c99a9196f1ba77f7b1392d1f4d3d74e99dbe6f2fff102a848d6a822063549f04

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Size

1.5MB
MD5

41626c07042f8d3ff3f4a087f257a080
SHA1

c00c75441960f06889a9d29c45f1ddf5f7cc0a0b
SHA256

c99a9196f1ba77f7b1392d1f4d3d74e99dbe6f2fff102a848d6a822063549f04
SHA512

741d3b1fe8dc4688ddebc39566c13e97662a194d821d865e74afa9a860a97c35688e89b617f02702fcbdfe42fdc37446e0d88a071a0b22429daf90cf0852b0e5
SSDEEP

12288:dUSUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:dUSatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4636	alg.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
948	fxssvc.exe
4256	elevation_service.exe
5052	elevation_service.exe
1420	maintenanceservice.exe
3060	msdtc.exe
4852	OSE.EXE
3700	PerceptionSimulationService.exe
4904	perfhost.exe
4896	locator.exe
4080	SensorDataService.exe
2764	snmptrap.exe
4308	spectrum.exe
1788	ssh-agent.exe
1540	TieringEngineService.exe
3840	AgentService.exe
2204	vds.exe
2672	vssvc.exe
3904	wbengine.exe
3536	WmiApSrv.exe
4324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2de4870bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afe124be13a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a2bedc613a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9e8a8bd13a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed28cebe13a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009634d6bd13a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e859fcbd13a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6f275be13a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a27f22be13a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a8241c613a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeAuditPrivilege	948	fxssvc.exe
Token: SeRestorePrivilege	1540	TieringEngineService.exe
Token: SeManageVolumePrivilege	1540	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3840	AgentService.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeBackupPrivilege	3904	wbengine.exe
Token: SeRestorePrivilege	3904	wbengine.exe
Token: SeSecurityPrivilege	3904	wbengine.exe
Token: 33	4324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4324	SearchIndexer.exe
Token: SeDebugPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4172	41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
Token: SeDebugPrivilege	4636	alg.exe
Token: SeDebugPrivilege	4636	alg.exe
Token: SeDebugPrivilege	4636	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2868	4324	SearchIndexer.exe	112
PID 4324 wrote to memory of 2868	4324	SearchIndexer.exe	112
PID 4324 wrote to memory of 3936	4324	SearchIndexer.exe	115
PID 4324 wrote to memory of 3936	4324	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41626c07042f8d3ff3f4a087f257a080_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3060

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b4a4d77da7b457d6b51083eef328299c

SHA1
53d097f3004207837e61088b4fe6319f99b4a983

SHA256
30b110e43135669c4578bd6d55100dea5791f50aa5845568ed0fa69b75c0bd9a

SHA512
184bf6de728d9616220e162a01c98e346572c26a3ad5f392f9da163525eff1a914ef44852359976a3f7ba565950be739bf1e009f5faeb58843728085b476af25

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
6335156b6eb6eba347ce85af01167e62

SHA1
cee7d5804d605cd8ccf1a8e76ff6722b46078b4c

SHA256
74baa157e5fa2624b1c9db9afa339a1fbbc9fbaa9ba1ba9747fb5b22ae471983

SHA512
c0ae6d0d35045e65aa6e79a2db295b311dc2cefb46cf1f92c3723aa0252da133149ce5de1e7aaa210e4273c84d8b338281763fdc0fba0d08499114838e984d78

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
09509788b66e678451105d69c3c39e46

SHA1
e925e560061dc805fc82d57c195155e1fae35ce4

SHA256
8176d2ea2b07bbcf3e80780e664f187cf4f05478b8aefe2bb09e594090c2359b

SHA512
3c3ea3f36033a9479db448d42db452ca2f37551ad7e38162a518e3a4fe6e3bc4ba42272f9529360dc7f3443cfb0b6c4068ec8dbe98a326d35d8f303e374cef9e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ac0c1aa22c6ce9617170aaa8f462c6d2

SHA1
0a196e1e4f1f3069c085aa68ecd08fd4e986602b

SHA256
0fc2f8e9228c84070fbefe051121f11169ab761ff7c2951439c428560e7ddfe1

SHA512
a77d260546293b1815ebc67139cb5a326ff4188bc8f804cd8014ba895d754f5ce619d238aefd3d1fd69bc6877af105c72e158db6ad1af15c7f2bc8af160e723b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
36dbda38f0caef012284303822bf13e1

SHA1
310426669379fc11661e5713f58c76bd6fc41ed9

SHA256
bb8d770187ebda1459604d3baac8f2495357a7c56508fe17d7cee861b3a7dc3a

SHA512
2004e26c649748f9cf467cdfc8afaba47b6c6e30e3d49071fd245fc52baef0123022c45bf1ba6a37337c9918fcc169daebd2ab6d01c4a91cfbc7a276533dbb25

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
4505b248c7e8be5a8fbc537ec9508565

SHA1
cc9f429488e095d48dd50f7f8c4c8653b162d604

SHA256
7ada1c3b31c803a285466a73dd684ab8e5e06227a27f11eb1649564e892c8186

SHA512
9eee4cddcb2e04b73bfea4c3c15bfedfcfd0b2103d310ceaa1429704b66b5bbac558f54e5c8a6f9c59382a3b358a58b7eb3965b48bee9639e9236fedc3771f01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4846a33ff18245afa03c903588e0fa2e

SHA1
4bc7547d2f3e9274c7ac7010c15855b345913d87

SHA256
389e9e0c9865b5f5e5ea1658e45ae8c6f07b5fc6d67c6596656852f62e8935c4

SHA512
570a98b572a9d05f4d3efc6e35ec3ecc620d460acadfeebb9ce5ca2f865eedb369a26304a043f4702e0c7125384d1ba0eb9b62e91854df3dd7bf1da0a240791e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2d25fc3bd7da6d915326de8362bdecf5

SHA1
b48b1000641c90d180ae6fa8dd51fcef023a35cc

SHA256
d7498914795d0495d4f3d00b49b79389bfff02536c44bb33f555f11ff8a5d0d2

SHA512
5cc22ed1a0343f514b65be1ba0893f555308da891d88736b7675bb46ca5fc22fe84d086f1cbc50f47542714d18d1bd22ef31311e0277b6311283a0f008157dcf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f4704f64683bc86435200a9a80eb4d66

SHA1
4b68bed65f67eb11a1b80ed23f0fc0a5b4e95399

SHA256
dab2dbb66c63efa08a48e4ec516ac0dc2ca6225728d5e17c404d2451b53c599b

SHA512
dfe827370dc8348f227ca34cdfa5525bc61393d021aac17b8cc2ce1dfd8b8fa5f7c7610f861a3f7106f57e0a233f3acad7811a01c8c9ed7b54cf0cc335d34454

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
92b625bade904f5679050b966e4a9998

SHA1
dfc1a31d6719dd56e52a57ecaa52477dbb5e92b0

SHA256
a2f54f2f5500b91252ff496f956fd6b77e9e69e7998c2b3d7364179e2c61e354

SHA512
ee2b406d162ace2455449db82d697f09ae86d669af8882389b7e5e88c5a08534eba91065949b9f8386673967c30241aaf7918d5fb917839ff2b336644db83100

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5caa6de384a9bccca7460a70dc999616

SHA1
9a0ab2551e71b331f77129cc42fcdf6c17c32ba4

SHA256
fc7d7e0c32b61335c706fb8cf85374af77b52b8af1a01d14c9e9142a4d52f0f9

SHA512
83460693c19f48cf44ef91089ad2de4747abacb8f829b309e8e55ff5b552b1eb255b58690b18cbc5522573ca49ace5b5cda622cf39efc6bdc73dd2a72822b598

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
be51dfa57bcf05646a62937e81461df2

SHA1
c53e8c586fce6dcc0e4144b81f04c0a6c2fd3ad7

SHA256
e0f2fc80051adc60957dd9004fd5bda88c8d74c3ea51800730a15d1ee82c4c5b

SHA512
a31ccb414bf39d8c73a8059026e53d8a6c2d6ae61b634cd4c201ee5a068debe8f66cbe147eab270287d3eeefcaea254107ca5e137f687e70affcbf9f3da8f07f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
44e24869df9d983d8c40c25b50589ea2

SHA1
67145cc6300c622932a3476265e22ddf45af6835

SHA256
52a518012116cc603349e24224bbb70e56275ecabad3a6dc9b2a43cc21634435

SHA512
ee3175d643ca6db2993b20da09ed1d4c7038f7202d677c9f8e85470cfce6bf4f9b8ec22e2f813b2518dce076745439f1c6991f0848cf3e8f51556a9504636c40

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
af0a5101bcf08f8ffed0daa72327d14b

SHA1
66bd3cbd0a8d2d78317a66fc71f5a215a5876fac

SHA256
3ebd8044c5447ad6fba5e8736fc9bda2034ceff8620512856dd783e740345e19

SHA512
a0bd78dac45c11b440b707f744f24dd33b2c43390730a5d864a8a4fc0d9934ec9ab77d46c78d69ddb6520ecd5eb443e3998477963755c79245fc89add7bb1511

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f4260ddf7f59f2a6de2b8bab2183566d

SHA1
955ba9d4a7be61a18e29a78fdeb314cb8d96e745

SHA256
8430762419ce2541e1c44a59211cda6fd2ec0d6915936855efb0d7edefebda2e

SHA512
47e5739f04177c33ad55fd9f5232cfb3bbb417c8ec2f4b5063cbc7ca8301955da57e7d0a79483257dab81b505b690f93148c9150a89afc15a4bd7ec5bff1575e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4a5ea7878532d174eac19bc96d18bd3e

SHA1
6267391547ce768805fe1f318b869b457310a46c

SHA256
4547e2a75188464eb476684b9f29855b189b22abe0d8e7307df2f0ad8f626e54

SHA512
7e48046c2ee4f592f89f056fd7ce1e86b043d53793ac264cfd5cf627dd4b5a19e8c80e66b32c587bab36e4588b0eceaa3b19a0d247525efc23c28fb9869ed736

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d0ff82f0cd899a07b83f0a457471c033

SHA1
b827948920a045e47c87576c1de0d45de9d6a3b4

SHA256
e10a8eaabf4749af4f467ad74b7b80b6bacd2c36835988c3123e68ab05e04b42

SHA512
4f6bc0cd10b2db48db98c07f74a82c751728ee1191827e88f3e8a29c55a917010462e7b7826d730394064a473ca3098bfb7061946f872f7215793a02b487c364

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
65e2a85fb38fd242700e8d41276eba24

SHA1
935b00e9806fcac44bc24df82051e880ca378585

SHA256
8d9e51aa9de0563c669d7c561b0fc7ae27eb5d6c86c31ec5019ade6f294ab961

SHA512
9f149766092903a624f600a22461a7ba0f57a7c2188ae813eaabf67935257e602177ff089c4b3f96f40de29c027a4fdb41654e69f5b5e8a23be54f5a4149ed33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3632421510797839926bb8f4afa124dd

SHA1
f5a626a365a7cc9e8d1856989217fce69ad6fc20

SHA256
4ebddf209fff0d79ea0e7fbb9a247317fcabff346de3efd1c9055a784c9a12f1

SHA512
ba07b1ea78f8ed0c36ed3891d7da9e2d030cb32aa596b7e0aebf36ca4218be5050bdef3b12caa547db0ac844cd78d27d051f8e7041da8a88c3479b8155927db6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
598f19273750130ef946976ff550d105

SHA1
8fae2107a3e9cfe3272c162348350828dfc5a00e

SHA256
7ea62278a3996477c060d953005b60f09681016784c033a0fdb730610d3a2999

SHA512
63122843a9d20e96678ab0c3e049aa21aaedd74aeda5a08c3ea0ac9c75e30e37880c61dc0cc24100ff8877eb68decce9a288c53a0695a366cf9d83c3e9479341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
d55cd282b227ef246b797b8f2ee25dfb

SHA1
1f71f382ab92ea7cd88f135d0b6f9bfd18ddc6b0

SHA256
b11b69ff00973de9fa8ed2eab34c6e4214cf8a6b3566b416d465aab582e6f601

SHA512
2d3742b57750028e6db9ac4ba9aaa6c61ec5e32e413894376e1b8c6a9fa1798e8829cfce09b22d9be323b917e5f5738c8d5796f57a3a3eadd7130f65375e4dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
cc2fc0a15eb0a570941939237218542b

SHA1
a75d2d16389017914964b3d112a4fa7f0c7248df

SHA256
21607806441628a9ee0449e057f140e6bab7b89e9dd1ee03bb85495ffe481ec4

SHA512
a641acc05b492f44227759f16fd9974ad25163641a3c1a22450710904a18361d63a5d56e779510f98ff93e9249b4811b433ad5e6398750eedae5bd2dd0f2f008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
572e38c5e12999b9a0dc36fe29130a1a

SHA1
1083c3d8facb77802ff9939a95cffcb92cf3755f

SHA256
8c648c761b62d68ce1f7078c51b11a4f6843ea363fec707cdaaaa951761cfca8

SHA512
84aabbedff3bef8c67a9625b2d0edead6de9c2db1384709950ee68f5f7cf79075b220c04a57ba8692ea28ebed04de90f0dadd1be6fabc56e5fd7b235e1792e23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
11adab2b5864c5c99b08240cac6888d4

SHA1
928180d9129891c0cd0f7f576efa23509c918ba6

SHA256
2867235c6211dd6c9cf4c00ff961258a5ba65b9e87ab2791e81470138317852c

SHA512
66a65ff94218963bc75ed4e5dc02722ad8346d83bd3e3ff1a869f691971f0ca98a1494e6dbe69e750d6d7a8fd206e9486913dd0c0e2a60a6a48e46c5b64dc624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
05b2f14c9a536ee102dc0edb69884571

SHA1
3508a06fc822e85d3db83e198ee3321f4b44753a

SHA256
8b6b9faae881ca8c60b627f5fe3cc91a9bff36def4e4f9d9c85df382deb4f59a

SHA512
3a02de57282ae7debcb06886aa31e3353a4e4df0aa4f93bf4207610ead3b24eedf5f3a2f6166077c1cb8e712c59b67beab26dbac9c980acc2489028ed10be250

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
da3675abaa91df6b45f8b62ce128e624

SHA1
e9a68d3cd4b402aec4d86f56873be451c4e1ca86

SHA256
8522cab2be9796cebdfe5e5c081ccfcf2f76aa11142cc9c6480adf949d3dd837

SHA512
51cade4935dd8d6b9a9e321baa080efc4cdc23d641820bf0b16fef7ad696ced00e4a3345a441f2dfdccb0b15c1a8d0eff9eb4fbaae7acd7372214308aca710c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
ea7b2ccdd60994b6df0b6ac8b9e3b197

SHA1
88b1133a1a83f630485d22e150d86ebecccc798f

SHA256
624aed1edcea8838a176bb57b46de8e91469c3bdee66093e9813c2792b1905e4

SHA512
cf944e49395e4634bfca868ee49bec6b777e0a65105cc018749e6ac7c6cfaaa79b6e0414257f0358b513a90c7680ac18084257c5915df43033e830649a431ea7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f3052d7c2e3045884313f14da3d8a3ae

SHA1
260d5acc00c2da904b2b97a40969be036012fce2

SHA256
23ffdb5e9b8ae7dc83cac30f708a15d1ed393d3775fbf29ffa898e524c0e51ad

SHA512
54509139893b6fe43a36c1dd1a9ab80e1db979b406c5c97934dc52ae0eb647a3db6fcd34bf5707bd0f07db5a26aa3ee2baf73ea1c1d372309935c64be9d06f07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
84204b2928c32907fcd9691cb3b7440d

SHA1
7c4eaef0ba80e4e096b1a9946396b9eed0bc5bb1

SHA256
9482dd28f85df0fdf9a0cb97171a7b035c8188146cc380010b88336a70142a43

SHA512
e0cf2f718bd83a0e71e27db16cf8b6ee79cb990a0030339cc9e66a7db3ea99e28a00eddbad590250d3c5334613dabdb7e9e3e919bed65a25f7e50358958bf2ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
840cd151f274ef0f00cab42887eed66a

SHA1
39f0a3f01e58e653cf486c4e8f53844f69740725

SHA256
96d93bbfd2e76c355e7d00c9a69d939a973a36c85da2304da06becf86de67458

SHA512
c19b4fbfeb972a1b89ad6fc458918f475c9ef302f336e81f5a70f8a71df2f6695a18cfba5eaf22a334bddb8049674cc820aef54dd2eb8aa75a6b35691dac2bdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3ae1676d14e39b6e949cf488e41d32ca

SHA1
dd97d640b9e0e05252d87785f603d421a1781222

SHA256
1d3662af103078607a43fe01675a2d346d0a09eda6dfc0b6e4a0422dcbdc73fa

SHA512
82061150d9ee1e6f8db6e69317d54de4518f2f2dad507f0b997f36499bc7f0dfdf988536e0d35338ac68933b70818f8e2e33636349bcfa2315834cc04272c944

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
22115041c2655874b9ef6c9b747536da

SHA1
9ee27bdc9c5ce46333807fb46a5d3e693d8ff9c0

SHA256
cad3ec1bd80df5c4799389189d3fe12e7b53e439e0ad30956ba1ca0a7c9ffbff

SHA512
2231af99260957cf9514bb32705f75176d47e15d2e973498782da325e4e46e88b4845df215b5a33b24b682d11208ab423f061dac208dfd9942e86bf6024c5450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
f9b39ea7a9f2833b860afd7e6d20d694

SHA1
4cf4da42e83c1c608c3497a0872cc0e3c2ea3e44

SHA256
90d114038b853c968b689dbfdb55d1bfca5d330aaa64511e30b37df1e0370570

SHA512
a81ad7292fb49cb80d3851eda9685b0ea0db6acd94c85bc9b5fcd8b1d2c7d70cf627b963b21c7f977f1fb1e2bca4e02d5ea459142154c49d5d01bdac87287e20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
367d07bd2fdcdb6d4fcc9c0c4b8bb733

SHA1
08a03787d3ff7cebdd4676699e10b6b9e92a1c14

SHA256
6c58a0db4b0315a3cf1ce77a431eac0861bcecabfd18bac64d13619dcc464fcb

SHA512
30997c61de703d11e651f4abc212adf0613f101d885e8b1f02394c51222dc3cb144fb316da27e6e1d47c648d68ee30238eb9c1d71ef4165f653429545c2c6dcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d792aaca3869173697ceb4e013c07bfc

SHA1
43a49a18da468409a372d8fdfe993be95f954ec8

SHA256
304add8bd67aaeaba3188e3e4d0222ca16fae557a885b6f83ca7f368ed7337e5

SHA512
1bc5455263f16cea18a46a706239ac76031a963d3dd4577826745de9e787cd300461ed36d2ee635865835862c3c8bf435c9b9229b7c7e47d99595ae16f6d5955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7205a25ed15245b56526d42f2308de0f

SHA1
f792113c6593a1fb0a64b792e8bab43d96c89a8e

SHA256
286f21c5412dcc545c336d847e8988a73d10c2fd0b6f68ade840363ad3dc2a2b

SHA512
a88e4f0a997cff18adf447367f7b667bb41e8f51483fe7561b5f31641349e7b90c0dd0ccfc6ccbe7c4564fbc51bc9e9bcf5cc6ca5700e528fe401fe837c10c08

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
42e6309ee18d5ff045cedd6d18a47ad7

SHA1
6b52e9cb7d38cc5312e07b44f2ec33e735d1476e

SHA256
ed7fe51ed99caa953558a699c51d7f5c232e0fe061f35731116a42471fd4ef9c

SHA512
c005bded2b4ccc35cb4a4768992dd2315a2d2aae423ffe4b27ec99062b114ad37f7845b82ddaa21802006fc7ee57104eaa5c5c85c0f813eb113edf63ea63d6bb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
297ac8d81dfc1369e1b518e197a6c00f

SHA1
432dd87e0cb7c269710450594f47d24129cd13f1

SHA256
bf896d375d5fd206ecbde0bb163f4ca769c1ce144862d79865d2e6f30e58985f

SHA512
92746df6c8d11778dfad2ce5879a252189864b32da64551a9929368aa34c8760e458e8051144e8ed171da19bcefaf5947034b485f3d3ce5886728c5bfaf380da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
d03c799ae7c3cb363aa784dce6a626d4

SHA1
53ae7a39c0dc945ff9ff53e8a7aacbd6374862c7

SHA256
a3a18aa210448d211f60f47add8f2d9006611ea506c03d52fd8122bbc35ee67d

SHA512
c6ed3757f0a779adc4096dbe61747705661ac43c1c6e1532e32d78087342914b9ae8325c73820f195a895a4e4de60f8f19603e8dc1390bb527647140c7ffc26f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
408ea8656f4c513e070e8afe2a80d13a

SHA1
8491077a6335bcc8a3f6e297ee4cf025938865b7

SHA256
c96554cc3b715b760fdd4c33fa326bda380528784d02704f4ebce552b0eb42af

SHA512
e1d841ec85d7b298c2c4517a18a7a2a6446854610fe2a7caaec0155345cfc0dd22b0da0689c40c550bdbfde72a0d96425f27fe6b678e9861f212ccd8d6c54486

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0b7ab314ba3d7ebe80e3e1da8393c377

SHA1
d7aea85c5767088040c219b6dc42ce9575e69173

SHA256
e700ecd9552575f571e054db8941daa45b904ef4e9e5c7f9e45f2a64f0326cf1

SHA512
a126200a5ed4ad1f6e41de2c2e51aea2a069eebcf5565727377552499be261017ffc702f4073081926dc6959c62f67f2f26b749121d4d7edc38ee5cde143229b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7e9dc74e897caa555b5ba4d1c8276c59

SHA1
6358b54a5e84aec7c17f74ac9d88cd3e188e4d8f

SHA256
2344f8cbc43f484fdcc0af82c27bdb9f074140d56d3973c3ff11dc14499c974f

SHA512
8410da81ac2db57230ebf88a7222eca05e25ec54d17b3cad572ddca7c9ca2a6335f2761c78d6ff2195291f4ac986583a41aa8b102cf562facd49a6b764fe0727

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
dabb29f74a631103d8c92935e9e85528

SHA1
f3077402def4e6a97e9543347a7b30439fca658e

SHA256
300f7faf12d1fff59bad4f02191fb7b7e225468677cb2e77402ec20819cc7dda

SHA512
704be964300d159738ddf99d0847d8b7276732b49a0f3830ae651d0038920ba5a2253ac681c6406565f0ffeb447ad6f9e782b8703094fd885a06653f119e03a2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3ce597003831718c2a79fc2188c912f7

SHA1
04354a25a2c633f7f3c93d51bb17ff3b61b1ad75

SHA256
dc16936408aac7e622183f8bfe0dfe5afd9130a07a84948ef5302c258daa8568

SHA512
12ebf1dee3e7fa1b3fdc649cebb58c75bca10e820d3822bcfce9e24bbd881629035a41fc75da0e97b0c2490a367c2287d3803b3d26eb170365e8464203644200

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
1b137efa0b0a3c656951b53ad754b943

SHA1
d8459ffbc4e16ecf8b0a03322130ccb55d4cc2d4

SHA256
0eda1cbfd2e3e8554f32eb5f59eb7c78867045e842d1e951e7a5a8b1483a3b72

SHA512
cc197998b3886ded33571921a8e70a8ce70c258097b0b9afa4322194e38cea2fbc0259e14287124476dab8767fdb5e603b78eb35496f6643bb01ef2ab1708890

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b12422772e3a34a1c1ddb73c0fbbc511

SHA1
ca6f0be0746bfb31e6d9ea6783895ca6c88e1867

SHA256
9866b71a636acdaebb94e35d4133b04071db489b2fc93784bce952b34c1c7bfa

SHA512
210e4cca3a317eb0f81fcde2a98b48081bf12333c8f409aa9745be9d2969263bc0da3a1923642c4f7c4fbdd50259d5a72235ecdf75cfef79681521d5b4025ccd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
37ce03182dfc0835126c4c8a0f8d3cc8

SHA1
a0be66f6e6bd88c953cc00a7bc48e09f7142d3c7

SHA256
067ad4b09040ad29ef761c2a115e79ac65bdb8809e80c12ee275abc0680db2a4

SHA512
ada1f0e3556c73bbd9886e4aec14051832d6896b06ce584ff4770e4a95075164fddf92797fd54f7acd8245fad4e67097a4b2c599e3e2f1bfc373b84623e66e8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d04aaa9ef726f9bd03cc4658beb63946

SHA1
61a4f32f13741821769e5aecaf39c138bd61067c

SHA256
70b0821f4b29a370e0fe749f70c9d7f0cd7429fc5c95d00b5c087383ffbcd5ca

SHA512
00111e97e01dfa03f80efb16876a55a8ac850b602aa9621a3ccb0fb264b3bc1541a4e41a80c8fae223934dd7a953432f8027acc6e0514f425515aea5541d10eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
c7d81adb5ddd4578bd421f3ae44c09fe

SHA1
caf3125fdb8a55411439c0f9af3818214457c450

SHA256
7db69d5fad915be4c243182665d6918b81d4318e877e64bc99d6cb9f5076006d

SHA512
8158b2bee9e7b068c6a3652f83154120691724867d69d98a0a9011c0857a843b100d17feccce483b56ac8b72a26c37acba3b20f6c0cf264af005f161316f6f40

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
431b2c18ae4f4882f7d96e8f696c3382

SHA1
48cb2ff920265021d2c2693834143047c447a880

SHA256
4b9e8cfb1938ee66add2a676de172bb1ad8dc52bc677846f120f6d41c5815ad4

SHA512
5297afb8eeaa4504b811c943ff2868b612a583eebe7f6d68375a5c1eb85df64f5d096d1492886cd20f03293575819a672983c4e06785cdb47b0f819c7da6257a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
634f0357fde3a5ae3cd4a429618b431d

SHA1
d755e7400f5e81b65bd466733fcc6aa1778d4547

SHA256
86af5d962fef1524d650924d05bd5f9ab6878b80c5f2bf9ee6f74fb0d39f59c3

SHA512
ed4b21798506ad81581bc9d5d4e55428b5b1aedceb86f9c17a4ea99b90b4fa72517c8c64d7aad6ea97219494425285f007029fa3c1d6aa522eac4a7fef297bd0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
dfd2f9d4a5e54a54c47d052af01c586c

SHA1
b0130c55bc71e36dfdec1f08a5ed9427b9eb8219

SHA256
683610afe90121e3f7d949d60142d6694ca11ce0404a9ce58e9109f68ccb807a

SHA512
e2e005910df7bf470c0645609154292d92ebf31640e21ab79a7635653b0e672a429e20cfb5142ade10ecae2125c29497d8dce691f2425fd7cf37233cc25b0fbd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
a75eca2f59887a53df4ad3767742c365

SHA1
f1affbb0be6c8289bd0ece890846318c6f67c118

SHA256
0ad05f4d61702797b4883c09177e711104ea57be50b5b3a8eceb87c5222e1b5e

SHA512
b997e69af4d72de7fd0a54bfbd794cbde49b73d6674c6addbc83bbc753709305caa9cc1086bde2dd0374410599b5651ad54e08c8a0e58611bc6147d951023f95

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d37028f74c9bbb73afe4ec56548dbb02

SHA1
e425f2b29f679be837ce017995eaf1db54840fd1

SHA256
25557919cb363fbf52651876b46cfa37697cee93ad3f75a1940c12a2fd5a58a3

SHA512
eee428fc24ccf020e4ec373668a537034c7657af6ef1d75a6991a9e4ff7e0e090e4a1a174b6a42bd16262eae26a4341dfda6fb8c59d2c83d9afafa85fba75e7d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
2b0e13df21dee7660fe0204ac997b631

SHA1
a32c63b454e91c7e8ccee8e750ecaef0ab185f24

SHA256
4523705130e1356c99ff8b0dae59121d7259f65f84da58457c6cf76c47112fee

SHA512
c6b77341803db7942c5249e27dd8230b6d4b6b4f636e5c907313140fe411d52748b17470ce50bf0f5f5f5b4aa8b1aba66a58dbd12fca076337775d225f727ee5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0c834a14582ac91841a0dcf14ca87db5

SHA1
fb2ede691cffd991061bea7ad6d6eb913a3ec2e6

SHA256
70d76bfd44233005c10b99c084dfe4b66717d60936b61482a53dbc0cf63aa1da

SHA512
2483ff91236c42230ea9f112cd948f29f6061db13157469f9acb53987392e32eb6ead36af4269b5b14056098e4435e2881092c07ca5cba485c463acc468bef1d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a0684dc0d31c70f8825400b32ecfb20f

SHA1
c19d16a508bf6876d53b2b0ac021cfe74049f049

SHA256
361c7446e4013f7c219f6954efe440ad6e788fc41714858d8207df67163874dd

SHA512
e38942c3bece9e99183fc59b3b2b3cbf593b0f6e3cb1b8cb1454f4bf3bdb7a044d1bf6198f1a4bdd749e1ffa3c5606efc4868e86f09f861228f6692a8123edb7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
29bed9e5ba40366e24e2c60f7526949a

SHA1
56e24570b62503e67bcbf00f5831d05e7e3c6988

SHA256
3f2778ed49d76baae2762aca393660994439bfd70648c595e989985cad41bc22

SHA512
c8c262e8fd056d9c952a4b3d0defe29567097dfaf293d45f296805d3953b43a5978c8240bd1c5eb08072e2beb464731ba0e32afc494a7402ca8e0b88894388f2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
fcc8976582c3f91901f646932f9c5a56

SHA1
44a86d8f37a345b507e7dc14424ab5a5284612dd

SHA256
7d86bd25546d74068b7325b4b0d17ca9b62f2989fa4f8bd2f7988f8c3908a924

SHA512
eeda64e12a458faf09085be32dd377110ef5cb38282ed8f7842b5504febec9902ee576885369f55c985a825e200a3179a119bcf41ee082921dd686e47b6efd30

Download Submit
memory/948-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/948-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/948-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/948-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/948-58-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1420-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1420-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1420-86-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1420-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1420-83-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1540-494-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1540-199-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1788-187-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1788-438-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1892-34-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1892-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1892-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2204-496-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2204-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2672-497-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2672-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2764-380-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2764-162-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3060-89-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3060-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3060-209-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3536-260-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3536-550-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3700-236-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3700-116-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3840-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3840-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3904-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3904-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4080-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-112-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4172-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4172-8-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/4172-2-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/4256-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-49-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4256-55-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4308-437-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4308-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4324-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4324-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4636-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4636-127-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4636-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4636-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4852-113-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4852-216-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4896-131-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4896-251-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4904-129-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/5052-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download