63cb9f514e1ebdfcff5744b901d9b77399d1bbdd861e2167c5a5756be46875f1

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
Size

1.6MB
MD5

e8554b32e53225bfa91abc9cbddf0da0
SHA1

9f2b83f9a408d7ebf8f1a3bd99aabdb908921d5c
SHA256

63cb9f514e1ebdfcff5744b901d9b77399d1bbdd861e2167c5a5756be46875f1
SHA512

23ee60d6e9da6cd002608ff358f91ad7d254251a3853e235a0fc5458924a6d623df56097490cc9a2b80c008daf429ed7de8f526bdd1339bab87e0bb803ab708a
SSDEEP

12288:1dhjo4s6rLzxAUMPa76huDeegxo8vDMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZj:NDMS76huDyqXSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4516	alg.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
1908	fxssvc.exe
4228	elevation_service.exe
4108	elevation_service.exe
4040	maintenanceservice.exe
4740	msdtc.exe
1244	OSE.EXE
4852	PerceptionSimulationService.exe
2104	perfhost.exe
1248	locator.exe
428	SensorDataService.exe
1608	snmptrap.exe
4956	spectrum.exe
4292	ssh-agent.exe
4176	TieringEngineService.exe
4156	AgentService.exe
2832	vds.exe
4016	vssvc.exe
4344	wbengine.exe
4048	WmiApSrv.exe
4788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\50d00516c8648821.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b155333a0aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8f3cf32a0aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8389833a0aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b48b4933a0aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fdf8134a0aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d512f33a0aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2068	javaws.exe
2068	javaws.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe
4008	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	392	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
Token: SeRestorePrivilege	4176	TieringEngineService.exe
Token: SeManageVolumePrivilege	4176	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4156	AgentService.exe
Token: SeBackupPrivilege	4016	vssvc.exe
Token: SeRestorePrivilege	4016	vssvc.exe
Token: SeAuditPrivilege	4016	vssvc.exe
Token: SeBackupPrivilege	4344	wbengine.exe
Token: SeRestorePrivilege	4344	wbengine.exe
Token: SeSecurityPrivilege	4344	wbengine.exe
Token: SeAuditPrivilege	1908	fxssvc.exe
Token: 33	4788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4788	SearchIndexer.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4008	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2068	392	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe	82
PID 392 wrote to memory of 2068	392	e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe	82
PID 4788 wrote to memory of 4520	4788	SearchIndexer.exe	108
PID 4788 wrote to memory of 4520	4788	SearchIndexer.exe	108
PID 4788 wrote to memory of 2464	4788	SearchIndexer.exe	109
PID 4788 wrote to memory of 2464	4788	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\e8554b32e53225bfa91abc9cbddf0da0_NeikiAnalytics.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1840

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4520
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6894358fb91a9f39e9ea20c73f46a003

SHA1
8faf336a10c264054f7fe8cc41724ba1facfc733

SHA256
a2e4d08224a2b99bcb8cded844be8cf648dd3bfe7f78378b19eebdff15554ae7

SHA512
d9f37e8670e12f276fc793cc449bbdba15f318fb48ecddfe19b2873b2f78beed96bc4df6fdbd18d21184b35e674a114948e8911318e6baaa00afe37be59e843b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
69d92ad35f30ea2b9eae70c5e9cf6296

SHA1
f36ef7f1ebf538ef9cd2cbb6feb746d271cf0344

SHA256
98b17dd2f2b9b6378e4ccc149acf19854682b1ff80d54981decc79516ccb2e93

SHA512
9406841e6b6a095f258e7f4e1de1e12add2eb7c40c07309d025adb2e717b7253084686673aa2ccde4b6449a99c062d353be823637b5df3e5004772cb8de772c7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6df7d0a336af2e22e741ba45669f626e

SHA1
d15332da7bfbbdd60c9839ca0f72c116dfc3f81a

SHA256
c8c647bee1eaf89783a9baa9eb34669790841e8018521d1a49556d87ff27720c

SHA512
cc651477dcba684fef80a8bcc046c21d869d39c98fb1042f3a72c25376a6f99086c363ebad2cd1e16430a4e3136319a8590716f9ae3801cf0f63ef57e461ec1e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
61f6c7581f95dacba24f6aafff81e0b0

SHA1
defb35e906776aedf7a7134e8c982cea3c947f04

SHA256
82aea84ae12e2106949abc0fc52300b04d4df008097003ba78caf6f56698bd6b

SHA512
511cd4f1dcc5a35e7d83dfeb97e121b0d115805fd1fe7628e4935df25bf139bf06d76213eb281b676f67ec451f22b80ae99074821f9d9d29c0c15dd382e49f77

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1bc8639ada2d1dc4d8e1b21848af58e2

SHA1
15f2386bc47bad78af2ad1e7d7b3dc10185eb207

SHA256
da9ac6bfee32041f3eb875328880774d7fd6b6adf981fc33dd5d88a705a82d4e

SHA512
db92ecf0f476aa1df4a8d414128f79186e385e8815794343bba36a3669539dc9ddd258a28bf4a22af4ae73db537e6c8d30077eca654000f0fdb611ab8350315e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8b50ff40979b89d522e372f7345d1e33

SHA1
8b719fd7f00faa5395fc9f6e13b4942891b7eca7

SHA256
9cacaffc0f61312625491b23e587fc6c7072717055f62a331a267801e63a919b

SHA512
55672d3ca7afb506c09883c4be433118e55f221ede63246f78844b6599b9b562cefc8dc3289744c57f28cead3e9d9da6be66be417be2bbd76d77b8b4afa91fa9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7f2858817b676995fcfc831043fd3385

SHA1
66ae5a2650dafff44d5f7cd6089e22c37ad6e0be

SHA256
7e7fa878b3d7eaa4a8bf899ba44d51d452dd7d0717d9c76d8e2e52b8f552cb61

SHA512
ed6cccd85d3479a5aba752a4f3750d312a925ac487c309526a54a402254fcc134d232e5b108507fc336f923148911e7ad2a0c93066d412b11e001eefed132abe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
986a3ed76e10cff6e59a503fd39b4d93

SHA1
ba029552a399b217ed752e6ea64ecd8303ae9a97

SHA256
3e0311640fb0385882e28f8b56e939f92ed7e44ea9328e879fe7b480f3f67a94

SHA512
b39d0ae729bc079b3fb24e9d356fa725aba17081fd29da26b532a5aa781970ad87ff8a85d8ee8de3282d8ebef07bafa5a3661380d7f98ea9498ad1fd0c2bf3f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ebd30388527427d36b64610c0db6fb42

SHA1
fb5fcd87f17b7d092dcb3f36a9166055f9ea1636

SHA256
50891a3bde2c7558c4f8d9aed0096b8a020866a161d41873a0d517b46101be62

SHA512
9cb59cf4ac9a4cb962dc873f64cd61da85283b22af273dfa60c01e5ce368c00481f94c568d0f1f590fc73f032465c7e4da9ca7352002516406294c5a4e188309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
62fe26bda3f03f6ecf024fb61e3866fc

SHA1
1b53ac7412041357ca83731e6ef94eaed59d4e0a

SHA256
29dceb45a1126f4d9b36f8a1226ad1ab9f378fbff0f872679c971b7a1a4605b1

SHA512
ba786432ce7c669c079eb54265623703b08ab49b65286e5cf57b07b0a540b468844c6b66fee568fa7e730dc765ae9e7f9a832dc888193123a75beef6233757b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a3bc1121130525e9ba7d701955a0c5d2

SHA1
25a56628c1109b72b7cedf369868f0561d113753

SHA256
995556f3582d840f6411373cda6144cd045a295ebed77fed32af7634a2ce0ae0

SHA512
6874032d77d124cbc95b28b76c7162db98af5011f6d2f400cc11eb6f68d0c06a91b9c4c9d75b181680a2b932f9fd279fdb0772b616a7bfe5caa96cbe8e2ebed8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f22dd0c0d950f3d46160ace7c1a9e1bf

SHA1
2391c648da56074623d37c98c0b7bef5e49bc19e

SHA256
5f5ffa0f140064fa915cdca2244a6b30c83ad55ab3a6133f5db5fd292bed2b64

SHA512
7465e1bdc7703da92062d75600cd8ad8dcb8e2e45d8a4c4129ba5bc6775bd3b57a4c694ba550cfd7f39d6ce5731cce60f1b46d629c674ef1381183159427aa21

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
1a1638e5b40afad8350de2e553fe928b

SHA1
b6a4e7ac8b6b13ec0c39e3dde4c24649f7348625

SHA256
69810b352537e54406954ff61f7c447b6a167cd4ab77dec278e6b56b361c8cb8

SHA512
82179c48b9c8f8c43da9eb308535b8b276d4f3c626f7a7943dcd80babff92b669e3d415c6ab42cb4026a49783f5b2a9e824a50b50d93c9d4ba861af0e8a8c213

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b5802f1b657e8b88ac24306f0f16aab7

SHA1
a364566c15f6e99217c7fb2498ee89b0d9f22b19

SHA256
56b93e54e935027f3058dd7677bbd2c633e359d1c457656b4f12137160cfeca7

SHA512
3e42e54fa980838912461d6fd0c2719465b2c328e0dc3f490028075365c37eb883f2c43d2f6b8b8007afd29cc5512d370050490670e76ff0370820e233565b97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
fae001a047b7d1553ffc464db0c08961

SHA1
d6d105a5c8a23f3fd2f8bc69359e67124a607749

SHA256
c85b71e4f2d2f5966132b477f707f6d6a6abafb275e6bf292b475de2b3edb2d0

SHA512
2abaf4905eb30cf2ed6fe2591cc6760e209aeb90acca50b02bb72262c353abce251295de1336a218c46eb5b084ce3307cc8710c0be297a48a752283655c7ea27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d2c7ea63b41b0010d43b5080422a682d

SHA1
9dd5133df0285499448bace44c479d71a6bc12ea

SHA256
4c7c348a873fd3a553d2028d5f5156f4f36e9c4384ecf231b2a31713766a8568

SHA512
9d20d752742d4fded6080d2550a1efd61118413d4cef56a7d1e9467254fef84e559412259e96cba93c5fa25035cbee07824b80037febdc1284a60a0083766c4a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1df4970649975c96e17467b8356a39a5

SHA1
7c6b3bc0c448767bfdae4a1fad13984d862d65b9

SHA256
60feb7a91e0f966702f99d48217e95711aa198d71abcc37422828e50344f2eed

SHA512
78dbc4927552bbcf4cc4c8067ed7e192d18cb751008e1c4c3b3cd5e5f8e654eae3eca8fcea5a6d69031f29c41a467f6dc6cbf1e5c6b02cc41fffab6194ccbb49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6dbfdbb9a442d25ba43640eb66e0114d

SHA1
09b657986776b88b5606d0077c1419123519ce41

SHA256
a633b07313ef59ba2818cb71aaac2f072c395b4f3daadc32b1483a67fb23d41b

SHA512
0f3b3b2629be0f993a1613fdbcab6516b0fb7f4c97940d136800fb8a602f862a15abd8a8c46d6b620f4a8c06526bbe1996d2fb12ee6dba001190fe841ee126c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1b032411af271a097221850f10d3a4fa

SHA1
e23d4b5bd5792d4cdb86f042e4944b36fdf22407

SHA256
997775704a48ceb7a52379f40cbbc899db089adae0f735bd7d7d760d15c72db8

SHA512
f89bce2cc47c85a56ef870f82485e5ed4e6c374129ea169eddee43618607d723b749e62dd6a50cc740e7a855f6e4cfd6c9366982c0417ddd12dadca26a1c0781

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3a931dc2d381b8855d19241e8333d341

SHA1
c45ecbbfe252b79b554d7bc81ee281bf691bb4db

SHA256
e740412388bcc1692a7f9e5e91b30d3cfce352aa85917ac85f439d8ca18276ab

SHA512
82e876e0bd1766c1156702c10ea40e1a139ae6792d8731bba04cce0f99530903f725a75bae32e12f7e409b2fb41952c4bf57d01d12e895ae9c76e63e5e7909e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f0682e5073e09a7bc1454a668910974b

SHA1
3358f36420723115eef195c99c2e97d8843dd7db

SHA256
731b6935d279e598e66738033ac6f6a2f1ddf9507460e432a9f38accda0072ea

SHA512
c8a07d17b37e74cb94124338ae44d0528f601e47b43a0b759ffae4410a82137ac05932026d5d828c525438389b2dc56d6658547d3607c23b0f62d95246663b2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5b8542f972f5e4e9f5b90c3a9b9a24b0

SHA1
8cdb412135be959350d9250aa85614168098f6ca

SHA256
791210012f7af91740bc38df1996aa099ee74d7036ac437800903b271edfe795

SHA512
053b219955bcb43e7a1e5c783758dbd9728685a5322dc95c6b814a4b699d49ce8ca10e410c9f24703dc8f981e1db7d65369c34d6b328ff25adfce480c5bb77bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d01697a13666c506fb79c78148d8399d

SHA1
5c79c9436f190b93aab03b710534754bafdf2fd1

SHA256
3337d3a335eb1e86957fcffffcd0d3078ee3756fe8beccf94982c9a7463598cb

SHA512
6f09bde11487b122d9a7fa122e4baa133d9d9243eb960c480b7f60d5ce3f0f33a010c51c2fc398ac253a2a9f27739cf08ade30116929e982f8dad0b543f01f4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
fdb21c781dc8eb4534e4f9ab939c0316

SHA1
6c883618dc02d743848a4128f9ecbec9b507d9ec

SHA256
e6e5a5e70aba1f2ba139acdf6a61ec17ee109ba44c49816c969272dedcbce420

SHA512
a406113e95c4f9c7f58f9acf8824e0af96a93d514120d73bb686f13ef71cd30be4676b96d2e2ca8c2227eca954822e0602490321826c8c155eb21896951974ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
97de29ad5d575b68291649d9d87166b0

SHA1
4692f61b2538208e63651b0ad5d76238f11360d8

SHA256
e75675a4f0d39f7e6cfdc1346209623f5443ffb8796665fee6937b55d64c5c14

SHA512
db9e7c4618983db9e7ec7827f15c56368281f07fed41d2b26e4c12168004525f778572d84a0e85575c1cfe73b2f99d4000d2a6a4b934ca56b960ac1e6c05fce3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a5482ccfd0deeedcad4d1c9736039f50

SHA1
b7750347d462cf37124f8c3389146247f47dfd27

SHA256
87083a92ae5c7476a4921c38bdfe1cf6e696bf1343d3c673076537fa6597782c

SHA512
53001ad12786676331c25f81326f80b34ef6397b7ff2a90c3ae48b1ee466537ae9351f6b521f3003dcfeea631e93a4de7af134e37024cc445a5a59f82fe1eb8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
79d52e1b61c9d366e8e58127d47aa5fa

SHA1
9f7f4daea01d4eec4b0c3207e7e67dc4b60a7992

SHA256
3698b1d45eaf87f35dcd658ad0b570f78ce7948291958f4b136f09ed5482bac7

SHA512
c3b009cb8a323015561bcea9b412ef343243d647a80592961a52bcb3c9fbc36bb030e7b95780048753a7368d0d2fb65e0aaceb1d89dcc88dea2646574ec27646

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e6ac4a060b05607308281e28aca77ed4

SHA1
a41c0eaa98b544c3f8f619ad9f170b91e3414821

SHA256
97519fca52fdd1f38d94ca23b42135dc5ae476caed8c8f07412bda20c469b174

SHA512
0442ecf3d90c04b0119f69c785e652f557591f12cc38872552895043533dceee4ab971ed41187359fb3ac6ed7d845f5db0efe2aed00c38576ced981f6920acb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1bf1c5de8acaa5d7c9418d18f7b46f3a

SHA1
7f14c9a15008bd0b410a95723e15c91be8940a51

SHA256
e16ac970786739f7bd31dab5d6ea4a77adfa4c6331b3e54f4d987da278fc4cca

SHA512
da9e4866f56e071cdbd107ef3e5f3e4fd32f82df1f00f498c36c38a269fdee34a033366c23f192097874d1e27cbef29859c1ccd804b3db5fcea6dc92f29629a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a922562983f812160d9d76cf554fc6f3

SHA1
9ce67edd85db896ab8f17c388c366798ab02c5c6

SHA256
0ce8dd60dbc6de6e97aeb190050b317d27848d11121463fd8c5e819e93c131d0

SHA512
07384fbfe78849c9777a7d935098de5ed3e2b0354984b842d40183789c009540d87252edcf7791d16a2706268b2e7545d244240b288f256f79d9dd439057f987

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9422284f7ad28666d28b53d623c5965e

SHA1
143af3aa90f829accf6c85d1890ca01a900d7cf9

SHA256
948686d65d11c08127ead4cc0a88de5b61524551bf02e0186e4f673368ea303a

SHA512
574481201e0a2b84cb1fc11eb8e4ec03716e4dae733a189f02ac800bf9f45b2bbb30b44cc8a17eb6bed531efd57a077cf02ac6b63041a8875a764e14045a325d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
411e6eabeb6d91df9fcecfcfae0a4824

SHA1
a35ead215efb16ef450fb1dda78615f737699d79

SHA256
9fc99d4bb0e5e4d062e8dad7ad3cddeb5ed30e7c60a09f3da3edf286882c8cbc

SHA512
4abf988aa20aa9aabd8569135b209ad76c34476e4474a3e8de825fd203ebb3553292aab48fc046f12af1af5263996cf8004af43c6fc4fc608d2ed342c0709d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0030877d2b36da04580e03fbe73dea26

SHA1
74a3f03986479d267aa40aa75cc4f60d51fbdc65

SHA256
3c6f4c5ccb6ce2ca7783d9e3399d9886811bf0011b5860852158a61b3656239a

SHA512
d37ebb66d3c76b9947c9124c5fed7525861aefda0773b92b865534ec4403808ab4e82b1df05611e8efcee26f1554dae2cdf3fcc331304ecc3f7d450a423b54f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
788f6cb926106a0d63a65e6415be8a4a

SHA1
08dae390d4cd3f5929475203d940b952ebd04d67

SHA256
4fc027ae49404b9148329eba5dd9f0f596679cc17d239245f1792ae4c535cbd7

SHA512
58d9ff301b638ea9335a14ba86391916993eabf4ca584d11c44e58cf6de45ad5ae6282a5c45fa7a5171da94d7e41e09c614ebbcece0a94a3cfe28d9a1f525780

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
6e6dbda69677fd970fb6c1e27762e6db

SHA1
accf8074706b39426c8a6851847de4559b42a594

SHA256
19d25e11bb1772590c05f27ed38fda04ecfc8629e14ff9c18bbd7e4fbeaf1463

SHA512
96c4f72da1c9a1c57e44689430d7e63e2037ac75d89bec856bfbd2ed41ed2c7eb4112bdd89fa9fff25ef5721442848f43b32253c19ba8ab270d28dd195bb0bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
32a5339ff1e1918f7b2b2368b8495063

SHA1
6fff105e6a6ebbb81c86fd8ddc3dcbbcab7eb047

SHA256
38c5ee0db83fba5f168854c5649d25b710a859fe215af4a7db76b3fb6cbb365b

SHA512
1a7e0109e1f1aa0cfedcd04a40fe4a169981fa0a0961f8df777c6764ea349fbaeb0c88e91fcbbf939b733caf4758234e31ded982787cecec4632734a67eac94d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f7d9e29ee40de896a018ff8d748faf9b

SHA1
2dc499e6036f813633efcdeefa5e4e20dc5b77f0

SHA256
aaefb8f66bdb9ebef28c846ff02a6094721fb253dfc431b3f6113e09e245b11b

SHA512
b18b578e3d20c9de0a41761c80422cee6ef91a5c470aca972856da5351d5aed06f44e4705cd1d3a3465f26d2a43ce7db5ffe1dbd1dcd657b290b4236731e03a2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4f003ef88ed000c29391d8dfe37499a3

SHA1
b3bce9716f32ca5b0da578c64d885fd55021e043

SHA256
47eec3e4b71d4714c29f8756b66c4db5ba5ca1aea910870f9a9d5bf1e0a234cb

SHA512
192d497a0cde8b756401b7ff934d2d0ce7d25aecb3b654b75f10070718884bc0d5e09af56e442ea507f57991a8395e2f65faff41480b24bf52eca6253f7e3f41

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
61a3e235db1ff4f8710675bd848935f0

SHA1
01b6862305389fda00e566b447e5a301cad5b0c4

SHA256
02cef639000c9aaefd9a46705472087ba0b0d9638a726f8080be3d50b8f3b403

SHA512
4654808b1b00608fc08ed5ddc908c6e10fb00d06f97d440b515a202f9987ffa600d29d92694695b3f71e83f0c195e3d872a89fe1d7b52bc3524a60c642f02f64

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9c89fe120dad5c3fdcff93e48229f810

SHA1
6acedf52be1c0567bea7d71b28c9255467bb581c

SHA256
c5de0c4a672d43413365ec71c1b7e20cd20c15bb73ba616b3c783eebebb0f435

SHA512
8db0fed31787aab14b018a07b65da6b16a01676a74964e1225f16bb6efd7b204914935d0ddf8477200536f226b7933a96c09d91139ed1867c2618780083ce4a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b190868a23547ccca6adff3c1dd984c1

SHA1
712af1d1fd2136959baa9db889e3b6fc5a8509cb

SHA256
1f7a87dc8fb42215db02abd954dcc7c0121b113f1bb319af7bfc5ffc7b755156

SHA512
ccbc53df17088757169f99ff3a0a06ccaca15ce6484556993ae6338b3d380947e057dedc4ac871287e72bd677c41673a3593f598d86d0c5e3c64faa21e02eea9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e57d743a71e83cb9a94d77a3fd476087

SHA1
0d32e8cd7d12c5ad932547f83aa13e8abeb4b01d

SHA256
469f71c71dec00477da9c83f40db7e9cc50cdcd902c81673fffec280f931f209

SHA512
95b688ef9539aefdc320948a4a5a4a2e034f189fdaeffc4524e953c1ba462f5472940cd3c5642be957e540a16063f0c24fba516aa09d993ffbb125d3384dc74d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5f42b82f40bfc6b513710d86d3ec28ea

SHA1
f3bf152cb31b7576f8835c93dba02f7d6233c457

SHA256
15d8a4854a190ca0a9e4f536c5a845578515ee24f28e8bfca45b6786f6279de4

SHA512
f96d7861747434c3ce9e5bf52470f1766194e5e53cc64e5fd340f9d38a0849d385404fbbd48e108098371d200a6870740ce7078002d3527e833d4fc1a9a831f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c89c1d0f00e4185b6267cd5b0bc3a609

SHA1
2db7c8e827a9ad758646142b48a471659b40c96d

SHA256
dd82281e05b3e6266a7446cd435f0124c06af0c912887cdbc81d353f472d6f03

SHA512
1a173c821effbe5a5ecce58b2ba8fdcd1f79c7897ed7aa5e467568f60f8f4f6ff642458beded3717f3f8bc3386e67f9867d530da9c16f0e439f4dfbd7f1e7f0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a8d47b089136a8d077f9fc6590c9f71b

SHA1
1f54892eaca97f212a68dea4a079a12b752c621b

SHA256
1c456447d0fff889baffe19f2b4cab28e228e84181fe400a026f4dfb87aa23a0

SHA512
b03644e50f89d6d567e3acd0012efdc2d37559002c46b32e07c61af793790444fa0f54dd63dc8596ea05eb60812da495bd60532afd26637a0ebbd694a111798c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
9381f7c9867a4cdceb0b42706d15b7fb

SHA1
bb46486facdc611d771227c29f63cc1f0d264d2a

SHA256
eb048740a4a9d4e9d6833f1c0a3dd8100d667d48bc898508c5acfb4567333bb1

SHA512
6d45f21e1c5f1962ffe7adb64239727f6788e299fed5b5b4ca23ce0238f7fbb5ef908c16557715e7b967a34e231d70614d82790765510771af606eb132adc342

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2efbc635a1d6c8068bfdb8b47ede93e2

SHA1
d54f665a3fdfedb1cadcf38ad83657b0287c6fd5

SHA256
c89a1a41c25e968659f6fc1df10bd8e7d627113e67a8ba6692ab7bde0964102c

SHA512
a428b0a6bee1f50ccebe05cc2a53891e94f1edd2c71ee9cf1cae5638cf9d30939c7fd6721d2654e417a6165117d2ea7aade3ade4f31a77351840ba3b832d59ad

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc606539e3a1e4c8e16204ff0b7f5548

SHA1
8d6e93de89fb1551625d3a44b59f8d2de36de1c7

SHA256
1bdeb295d61a9dd5fbec8a59c18bcb7b789fcc4a343e52a1b2a3d87a68def898

SHA512
ddf8272ac717a78cb8f211882e96ecc197a21f89c8fdf4033d1039dc364991432199c90b286d83f85fcfd1c07a23c16492d7a689d363ac334387499191b01189

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
75b6a2a6bd71aa6cd76011be73237d08

SHA1
01dcc11f0e653f650aadc66fcfc266aa541984f4

SHA256
8d03a91a246c3cadcc5c1086ab5cf71fdb314ea59717b1b824400702aedd0fe3

SHA512
3e3d095280082f75df43fd0986187b3fb5ab2d7e2c17bf52e5c2608238cd4cdba0c4ab360561f31c4e80ae2da83b0e6013dd77961ca185dd8d2ac77017046cfd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2ba10baf932c1ef13ae368aa3741dc41

SHA1
ea3091b4e1861fe72321d18392bc66ef1a0ad858

SHA256
1fbc3d7f4067e182d29875f99ce45632b50ff476ee528b63926a754390c983a2

SHA512
88adbe33ab892dd00edc20be5860a60f341d44df41f99d94f6d24f086a8e8f47190648374b86983f4d067bc673ed28e6479e3206ee9aab1fa677a9f235738165

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5fcb6348cbb23b4ce1b05d615723a824

SHA1
c266434701407b051741961829cd336fc62b76d9

SHA256
2dfa298556b407d6bafe6efe6bc1c727b172fd2f8dcc65184db68dd3a437b2e3

SHA512
9eeb0aa18c092be263d7f449d7914607bc05bfe7e674d824497b5709c6c544b4b4018361b6ed4a515de3ceae68230929c00355f53132c5979ef7e039b373db32

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
7ea305a572a8aa1f8a326214ac02b6d0

SHA1
7dbb1a31782cd8758783c8744f8bd6879fe092fe

SHA256
9d47a8c468befdf9c7213a746ae6fcf39d7cc2da15be836b7968de766ddbe9f1

SHA512
d253008591d90753947ff669968bb7771129bec1865c0eb44a1301144001ba1e214320268a4c30d2c8f86e06b90a501ad3bcf45456d2d10fe202c4e991036c11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
67ee68e9ba838dcd61255e1e890be28a

SHA1
49da5bf42461587ec4923249418267df2a1d6150

SHA256
1eacbe58bcac0e6f696e8eab9b4e3a7629273644974896ae79033c66ebd4f569

SHA512
959d1008cc65263625cb7bc02c1f2494ae41c9cde44b36106aa236bca4ea2531972f67f2937bef96a9548b29138534f58b68e1548ebfe57e4e5529d163f67a1c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0dc74e57b0c7ca693db1b29b481aadab

SHA1
35e2f367cc395c782443ae8615cd350c43b55091

SHA256
b2ea404a7c78d0ea51d9b3d49f3881551e8fd1fa05ab095d3e1196526c3cdd3e

SHA512
d093ed335ebb83d6bb25944f80768c2636b03a517ff8085da3d48f23a0f8b11daa85e2f1646bb0fabfcc2d59c4e31435334eed89c8f523a61df647d35d41a227

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3d615b10ab2097a8e455801233399647

SHA1
6de6973512bce2416357fdabe1d95322daf0eb0b

SHA256
a7b27bb956325d9a9ec87dfa6bee99fb597df00380e8513bd097b3a02b9e8fea

SHA512
4db4bba279bda3344548de94d2a54798d56a003c015332fd597855e71a113729ced635c1986a9811fcd91468745d1f0b32bbaadaabd62a38aae8a09ff78e8f99

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
3d7f7c03e89d99844601fbb1653d34e3

SHA1
a27a444598df68496af8bedf4d57ac932738018c

SHA256
cf04c4efb4e3a0d97d98063db036f6c4aa284a7252a4d67d04c990439516947b

SHA512
6cba5d51c8e311026aeeb10b127010c7be0eb06f2226cb8390c0c9284d5276e4d33b1c36ce472469cf2d356b20f291d971a115b098371131f991e27cce2aa1ed

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68b5482ba9dd36152ca8f705b6b451d4

SHA1
4f65476789553d92794df0267921efeefcb0bc66

SHA256
a207f0035d34b5ada8506a8efcbb50cdc7cf2aaab358ac03d099cc16a759673f

SHA512
8f55259a58a2e6d27ae3b82fc17dbb020d706a791db63101f77726da988bad71983ba3895c94ddbbf1ae292e34f0925f56569a01fcf86e6b70564f8d2d59c04b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
004495feb2909a10d4276610d2dda2fb

SHA1
9aab549c3971c196f177a483683fda9254b2d692

SHA256
547c786a332a9d33ddb38843d50889f0d5d132b75d239d2e5946aa1abf161af6

SHA512
ccdff14dfad1fc3a16efe2da2f205f2ea3dab04c8f426a612846f0186f4c740d56f084cbff345b800cf396ccdb0cddcf97c12eb9c87feae94d07566d6a0931f1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
4b093ad501c1ae8099575f9eea71f10d

SHA1
e0761e520181067257534dc865b1e9474fb84420

SHA256
6e5ccfed6a3b5b53b6da5467a556526f66ad12f29b35a3080757c606815ec790

SHA512
bd9c88099084fc793b6dd8fe5e2bca2420bd2ef5ff312673318aa8af830d55d81d37bf130875c05618a853b8eae5b580b7bc708d7bfa7e1e68bdfb26123b33bf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5d6a04039c3a88b82751a9cdb2805109

SHA1
814d25616696e7652e73091253292d27982535f5

SHA256
4df67ccd1ae698e49bd7ba2e8f3fc35c2cfa2ca139d5a9421cbd609cec5f790e

SHA512
4412812b45bb7f5280443bddffef305d06635d86e3f9d83493d65ff9d8e13a8b63397e0eaa73746b130ae117bad42d5537cb37ffcf10e2e26c1637fa4d79004c

Download Submit
memory/392-479-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/392-470-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/392-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/392-483-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/392-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/392-8-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/428-598-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/428-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1244-260-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1248-263-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1608-265-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1908-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1908-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1908-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1908-314-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2104-262-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4008-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4008-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4008-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4016-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4040-76-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4040-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4040-82-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4040-70-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4048-274-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4108-258-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-619-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4156-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4176-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4228-257-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4228-56-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4228-618-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4228-50-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4292-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4344-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4516-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4516-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4516-615-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4740-259-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4740-84-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4788-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4788-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-261-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4956-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download