09273ae802053f14b09873cdae03aefcba1d887e991bf7f0257e6a7b6ced8943

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Size

1.5MB
MD5

2c07ec37cd04259fd1f922444cdc54a0
SHA1

205768da55f4f11c1d14c925813c3bcd637abdd0
SHA256

09273ae802053f14b09873cdae03aefcba1d887e991bf7f0257e6a7b6ced8943
SHA512

6468b354856e01149945000d03b8c1b2fb6aab75c19b9fa17df2f481372d4e4879cd4f6a207aa4ce13b9ab59ab408ba9477f48f67d288fddaf4bdb3e4a6c4444
SSDEEP

12288:r95a0X03/pF6ue0NzWUhCLj+0t0b/SqpOcNAQgOADb/sHW6Ef+kB:PHEPL6uJN6kCLj+0te0cNAz/sbk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3804	alg.exe
2252	DiagnosticsHub.StandardCollector.Service.exe
1612	fxssvc.exe
4732	elevation_service.exe
4864	elevation_service.exe
4788	maintenanceservice.exe
3752	msdtc.exe
600	OSE.EXE
1220	PerceptionSimulationService.exe
4572	perfhost.exe
1932	locator.exe
4476	SensorDataService.exe
3712	snmptrap.exe
2116	spectrum.exe
2284	ssh-agent.exe
4320	TieringEngineService.exe
1572	AgentService.exe
2508	vds.exe
4564	vssvc.exe
1788	wbengine.exe
440	WmiApSrv.exe
5076	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c4c9efe3b4b1389a.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e104d5384aadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000116334394aadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acc255394aadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000163603384aadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000165f72394aadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4a7fc394aadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000134d5f394aadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000516a7a384aadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1612	fxssvc.exe
Token: SeRestorePrivilege	4320	TieringEngineService.exe
Token: SeManageVolumePrivilege	4320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1572	AgentService.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeBackupPrivilege	1788	wbengine.exe
Token: SeRestorePrivilege	1788	wbengine.exe
Token: SeSecurityPrivilege	1788	wbengine.exe
Token: 33	5076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5076	SearchIndexer.exe
Token: SeDebugPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4772	2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3804	alg.exe
Token: SeDebugPrivilege	3804	alg.exe
Token: SeDebugPrivilege	3804	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3596	5076	SearchIndexer.exe	111
PID 5076 wrote to memory of 3596	5076	SearchIndexer.exe	111
PID 5076 wrote to memory of 2476	5076	SearchIndexer.exe	113
PID 5076 wrote to memory of 2476	5076	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c07ec37cd04259fd1f922444cdc54a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4788

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6f18363e895f97bc25e772962817f1c5

SHA1
73ef9bdae07dd92734711e20fd306f5e3eb1a7ec

SHA256
c702860353d9599c536d5ec86d6ccb9585a1949ba1a0422c985ff132e0107296

SHA512
64e0659e60a2bf632be6bc2d5752281a7c81dd14c43eabee9bfa50d352a8e7ea83bb35a6c006f55eb972e3cab39948407e453c1a466902251c8cc22a7f98a9da

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
9189f00bb05e66fbcdbda3e01dd93942

SHA1
638e37d0ca57b5cd986e4e2928896a493fe4880a

SHA256
4f5b83da023823f474618b6e0b34df69ec5f70aa1533011b57d882c2d506c51c

SHA512
a31a234880c5466a795e468eb7e131065adbc1187e63cf4e0c537d0b3cd48040bd6b66bbd37634dca59ed47144856d821d4d339899324bf5d5e3592d58831e7e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
899b26902040f6b6661d96151dac2af1

SHA1
db14e3bbd65786add4da806d542e5e114045879b

SHA256
25f009524fe0fee5e820a9df302daa52303a0120115fda45ede19e6ddae97ddd

SHA512
7b8b9e8f594ffc17399e7a3d36a879bf8a9267bdfade938240b09fd0271974dab0d4f4f91321fe9dc92181ef192932e5bea744e1561037ce65ba10350dade005

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a71c28df37b7d62c3a0d3b6ee846730d

SHA1
855b4ba34659323231b8f457cb5b5c4fec7ccab0

SHA256
7378b5148524b516d95831defc819a50575bef01965c424fdb83de6d0e87f4e4

SHA512
9450384498546e987ba37ff5f52ea35ccc712dab47604de5cfc61d78372416f1f1d87b564d658a785d980d8127a35b56a56a481138b6ad5d088a9a7e14bb57cc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eaa18a3f86532097b4ab9d795413e559

SHA1
73618d23b4c852e442ec198e2d15861d74563554

SHA256
1007e698563c8a798501f455296e865ee8566a34311b279f6b0c06bdbaa78aaf

SHA512
40c35489a38acd169d789fb1d628dc8f416ab192eb45e043571b0d62d8f896678c29808ab09563a46917d7973467be44896b8b25c5fd9680a3021f6c6e67d414

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
49833d25a1256b466c4b46b35b47d2d2

SHA1
4f6f7896abddcf63752a021b9b49ae001f4bcdaa

SHA256
3fe23384230d7bb660082849060daa06da34930b2fa81e237aa1fc410e918e2d

SHA512
64d6f62cc6a7dfe41ad0e06c78760fb9875673495ff03fb2dc8a91799b596497e995fe6d2d103e44261eaa196e99ee14450371d2d2768fc521c73623d433463c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
2b4460ea1de3a7d7c45ff70840c821ec

SHA1
ac8015931d713c962b9d7dd029608f76c4890f42

SHA256
7e99442bd0fc755a19b568db2b6cc65bfbf7ccf70a52f0eb1366d44df5288fc2

SHA512
c25d5415091ac3b9a97daec207cafbb5dcdf2e253b8b6d47ed14f429ca592c7713c33f15b72b379cebee3210489bd9daa5fd172e42da9f72166ea3ae9d72901f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
556821e832f661d36828ea4b62016fd3

SHA1
7082b5f2b116d72a7a5f0f0c29d5947ac55bb24b

SHA256
38f8ed71c6f60d8de5d9ff532be602f676e4a8ebf1b238320ec8bd9dd75eec2b

SHA512
2c2074c443f91addd2139b7f24463390f6f717100521bbc85f12e2e02f0de423bd171baae0d2cff153d076acf348a6dd31652dfc243f547cd5936e490f9813b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6ec1d46fb75eab4e3e70252a71bc0e32

SHA1
7c0dc35e75c122a58193094a2fd07ba2ce9bf99c

SHA256
b65c02a005f7cbf584cab55ce19b0263ac0825226c9b9a1839325430ad022ffe

SHA512
812e283c0e46cbed73792b788c2138b362cdb97ac936bbce72fb18ed144a4aa6540448cca0529e9e255480fb68453652ec1d36ec728b1917a5c24382a87fb622

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d0c6e3c7475d947471363d6159257016

SHA1
c863b07f03ee2838fac268b544fb6ee23538e8c9

SHA256
573a46344cf02a658679f5f0104b2ed0cc0ea646c3d5d94c1d90042dfde181f9

SHA512
39d84138de4e6ef65fd169a6457e58202be62df6cb3d998c13247747f34179807a5c636fb68644e457fda59d1af1b250d621c45d3ef8f01400425d570f47d056

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7ed98f31942dc9c847be3877261fdd30

SHA1
009be07007a6923edda327a11d5a8890f5b352f4

SHA256
827b44e947990b74bba370f6d13b3855bf0c16bbc87d885b99b9e2a0944c4138

SHA512
5c13424ac69605f15263eeee0a6c85865c9ae0a9c6837764e5909345ffd6ffa2501c23900e904bf8671ecfdc496abc0ca16c54d9aa4676e51c72cdea3e61e826

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ca19b2d92ab08e4422b1196e4ed8159b

SHA1
523598a62e26f073c909448c8415fc7770ed7860

SHA256
8cf26894dc91557849a0100cf504f9da27f58562b60b02ab51a4d053e00c971e

SHA512
ac57737fa3bbeb6ac3d497ba6ffbadd8abf971af886640e11750be7006af49040ed3affcfbd5c3b121f68a9db45e9d9d2fa365e948c653713daf6398686bc58a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d174f6cb73ba0ff401c5ae9c17b500b9

SHA1
e2f0b4085500669ddf8db2aeafc2290300a62553

SHA256
fd2f3d16a911f3f34788efa9db4b2a162bc1cae113baab639474a12f16fd48ce

SHA512
3b645bc0a661315f2cd72758047f036b55f12ea34d8c25198d41cd79595bbdc8a628b03bc623fc9ed6164daf32cbc4efe1ac4720de1d73e170b312e2505f169f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
2561e346026b890f2a75fb2b16d6aa26

SHA1
25b8c545db5e213f2e9af850c4b398451f7e099b

SHA256
4a901943b814e26a1eca06039d92f2f68ea52b01af8e19f03290f6237c8fff75

SHA512
0fc3dca6948bd1cfc8ffa9d5309096eccb0bb45d0b1eb07026a892bd9d642e288b01f1ad5a2eb02d5d8c4efd92e7a4a9618d872693aa06b0ec0d128b83adfe6d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d3862d6dc5d6a04dfe2eb4a0f9d56fad

SHA1
8486763d5cd1aed5f67aebb4a99fa62a8b0ec000

SHA256
f62ee07c435e40757f9117eeb65bf4a6de4385fbcb923e47e5a7667115b70830

SHA512
ae7bbee2935ce1f4f7c58efbc9ee847b64645d39f4ef23b3b0ede85d130694a03255a2da106179db1119c6b19908f2b05552f1b38ba4e12e5af29fd807d1cbd3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
210e30628a3e64624d3cf0c599021cf8

SHA1
13320f52f3a8ea5b8179b95cae8a7eddf883bae8

SHA256
92bc2cd0fd23f67e40e1a0f670d91a86dabcc3618da2c4ae10c91e89febcccae

SHA512
1e7b4bd96e1a68f42d738958d19505e6ce6fc0d05bed75ce3da2c84c7820211905855a352de16363343c574a680cb49994fddaa4ec6f1e1f16e05933d9e2c950

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3b655e216dd6af92240c50cd3345eb01

SHA1
77192798b928375dd9a1df50e648457dfcb06bb8

SHA256
f2b326f25e75e4909037eea1d1beb5c0e86ec6d719c67365d1db7fcd2a5caf9a

SHA512
0c636d7bbb1f964d27edf92fe6d9caad5b6c5152dbee75a5da82f1426215b2f77cb7b268fe8077112a3dc313f8b6fb2c68eaf0800d046ca6443b885039328b0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4821872a959f6428dca7d0d941af6bf4

SHA1
5eb3bc2f12aad11afbd7f78bba35f512c204eef2

SHA256
7450ecb7b8d1c136854e955d492b38b5f62480b6a64620b27307289c37954c4c

SHA512
5927fac7d00de0c186891e451fc5a0195fbc74915889c8b9b1190e3dea64bfc3f86c35842c96ba25d94a06d55d587425bac504232417dcf82629daa687b69e6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
953910f5a770f6158d40ae0f8634b5a7

SHA1
41d42d02b57ea7dd31bda19bfa5d7fc9303b1d33

SHA256
a0e58710bbaf94757780066dc1309e244a5c7f85a9359fc7c2a0d8f46eea6a39

SHA512
2c1e7ebafdd27b7b9c0a1042f065cd5b4502d1c37dce5c3d2ea209d64caaef4a06b8c8e33a49b5513005be2d83cd09959fe7f9016f8f5a9600cb365a389a68a4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ccc01887ea97a4740ef51c7feb68433c

SHA1
1fc4d079373c048a7cdd970c63fe829bbe399b2c

SHA256
b6cd9328639e616797b96430befc9475d29033d37f12d220defd29e3ce43e354

SHA512
9f5b24d6c0fe412adcf919a0f3e024398d86a9e89c358221fbc9269ae431a5502f6bb0901ea5cfc78621f6acd2d4e3c591779600067a0e065d6852efd2a8624a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
4a8de1e03cf9b038d867a678a29eeebb

SHA1
1aedb65aa9fb3a8c9611733dd5da54b62904dd50

SHA256
b08030e59ad35bed5144673b09330606794f4cf521b30ddd1acfeb39b30809e4

SHA512
f603e4409b84dd87ce96cc06f19032342092993dbf483b8a8dbf3dd35701998a8417f13fff251d6aa235c882019754b154388390b7bebdac6295f13ee04053c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
bd94c372bbfad75bbd3ee1b93507ca52

SHA1
26ee3171b3b91d6db63129aca4a967eaebdfab59

SHA256
9852c686407a0180419b7a56b3c2de29a229297ff4d071f43b34a50a7e24b2ae

SHA512
f37fa7c678903c7b29651ea5e766f1211e208774bef10bf9447260ffcfef3cd58e3871ab0bb7831e255083cc4d7e92412b75a69a778a7cee5f6906f2c00f95c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b054e6110cd3997e0ddaf67e0d4b0825

SHA1
7ac933d27894daa6a030edc619f427f924781daf

SHA256
0467d4c73e63a5a216ec715bf15563d3ea1410da20a5948c8cbab9728981060a

SHA512
8e8a32d91f74218e88fe277665f9f90d41d3374abef211afe8dcd6397f0d910cafaf10c05cd89f65524d40b190a2248ea133df47655fd76bade481af61fd0cd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
729ba2a6988942fb24e0d46d3c213801

SHA1
8efcdbd724eb4f367fdb3c51fca5b1ccea207700

SHA256
06cc9d2eab5ce38044f90e1684aa52552bb8dc04a0d7f6440d5932d6ee979fb2

SHA512
bab817dcf8c59878ce3883f72c4672f708264d05c59ca76145b4c0aadd399614802dcc300e6fb04e6cbac659aa37de420a53a315589a5a9c976baef4bf852204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ae8aae00dcc94af0ef45043561f872d4

SHA1
60f56ff8e53b0d2b39e88fe331ffbe7a2d6c0d16

SHA256
45d17cf18eb5c7969f170e65b6ed3f5f617a5b98567e12304d1f7cfabaa33500

SHA512
68ff316c81d06a6876f71aa383a6ea9d3f13e15cc81b4ea2aa594baaf0e3cceea25c4278f42cdb8abff4999c8afa28a0b2d0467186f41cc9f2d47d8ee5a02548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b50837da8a01d9e339add074dc2a292a

SHA1
6d201301fa25d318bf0e219b56099ab45e102d74

SHA256
8c5f6258238d15885d8666af2667844703ada7cce41da3f3845582ce649bc7a0

SHA512
e6454fccba65cfff1337164e857db99148e11365386a73f8edcfc386977067481e97811c793e029e5c9157d42c0751b2879d82202737097d6fde9c6e4c730b09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
d04968b59dcd1f836afb6e87ba088307

SHA1
1b02c16d0932b3e2fa425ca813d2173572caeb73

SHA256
c871cf16e8f1e724f5546f77d0b80136dbb07190b47134f4efd095d26350b995

SHA512
ba6d4b6bbb882040c594c0c1f3b47ca3883a95cbb5d15c61e3786dac3eee95979d050e3206a542bb3d508499b40c81db68f546c0ddfc4899fa5c11f74bb7e696

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
5a71a5d6fc0d504737c94e2d0ef3beb2

SHA1
d2c61098377d462d4e4b33e24fe438f6048b27fe

SHA256
f49bd6b125dc892beb0465cdd8f51ce376095adf9e0bdba55f9bbe1c249f2877

SHA512
546dffe0cd6c8f6ff62402fb1dd1b81383b118a8e4671f3edba8a3af1018077c4aa3d151516ab468c0f78ed46a3b1fe7bf2c3fc8aaeca4a086ead604694181b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
9d317978226850fd69f8ad33ec8bb4d9

SHA1
08be745f679586126f5b6833928c3534f6eb0dc3

SHA256
8370a8510719febeaef6bb0fb460212a6fc55dcdaae95fd6b693ba54ddf6a69b

SHA512
072b598bafd747e0d20ef5f476b5c5357e232de987198b9d107209bd9efb2b676df5f1a985afa1129bd844a59bd05d2cd2f194ca272b53f5dbcbd4fb743bc8c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
654908aa99bc37998e5343c82ef41851

SHA1
1671ef9d54c059ad5115c93c0c27b3305d81ddfe

SHA256
d354000f12fd313195023f474e7aff1ea1bef0713083a95142bc156d896f84ae

SHA512
01a1f00be674415cd6fdca19e4360c16931c86084f09474bf83748e657c6b1c138af2daf488801280258eadf565523eaf01837e516ba9e82ca054d6f7924dd7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
36c393ec1132c20612322380ccfc6d6f

SHA1
504806a5ab8770977bdd76c32b7cf106392b46dd

SHA256
5866a9fd87a0ee2b103c651968f1aebd2b7b3fd98d283d0801d1cea6b149aefd

SHA512
39a2906e1fc814f2eeaaf3c5bf2c415af2c972af13f69a421ac142c1ffe896616527ad378bb19bdaa076635485230b66ea2d0d8c958f76a65a16165d4634a7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7565c8effd7e524be944a6f648c41c43

SHA1
19732662574845c00da7128d19378c8e8554b3d8

SHA256
4b3cd27b33767b5a9ebe77676f5c3969cd32d1ad3ebf2a929bd178a85afbb875

SHA512
255cc70ea7a09ca14d13706d471cf4ff2d02e0e669f5278bbd791e881c18074f2d7b3c50493d70508426fbc203e4a4581b30a0d9c26ecf195b2ccef57dab91d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
180747880b938a538118ef7a9034cf14

SHA1
8500cf87d1c76397ff8ed40b0a35f18079e565e5

SHA256
d1b5a0e9939f13f800af5deef587f810c92ccb61f7be60f1add93ad335cc6670

SHA512
c3779aafec5aaa15f0c5f56f1d93df1651c866099e58118c9669c36f80bfc21df961189918c820a4f3065aa7e23a12d7a90ff206e588dcd3926a3b530b6f6c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f75c2c38f234bd339beae5ddf9256862

SHA1
7f9c37da6929df505c7a1aa5be81c6aca4da0c27

SHA256
c4c1c52dc668b9f6ae0eabb99a08923e86b19df6f2fffd073c924035dcda694c

SHA512
41bff3b78a970caa2d217461268fb2ea498502485c779f58aa4ad73ead215fbb01b42835fe9b9397182aa6b09510dc846d09e5dc947a6b552f350004a03c66fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
8cec76ba5dd8d25ef29d5bd5f1839841

SHA1
343d7046ac5a808288832936de9f10d4b457f55d

SHA256
eecb06af664e49592125a95352f9a3e7f829b0bd15e8f224b4a6915823fbfd91

SHA512
895efe4c0aaeee04f439e8a19c7bd0c98f60fd038afdbf0e6c6069ace59149c69822560842da9075cad71d09f313e0f28d2fc536f7033c07d0f982e055c6a769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
eef0bc01370bd6611d8c1cbe17414977

SHA1
2013e81dddb9f85468ba59b2b87acc49a105a453

SHA256
2f325cb76cb4c05d2ba69be4ef488c9720d5e509f552eae400fd0a13649b19ae

SHA512
af56fd44bb740747bfac753f7115b797f9e327efd2177dad93cc87f36af9be843b8ed49c4b2b775e987d7557c67cfa6c2808cc79c5649c6a112335ac2b38d849

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ce0c254ca2b8f952b3a8ca521d190347

SHA1
1feeb1178bf06793f6d7fd39aa26139f6448ab5d

SHA256
856e8dfd94d65b4d4fe47a4361defe5e7e53f85a9da54470d8e1ec91db4cde82

SHA512
81390c2c4bb92a5fbab119a0ed5204624cb107c5d6d77efc215811775605ffb39e9d69141a2f52b51fb77f61a967bbc0787c2289c02c65176bf345b9232b793f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b45b0460bdb2c6c06a60dd887ed90f2f

SHA1
02c6e77c3fcfc077bc3d661e78b7c6d7dc550a75

SHA256
e98b8c6e9cc8b8773bb8ceb3bb9a6627537a44879cdf7e4f679b49d1b1b4485d

SHA512
63bed9d9c4323922241dfda5c120021f506a2794116991f9300dc6ff4963b83ccc9604ae0bc5fe3cb34b12d0d1b4a3a8ad002f94381c7c8d8386d171be5b3b75

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
e61febf107ebc1757ef6735608d270da

SHA1
35c11edf1aaa859d41ed02f194616d84cca996cd

SHA256
bdc7dcd5b8531ce204a92ea1ddea900aa7ffb7e5902cfc0a93a9094c2b4777e4

SHA512
daae2d58d0936adeb99825921aeb9fa598661e0c50f0e3e4765366df2a7cc28d8b7a6cf12db079e3db53c2e7d99afc1bfc272d63a3e4c02b41365d5cb0d3fbaf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
131055144b89ed653ce4a9b5cd4d5634

SHA1
df8a4af5acc07f4204fd1ad09f801c764fdafda7

SHA256
95c744e3fc8b4fd3d2e43776bcb309ba1f0d7df1909bb815202b8bf7efa620fb

SHA512
0a16c3462562b6770b6b26787e0a9eb665b09843276a31e9522470355226769f066b781bf7e4b64c1d8addef972fd7a3c67cbba22635648829d2742aab139d0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e48e132c9b383b74eb9106c6616cb8a4

SHA1
7ef660ea9dd824f51bc043a6f8181a66b1869442

SHA256
fbffa693dcdddd966abb5255d12f6f0413fc632392a1fffa34cfa2eb81bbc25e

SHA512
56250867bb8f1c83963fc880a2f011c781ee494cea6240dfd16a65f861eb7f004d2696b9ddf54b8433ce93d9f3d6a6f7bf8ae29b32173707998b6b6993c3410e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4d79a7f3f6273164bee766f8ef69f163

SHA1
50865287e3b0b9d5f283c7a8ef3534681837f5df

SHA256
51fb590db9ec88bc254d2c2a55b58cb42df0f4ad11570bf649e5ac4eabc5c433

SHA512
486b2368b5e4602f370f10da06d7e727f5ab36e3f3aec08043d6a47147b0db40243b9746816fd3621c8af6f023acbef81cf003c7240b3dc9378111cc466a016b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6823bd999eaac57874c940acd7d3595d

SHA1
97b04eb0601de5ac3be92b58c920c68248eebf5e

SHA256
cc220d9835abd1f412274f7669276d0b74617924a18d65283748d47aa4b0156e

SHA512
69cc32db1fa344eda9080623218ef884d34b0b94ab5a23edff1e1b4204fa54b7a348f27402dedb2f7e9e8ebce3073fc6fdf3c8a815a26b16405ebff8fce8b4c7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
23bb1782759b910e9e7af3e5a8d42d17

SHA1
5ec4a6edb85e442b617d33b1c68204878c595afd

SHA256
a11880d384fc4c49035105a4e628439e9dbad6b5bbcfeda47aafa0e5c31c4f34

SHA512
68a74909fe46702aa486fca06c2b3c0623ee3adbdf079d5017075692f433c4a1539ad5d37d9e9104f6bb504dfbfc748d77110254b2d4f796444e95b3829df244

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
bf9d798735955c042ff03057ee64fadd

SHA1
ffddc251f2fe212bda75f70950ec37c8011d144c

SHA256
84533657aa2529a6f2caed1747488721ca9923d40c90e4c2dfd4e86d7c4b2ecb

SHA512
9c112af3303dafcf18497ebf130a812483a88041a7f0140570ed85af0388286f538a76004af5ba5448e30ed248d9d667323d8a8938448c1c702345fea47012b6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
84cbe1c535e652c076baf10af5ffb0f0

SHA1
75fb2bab4e7afe1533e3d3c4ea58b79f0a92e064

SHA256
78a0a4da72a10df5dd44368bf63a698dfbe033d35dd948bc1117256f4b4ba8f6

SHA512
befd83c8f0ea48cb27664dd68240596161a37b5c17d779e823f90a19053388aa24779351ea39c99c6f3d521a1867d2be7269fb297759942f87f31419eaefce24

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
42f373c740ac81a0b03ab5c61749a058

SHA1
38c053c98d0e7615e52c48773f5bd80db9e48c99

SHA256
2660061eef8e7cf0869b9d6ca6ac5cb43cf128d95171edce3a5f072e07417c6c

SHA512
4e10c8f829b0b5e952e1fcf3648645e90abb905adeee25221d0fbea6a58d5565d550eeec1d205d04bf1afadab4d01ba793be4ab4aa890e517fd5138c179a5abf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1e4e1bfe0476ba32f3bdcf76a8689be9

SHA1
839652610b01a049861add41d48262ca8c64ebcd

SHA256
f3cc8668f7a282695f9b0688caa0ceaf42c23067b88f393f1192d4a194d36641

SHA512
fed1b3b670e58ed0d0ab0f992e94afa609ea91a2e486f203090de6ee3690750fee047026942ec5c7c5759672b8b6923a20ad4951e2671f2b67f688277a6bdb2d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
260ea773cedc4f21752e1a75a4a60bbc

SHA1
0aa4f4bdf5223e2b90883a8e221bb9ef9004b6ea

SHA256
4acef41b29ef5f85e4af9397fe19634721ba15ca1e45db5764b242d77a934a2f

SHA512
b7dec95f993f36dc45d5b1b54b47b4dc94244b476298257165a93ad40829975d63711e581e8c2574a6c8760228efaf442d638efd2a7251624ccba87103d14b14

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8f78e3b111a5d2e8fa1eeef6ac63b56d

SHA1
3e9702c0fed181eb63470a37384772d7fb8a3031

SHA256
9f7b8f3fb768c8c8a449dd4fc65e130fc955a7e1235411b9745df9f6df337bb3

SHA512
71854c6043ab2b39ed092dfd26bcc35dcfd2803b3adc504f0b61f4376a3c430ed7e53d6e591003b63ca36cb9c12afad5cc80f2be1c62a86caa1c1fa8063c5baf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
18be883b802654ebbe2c5cf8ec53ed60

SHA1
343b8ead622885d633dc7c735393a2d477ea31df

SHA256
5a9060844e2a82cb4a17e4a5e7dd95f0e5c9f0ddf36c3679d2b3f696e93938c0

SHA512
ef8d1bee15ed0553194d8c730cbefaa03afea8fed96455f602f584e766336641ab17ba2dfd78b0a5b3fd99dbd05726259495c3fc33846e6bafd8e3a0fb417fb1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b82fd530981d37ea76358853f919f62f

SHA1
5ee52e42f775a287944b0e2bbfa45ee8b0741886

SHA256
54312e5fbb77f47129f9ba8222f2bf7995b6ac518ab9777ad88318e3a4a6d3ca

SHA512
65e42b48e643fabcbefc3dd750b9082b17841659e4db245dc65b8c5e26367d87e6c4377b261374c76b0efafd6ca922c71a0344a0cfaa2fc9117337942d380251

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
f2dea9b52eb2c427c5059c7c5fff60e9

SHA1
d7d0b1741d9a19e843519c04aa1cf347308d3966

SHA256
f4a1afeb6a9bda7d379bc0598d4d1015603000653cf2dc82906ee6e603295d43

SHA512
41105137e41f60dff971cd855f1543d30872d06f78cc8b83f6c4480ce951501302a80846ec63f5d8226fdc783fbfe61440b36677938798161ae573622e520f8b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8f8a91c8114400aa164f02f8213e0c56

SHA1
02699493585209b01b027ebc35547f9ee4a64117

SHA256
c61d2a2138ef99be49a3dcd43dd8c4f802504d2e55d22c7ed95712d1d1a3aaff

SHA512
d041d5b5c4c04dc2d00c213ec12cb0221ba2fcc43dd0f18bc2782d48dc24be0f61491089b38565a6db4181b64479bb59371845275ed43307aae52d4da6863555

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fee06ce0a29582804d90b6e412711956

SHA1
4686fb5bd66187cfe873ac28d4e451d8cc056824

SHA256
e1b4c5c30f77f14614b130d931ad5e4d48a6608760eef6fb92bf38a5a44a3afa

SHA512
4eb557f726e2646a6776813a07eb1ec17215dfc4feae3cf760b4bd793c138bef469b7ba9efb92c3add24d37c7eac9636c3f1793bf61b125fdc6b4a1879fe05d1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4d1b8e0ddb27732b4f45d37b6df2fa5d

SHA1
553634fda746842a8d9e8ec01e609d0a3fa8fa56

SHA256
8a5d9320a6878858e190988dd9d682788c9b7d8073f7cfbd29d167e12b62a79d

SHA512
bc1ae746344b7f6495623084ecbacf1a1b04a91ea858cb95bb2e1b38b40b64f5b8bf5c8a403df5964eda8a4fa86395efa77b07a6ae07aca71f7466a0fde2c797

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
007b8fe09fd1d8d8b58eefa298b7057a

SHA1
d3f45f57333edb43e0a35318296002f7be23f44c

SHA256
e7e13587c74b6d550c529a78acbf8158441a87e8803da71312ad5159c4e0e61f

SHA512
f2653de2e864a2f9a84d9d0c9095124cbad939c78ad731d52c03dcef3ecad138f95b2f5a6f264b7adb97776734afd0daaa2d7c7df488c3f36a92a4eb83046369

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c459ca951b3ce63e7423a283a9ab2b34

SHA1
728187e4e378be248edc15d8aac5e57bec89652e

SHA256
c14bd7ab7347c6e3c218f19f383dd8ca18df6af48f7e5ec57f666753cd7329fe

SHA512
2a28fd1484158b25bcb54d50ff83792f7ed0d9869260c2247652531479fe2709efd8638004d4a78b41dfa43c80f4707c84672108a7474089d12d2b26077391cd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ecebd81948c61778d049b15f13a087ff

SHA1
91ed27b64a7a479ce27aa18b2867d2c3aa97ce7e

SHA256
3835e981fb74f0730813688d31063b235433541a4c386ca37277851963b8039f

SHA512
e62d686274b98f2e6aa2e290a8ffcce8e9813887aa5969fdad2b6be66872e39b953275304c4d6d34edf66d05cd241bb776f2a63a9f6cfe78fbec23b1a7842074

Download Submit
memory/440-350-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/600-264-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/1220-266-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1572-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1612-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1612-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1612-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1788-349-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1932-268-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2116-271-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2252-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2252-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2252-487-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2252-36-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2284-272-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2508-274-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3712-270-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3752-355-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3752-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3804-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3804-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3804-463-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3804-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3804-13-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4320-273-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4476-486-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4564-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4572-267-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4732-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4732-509-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4732-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4732-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4772-1-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4772-9-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4772-0-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4772-352-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4788-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4788-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4788-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4788-88-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4864-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-510-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4864-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5076-512-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download