855de6850e8516b5b5f4c95dce552c3064f57cf3b0485a0512b9d254dc763c0f920974255735f013

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a31122281c2b436e5a6ba5b5811e3de3

SHA1
27151ffc9d8dcd2775897292f5e32e6a58ad259f

SHA256
c1949ad3d2702b0c711c61f24f7491e32420a424b963ec41a4fb62c666b3c6eb

SHA512
137a80cb740cced681a1d2edf9cfe08eebb07eb9ca94b9e23de1ba7251402436d521a15b95a40226648a26306f3bfd6287e597d958764aeaca82c620eb45b870

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
29e100f1022f0a960b99f4064ed045f9

SHA1
0fbf3a218bfc7d12ef10e3d23a6665e6a1ebc0d2

SHA256
3593254b33414980b740369a9d4c92e02f361dd5b0800c7cba494d7df5383635

SHA512
fe4e79b67abb9eb4a61d2a370848789118c154bdf88aebdf9adc2e7a20736eb8972babe21cfb598471fc79672ca072744b63a8db9475f5e2d6a046b5870dddab

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
705ba15a8d4e5e25e6200bf1ec0f058f

SHA1
0502ff361abf760623f4e3837a0e1910e8164866

SHA256
1c7d792cb3fe781554ced0fb42ef78920e857fd23cb99687ad8437959b30079f

SHA512
95a09b7bf31e48a00462cbde089504994958cc090815d8c50ca06da6596592797bcf82b9dfcd15d92d7e62a70b1863e7e0eceaeadbe56364416976735f6324b2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7b58277492529776f1762bb20e251e0b

SHA1
7bf3d0fc6a81d59956eeade14a92019fad37079d

SHA256
84bc9f3058ec4321eabdf5496d81879386e6f2d60a3622aa31ebcbfc044e2c31

SHA512
10701ca51bca847fcc933e5235074d042ec13192783ecff9d4003b0444ee8e15e3924ef07afd6843e63293f02ffa8b41de2ac95466b57427f83e73e6ce767979

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
797d53ae73a733e7d06fe720950a0b4d

SHA1
a6dc56c56782b65e18fbc74c32a71398b5d462cd

SHA256
91ec7e127babd8effe177793f757da1e9fd54071c20678201d170e240a49daf1

SHA512
326ddd5c06323e77a4fa69d564f9d5eefb13b2420d2a43b3028ef649c78be57bc5fa8b9a38035c758a8b859abfb66ff358fd6c53af638b1527f8ade522558dc3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0f342ccd83ad3bf8a606b37cd4837354

SHA1
27b5a7930d0293508c77268482248ae36015f9ba

SHA256
56939da5748c5fb0a9b829da988bf2b8069e2c55b236712cb511f01ef897df56

SHA512
e4bcb941c26b246bc4a5c9214701f8329d8ab076b88e3516f3054aabec70433629fd0f9efbf8279a5bd95741f073b4484d42486a7a45ccc7194a5f4fb63e505c

Download Submit
memory/228-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/228-88-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/228-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/228-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/404-559-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/404-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/532-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/532-249-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/936-461-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/936-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-84-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1340-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1340-80-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1340-74-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1340-73-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1656-38-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1656-47-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1656-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-44-0x00000000009D0000-0x0000000000A30000-memory.dmp

Filesize
384KB

Download
memory/1656-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1792-553-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1792-186-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1812-122-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1916-127-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1916-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1916-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1916-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2316-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2316-25-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2316-34-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/2316-129-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2372-160-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2372-413-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2456-215-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2456-90-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2456-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2980-554-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2980-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3052-51-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3052-177-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3052-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3052-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3156-555-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3728-550-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3948-258-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3948-560-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4100-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4100-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4164-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4576-120-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4628-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-197-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4628-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4628-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4748-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4748-556-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5072-561-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download