5c5b2d52dd1be0e1ba1c0afb931977eda833e8afbdc89484c587a25788aa7cb5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 23:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Size

731KB
MD5

90b149c80611e42fe417d9e9a9164b50
SHA1

f2e9ac7dbf0cf6ed43ce9fb4d10ffbab424c9cf5
SHA256

5c5b2d52dd1be0e1ba1c0afb931977eda833e8afbdc89484c587a25788aa7cb5
SHA512

a45e4f3bd4909b34154e9186f1b75013f039acf033897a24a7421140192c5236bcd7e0f59953c6015b26528a5ee14f29f9b06a331bd98b63bc8f97c430a55479
SSDEEP

12288:r20CbwLoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:r20Dw2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2180	alg.exe
2616	DiagnosticsHub.StandardCollector.Service.exe
396	fxssvc.exe
3288	elevation_service.exe
60	elevation_service.exe
1616	maintenanceservice.exe
660	msdtc.exe
3964	OSE.EXE
3716	PerceptionSimulationService.exe
2220	perfhost.exe
3932	locator.exe
8	SensorDataService.exe
772	snmptrap.exe
868	spectrum.exe
1112	ssh-agent.exe
3296	TieringEngineService.exe
4528	AgentService.exe
2820	vds.exe
4448	vssvc.exe
1660	wbengine.exe
1620	WmiApSrv.exe
2420	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44847d1685dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009c14723ebbdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d04a822ebbdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a05e4523ebbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3274721ebbdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cb06f21ebbdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d23ea322ebbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086c56321ebbdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeAuditPrivilege	396	fxssvc.exe
Token: SeRestorePrivilege	3296	TieringEngineService.exe
Token: SeManageVolumePrivilege	3296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4528	AgentService.exe
Token: SeBackupPrivilege	4448	vssvc.exe
Token: SeRestorePrivilege	4448	vssvc.exe
Token: SeAuditPrivilege	4448	vssvc.exe
Token: SeBackupPrivilege	1660	wbengine.exe
Token: SeRestorePrivilege	1660	wbengine.exe
Token: SeSecurityPrivilege	1660	wbengine.exe
Token: 33	2420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2420	SearchIndexer.exe
Token: SeDebugPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1972	90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeDebugPrivilege	2180	alg.exe
Token: SeDebugPrivilege	2180	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 5480	2420	SearchIndexer.exe	118
PID 2420 wrote to memory of 5480	2420	SearchIndexer.exe	118
PID 2420 wrote to memory of 5528	2420	SearchIndexer.exe	119
PID 2420 wrote to memory of 5528	2420	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\90b149c80611e42fe417d9e9a9164b50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3792

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:60

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:868

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1444,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
4416b88b0b3afdd089cb234b06f3c98d

SHA1
e21fdd202519765782ff6cbd70cc5c608edbd919

SHA256
4a8e134e16f4ff320572c43874ee2574b4984e0749c926e4fe3864a82df4715f

SHA512
8ebc15f9c460039755fabfd9bba3f2f48c77e32abd3070ea9b614c3005d7e1917d0067fd578eb162f1a5942f0ec7d18b72e83b255e4068ce587d28b2882442e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ba3707f9cf24667f72205900e9fa4738

SHA1
ebfa07c8c718dd4bfd8c4fbeda96c6095be9dc90

SHA256
f899e4d1fc3216390058be9ab5d313a7e45059eee250f1165ffcbd146264d2f6

SHA512
5c85f1637f94871e122c683d3c6bbed9298198866abc8511694ebbcbddd599ee4c587d1beba2d785f56abbd8b8ef8b4f30b3f9f3e4e9e53f29ca416fbc542cab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f782df21e920f73a136235ef6effbd7e

SHA1
601bfe7546e6dac1fa1715a675df3d82b7ec31d5

SHA256
e68640c1b147124a6121030f6f1a3a0f4f8f3f470297831d24cd4d212e71f45e

SHA512
cdd8b83c833aea28076ea59b424f1f527be7efab79379f9afcf1db00aa0cb14dfc3021d70901d7f8d244dfa4885c4bef623c9422c74386e0c96da8e35d750dc3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b60a1d682e6a878eb91d76a599a5482c

SHA1
e2caa6b3c64f1a6ba20d2000a600d0f32685e7f8

SHA256
c8e3ca0a602ceace02d276f6142619bd1d369448c8a89affb82447c970720d83

SHA512
3682f837d9a3e879f25aae5a5d762b8d0d15fdfd0cd99077cd5c9c1f04dfa5247d795334c4ece788b54c13d5d37e9ad492240b76d5424cf8dfe710abc6dcf483

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
56fa9459aedf3c7515839b42c49c5ae6

SHA1
ae30af55c0205cd6234430de43268e9472e1766c

SHA256
7848e6f91f4b77dbe8935fb03ca92a3962faffef047159eb126f2c0a3c0f0833

SHA512
a79a4e60f771374ccc693ebcd915765a68fe5653cae675b3791fc4a1673b4da076501e303d0c02ec61e64267288f5e478d3b4bf41edfae002337668ec45a727c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9da8fadb6811bc9d42ed95efec85ce88

SHA1
20d886bde6bdf1fde42b2efb308bc18f1362dd31

SHA256
e71e3a7780a33cd94079243b9bec56ca83ec9c04d166cb2e0f6e0005ef8ec78f

SHA512
c50e2fd5491b07dacb2387bf8b2b22e3bd7a029aacb0bc03b780263fb6dfcbfc3b472adda14eb1e3d4bf3dc3678b01cb6019d65781303ac4b3bc597bf4e40cd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
04cb32294ba18b4c393fe5d84ac8c684

SHA1
cd5b157c2ca3fb370a3c0be6cb4503ca37831fa9

SHA256
3943210a49584353aff8bbf1343fb379af745f6548a379a7b45b7032b5a66cf0

SHA512
efdde7700c2b5754953f5e244de7b4b6bc1159de35e81530f8521b88c8cd02afa986df38532f1336202ebc8280fa94110de704bb2f8f9cb524e0eb9e6c84a753

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
60e1cd4f20020dd32e13635014a4e46e

SHA1
772f4caa33a933b5e6a87c0be09b33ea3d6ecda5

SHA256
84a67eb80c66f5aa11165ce9fb05454908b318a50c4bf1480b70dc85f4055fca

SHA512
2a18b0e200cf9ac135da741806d71305ae137be8f6fbb9c0759514e08ef243bcad1ca8a928a3e49b36fd9496a3c27f59f2d2fcba47698e4b7c0d6bf33ca2d7ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8645503bf835a77e2687f1dae8837be2

SHA1
bc03b9eb2cb7ae2e91b21959429c7689b8dd0e3f

SHA256
d48c84329e5c5566e41d89bf6621f644cad40c72e02d89b53827639eb6ef1dff

SHA512
e77706e1c75f278763e73aeaad89e6420ab4c46960cae1d11a3cacade9cd8e50f04d12ce41027bf0ae8044284403e0e5cdbb2ed5268925ab6fab39d79fd7461d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b5a0510c68b356a27516ada591ffc790

SHA1
ae69cfbcc16d093c8fdc35417b89f6acd3aec6b5

SHA256
b964261faba20485876ae6ae9fb927164febd9a2a00dc8b046c9ba96ad5ee710

SHA512
26f1430a7e011783245eecadf3a0624915dddf5cbf2162e5db451b8e3879494f713501721fe08dfa1c7b1ce51d9010c1fd96f337f0116e9260c5504c888460e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aac4984c8c5adcab383d93027379d630

SHA1
badaf320ed9783a3e84499887b1825e72a86fa57

SHA256
0add971247393e9988236be11a0ae5a0ae20613ffd38f160380a32c2bb7177d5

SHA512
2e9849152d702d7d6cb8f52a1c073871eccba69b6bfaa8e540290c6c869d4b29057f82f5eb168d38eaee7bda98c71f46386f9af2e7d9c05d46aa8bc943030a87

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
12caadb6b6da1fbe2e3fed640f01acad

SHA1
5109062c89058875f426e880e8c84374af83d597

SHA256
65787716153ba8ebfcbd25984a417bacf5b74b3b3f75b14017ef6cd5b3f98e05

SHA512
a208b2912dc2ff7f7b4ccb44b9fce02d9e2befd55f796e0e86438cbca0535f0a24ef0878d32610d810d7a3ef6f6dbe4575a8bd7ac974ab7697d889e02e9a0dde

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4a7e8dca7e365792d5b14345134bdc0b

SHA1
530bc9ea1a3d88e174e1869bee970e4f4ef2c9fb

SHA256
7365ba93e1c98b847e9cf11f9767f704c0d04293623e6587931731a937232004

SHA512
60bb7a4a161235c8842f97849ac051ac608a2605cf03e1ec1ba32ea853a110c4ab26b8d05af23cffb4afdd4b2c49047669f914a20c556fe16c2ae26a5649918e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7d2101d9bf5d3d2583005ab7d737b780

SHA1
f507de985413e7246401a1fad15db51e339bf1ac

SHA256
39570f4ddc101f79f2ebfab49c475943aac5e0cb338ad7374fd48c6fd7f91e5e

SHA512
4b40faf14e6d3dbc3948e2e1c89e3beba595d794896cf251a428f78b445ccb6de7e43dfcd53df6e8144a45785bb35c7111cc49dd038ad1ffc2fefd19254259b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3ea3d539dbe7bd1e92a38d52fb02d030

SHA1
460f760c4ef27b4744c2b6635c381080e8751d15

SHA256
4a2f55e08c923dd09556eac19a5b492513626e0b6b0cfa56fa0e4dae5f3ea1d5

SHA512
e682d3cedabc74ac95b4faa2e69ad3e9055c89dc7210bf87c6310b32b7d66ff8817e5197b0c8a46fd9cfac6ed654d9d0507cf2f873bf4c4b5aaba1cb4a0d45f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
06639f7af0094ccc62f13a683a9f4b3f

SHA1
1c8f9d1eb0531a3350a5c635b8fc6ef2b74d8019

SHA256
9c518d726160fe27103f1b7bd2bf99f7270051e8c0341b0cc197a0665e43372e

SHA512
0b25a52796f01c97f9f9718f6e88eb1bc8d53bae5b91dc37919ec02a27c76cff8ec11be3843520bb93b87d47cdd6fe43e458f2c79c8dd1ee97ed7200453731a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ce1d92f7d7a60bff8b123ae28496b5a1

SHA1
d3925253de0c2575aa7870d2de9b59c10505fa03

SHA256
fcab45901f543d0ccbb12c97ccaa1d63a563f02f2da9c07c204b49ee16c2c380

SHA512
fd5a16cf3dc9e0ade712ff2a7207802f1873f106fa92652590cc8852c144a9ddd81aa313bc31a270b2b6fd28dbf8084619d08829af32d57fd7cf2d1d17eaf0f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1fac3bce7902e3dc09621cfde807a24e

SHA1
4a7b7df05e1ac45f99ff78ebd71ebf64dce3775d

SHA256
9f6abf4970e7f6b5d91e1171b40fa4765d7bb0bfcd289e6a4c3655b1705d63b1

SHA512
f7a506da168a7406dfd8f692f6f4e893ee0d8cea1cc047640f2c90ce6d23719d6726dab273f7c716f75d086309ae5bf6a26dd1ce8e58aaa6c26ab861827102d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bf47138141e1cf6117596c55bc3527f8

SHA1
cb8581b3df0143e2fb4c4605c6800aab20b92329

SHA256
05c9fc518fee3ece406b5be2fd652e34d7ae23f3b898f9cda980782424fc5b52

SHA512
d55c47185aa3a4005c2d78dc788604e24931724f7e25062aad6f1fc4473933b07471d6580eebe94be126b2e7601c1cc88d5a739d2727ffeeb0323046c556d482

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
92681f49453b3202572c40b7577db3c8

SHA1
11ba97b636e5583a286126e057ee3eb7cca15cb3

SHA256
1650a2886d0f05eecee3166867b142212e70211d0023a8764778fa81aefb90a3

SHA512
da444e4a737a664d846d8280e6944c07143c613565a5db60b546acd1639c34315a81077d04d0f0f2ba4e179bbf12c27502bbff567b29a60659297af1d0185039

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
30cbe23cf5a450ea7e4e5ac90514e26f

SHA1
1c4b5d8432483b70f1e5e3c8fc1dbac7b598f4f0

SHA256
c3a649af2640241e17236356aef28cc6b96ed271826ebaf3a8346985b02252cb

SHA512
cfe566d37fae1b6ecca4c251540a4892f399a86e18e385c811305976db334fce9406b5a0e554055328232fd167730e889e15aadda1e412659f4df9813ff1d7db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
95002ee300332dcab85fc18aa3634171

SHA1
01ac63b1a1d66e8cc91b6e62136b7ce1393715e0

SHA256
a3761d41d76d2b47ee4f0643e19b0bb37067d8e28ea601c7fa06322eac8a9e7d

SHA512
91a3cd74727e37e676fe3a0d7382c049e4fc46b598e707df7f40a0906c2e9d2f4bf89c24265ea65f84429820ee5d4e8b00c488e1a2b673a842bd81226f90d1ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0590b626892a70a8b08e3e60a113a428

SHA1
eb23022d68a6009bd133eaf442085f5aa2f40e8f

SHA256
264a9f91bef2978e2e0207ced74e0c5d584cf3dc47cbc02efd30daea29ed5753

SHA512
95a800932a2792a300eea96cdce1d76d0e2a4f48d77457c3e235b102bafa96e2f1666e575d4b1edb0567a7a24a2301b2157f3e2ecf664ad49b36f1dd793f6138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eac613bb5cb2d700e700a20501e87cfa

SHA1
d43eef571b5b4409f3950b885ed43f6577598f09

SHA256
42bc8e77f169db83bc72feaf2d16012b14841e140f0781cb613f20e08ed53e46

SHA512
3e66fae15a3ad3ee5b584f044ba3a75932ad62cf2f84dadd1e77b1cf38af7456fca2bc93ad391a9d3fd46628a1fb08547c211df9a18be8a1bc001274a63ec2d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1b7156a65ed5852e36fab9ed65932d4c

SHA1
e10d0a29ec2e93ffdfc9470b0589462e10c922fc

SHA256
9d9fe02269d04f986da52105ffa692a2e03a11d798068494627fb5602b233356

SHA512
aaac169497389a5a07078db381ba23e8cb2f246192ef3e3cb2a3028b0ebc217f6d70d2cb58858dd6e843993cc444f492c646d2196e625cc0dca815cbaa25b26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c65662590644b29f3af754d6334d99f5

SHA1
1ca98389a2744d960530c5785f469aca8855dc8e

SHA256
22bcde5cbcfc5e01b2a7588245a2a1ce147924a5ef5f42ba3a0c9b42d18fd4c4

SHA512
9353986fc590e6c777714de18c63719472a491fc0fd4ab683d5d13ae7125c08fa8deecabd7c15d1e8853034d06b325a53a4bd286a87137e1b77e015576c32345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9e3a905534264929b16a6998b364db99

SHA1
46a37d0b6aa8b3b1944f828e8c8a2f6682651064

SHA256
465a3ab5ccae027bf786df303440a84723a2f4b0ef82458fc1b3a4112ad8c307

SHA512
d3176bfa8730555dc976bdd484da63976fd9cab4b336503c13e1f9635fb209f918c23fe43b4ffdc93fbdcc3f0432e36b8dfe53216e55c8d03ea471f6954af00a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
fa187bd359cd6a143c45c77b3883bd3b

SHA1
08859998f3990258ee2693004079e12befaed5c8

SHA256
5cd6a90308584536540f85599199adaa22e769f7a8042adf886ca9e188f1501a

SHA512
917e8330bbd875c65f72403aaaa07b8f1e61894e3ae6bab89c25702eba6e20ac70d68a335a4c3dc2e7f2aee2ed89843fc86a865f0db96965c6f78b99df2ecfd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0915ccecfbdd4ff7587002a00d10d528

SHA1
4b1e0cd60ed5d5b3d7f1e214b473f907797811e4

SHA256
c9bc2ee5b13317a464044ca8179be923053e343bdad9b25066282ee803ac16b9

SHA512
45200d8f00864cad5cd558c756d01126be697855ca0fbe5045d322a34abb7dd92c301a1dbdf34ce765fe0d0e9d89742a9d70f874ff0de25df62e9e7abe009c1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
94bb2c7837d0c31a3ea0fce56c6ce270

SHA1
d7b5b070910235085d5416a2542d2681abf3bda8

SHA256
b56e92434470acb33ecde7788cce2df925bf39b089eb70122123e7e9414954bc

SHA512
6068e55c5465cadd1e709d89efe9684ab488a549625b70c6722af39f628f903d92a9e9aea42386185518f2856af16a67ba4eec3a126e2a894c88ebd17e49b3d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3d01bec74ca3161649e94eb08738a995

SHA1
71c5c5f4cb6d86d26623d33b6ef786e3370a8bd8

SHA256
d30c3a04e1a38fe1b375fb822557372dc15567904c9d919685537641ff3f9f18

SHA512
9b71084e245c46fe9631b1ead14db458aac69b5444056ee425428dc6a8079e0c033be3e9e0cbd00a99bfa40607d1a74c90ad6a8c7a491a4227373434428d8512

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1bc60b836b6292b2dfa04439394aae74

SHA1
08f9dd38a02b7ac6484b0785b0d6a100a10dc9b0

SHA256
4eb6d2240764bd77cfb6208b996dfefe55ddb39f1d4eedc110599670bdbdbe6b

SHA512
4e9b17a4309911262c4297aa5c8127974fcd9724bbd885a58354b2ca74a49e2ea969cc4f5df6cb2f458a8e047c6f839115fbc623ea31b97fe393c56d88863855

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2046958ea769c5ca60df9b5ccf04269f

SHA1
2e1b2b4cec87764e28bd5cced332b2da5d37d1c4

SHA256
7358d80ec7103a541be54fc52765c453cbc43b4b7daf6f00edd94f0d02f05cd0

SHA512
b6355ceccd68f2fb2a882446c28002ce3fb43c71ca78f0c0077baf5aa836ca5afa4307ae30a3fcee4a8e4440224ba60609e5b7b247ca623446e8f30a7c01ae2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
837d94dbb2626ac3b530419061f46265

SHA1
9e49c380628d1374c6f3fafc3e4e7eb25d2b52de

SHA256
419cc1d8a91bd084e8a8dded9bc813ae1ca6a25dfb7d237fe8f9db5ed9aafc78

SHA512
696e1f431e5f6704dfda88aa39a84ab7b2993e7143adc5d0a3d8ad45f8ae2efc688a2171a2f1f2c2bd67f4c6aa79cac61669b4e009a2e468e343ec22ef415af2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e678a970a00b88d1866cdaf16daaf4f2

SHA1
ae66931911ecf3b84d449e18a76f5cd86e83f672

SHA256
e4ffec0f59b86d476392f8814265e80918d23f7482be0adeb6336a476bc23d05

SHA512
20949ea159f88698db8de65ab039b9e41a77289c2e0592f0724c7d1f72cfb013d2c223b325931160fa7ebc6544a778ba414c6d754d63621863924ec9eb30ae56

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2861b7668f5b7d18ef2df53479fd7bc0

SHA1
3f1a71035dec22b19d17761f59c26fd5f0e26110

SHA256
bc58503e3bb67d53699a63e6be1d2ad39bc1813fa19f42ccbf482708c181286b

SHA512
3168d1407afd3748a39f7da1f50c917151f9574366ff49782404740273516092415bb2302bc8e1055c33508b5667f9cec38bc2c69afe79f03384a0a2a61a2984

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
660b29b5e199b63897a95560cc10add8

SHA1
0bd949a69b18f3d2acc28a8a03a8763aec62d244

SHA256
c8d288b5b1ea5ba6f630a8ca108cbcc1df4e6a030a2438928f53dafd6ad68ac4

SHA512
7014e317387075b5e66496d0babe402f8ad70005846e898e025a4c6b9edc962cd8f6f14a53901548623631d8d0c514402c1ed2b70ec9c79cd7bc92fd0e7e653b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d02eeb92ed50d676aa739c275ec8de8c

SHA1
001ad6c8a49b71ec46d03113473ce53e26d65cb1

SHA256
f9bb97e1ea12b8b5a4ce36886c42b9b1ac762f3427916c82eae9e2382eff10f0

SHA512
57c579aec6c682e772fb8da16a0d5124e58cf0957fac35f9517e8c16fc86bb86b3caf15a511b0fd47802aff0f6156d5f5941ab310091e23a68b629da11d5e319

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
03d294e9bd859c97136350f8d76fd394

SHA1
e2db9d0aee07e71f2a0e22b6da6774ae3b7732d5

SHA256
10e64abac4b9335e77aaec79853d045ce1fd40e8dea0778e9ad186679a4c70d6

SHA512
4e760a37813ed885281df157bcea83ac8e090cbf50450e51e0b9c6f40ab7531c8af04fac98b210193227399844ccbb4fcb1b5c61cfb3866a7462cef1d37ae4a8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1199f78b79795f42b6c3e3c8f1b6d7ec

SHA1
144455b8af2b9fa334e2f14e84e389968138287d

SHA256
574fe23befe04475f3fa44d4a56e7c4677bf6be8de7ec8bf963907d6903a2680

SHA512
e9d49d77a955b1b2ef7f1b2b6fff008a59df60b933f92135eda29fa58bdc2537f5086f26a5b0c6f40e842559771f71cafbd92795005a4d6365c5654f96443679

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5ca0b4cde2cdcaa6778b0a3a42326269

SHA1
07069e90235753dd810b85abf4cc84020c869772

SHA256
e7ba3f856a35458e050f9625c8ab4e345a8a570e76316793f376ccd9a284b05d

SHA512
1aa07bd1b7e6e4b79d8a89bc4dac1436f97b05629c5d54c55691c0014e6441b104faf7acc036e902967f935ec2c78bf9265dbd1d904bca9ae3f58d51ba04f035

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5dd0b3df6f8e8e3ef0f20f26fbe2fecc

SHA1
0d8eeef0d0b7b41b9c1f601ed0671adc0f4f535b

SHA256
04fa69f401100ec60966486b6bab186ab9b73bf0adf93a665e295aee62b2dfba

SHA512
fe808f5bacf883cbff7fcf6ea5cd11d696a384a45ac55a9f3e6cbc8734055e28f42e5cd512c0d510ccefda1cab51c30c3ca96aa1150daedf2fb76baf356c4586

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cb87a4f9ba6bd933cd3830a904354a02

SHA1
4cf4eb808bee61901bf2cef1bb2c2b563971e105

SHA256
5c4687a08f1f845d19b2cf5c3a278c913e75952a6dd76e5d64040d7d7643127b

SHA512
932e1bd0fc64ee24150b33d8ff2ae476510d07c71bc93d80c516b401317ae65b1ae20b408b372cc86ac5fe74edfc3c8b6df65e91a776d7389eb448789570931b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b92f8477d789e08d30ea021ee08ffa8a

SHA1
0a32de0de89a6608916fb7783c7f5942722744b6

SHA256
95852ee3ee9a57c8f2f1f598f2c563fa9b0584f224b13c59a5af248f2550c431

SHA512
b43ba1ac57fefd7cf80476354a10c02229bd270565d78ab9355e24258affc2c06892c86dd68d5f52c4ee4d0da38968a12581ce777d6895156740bc54549226dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
44671d4ef644a95c7fdd46f57bade533

SHA1
5c2412f9af80211db13352037ba77740c8838896

SHA256
62cecf38983771430bac3bc89d1532c8205fc2cead8526a836be7d039b1ad32f

SHA512
f6ca9f36008851224188dbabf11b8ff1a9cdcd70cd273325a8084f569296f03ff278cfd3824cd8e7658e3c77e919c70f9263de3e50da3c91b0b1cf6cd0ffc41e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
46d76904291be176dc98ab34d66250c7

SHA1
94ae81ef512fc905c513887bd8268000a6e256e3

SHA256
cd0848d0892c63ca13b71adb3aba1932a224f2e30428ee1a9268ef0d285afb1e

SHA512
1493722896ebf77f43313c7c750287aa4abb269cfa4eb8d9b2ac28613bd378efca7d05a1526054400719dc51dff65ce8be77ab6f02df8716b0c3e50805e647b7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf98562bc91e7ea8f043fd58fe190e79

SHA1
8ba5afd7ed0ab362f302918c4ee0d2af3455538a

SHA256
4b8029abb8fb835a39ba5b132dc1311fce58a569788fa2163e39f9937a169f65

SHA512
dd370829a1788cf5f8684e6d4dd7288c07d55e5bf03413e52329842e18adb61d8c93d44698d5c7d7e902a8c15f8f3adc9ee692f554ccb62ca89f899070bdff84

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
85c87d20e2c6d48643e81c3d2be9a316

SHA1
05f93447eeefceb5636a135f6c077bef1ecd8031

SHA256
03b21dd74b5546ddf50b13466dbe33e7d2b525c7ad4d604646d93464bbe174d5

SHA512
d334129d187f2753597a0af23f0f5ff5126d001c6840b386a81ba3cfee485efe38c129972517c361e7e361365e18f809dfbc345434124ca83226f8c574db9cbd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
054351e52c19478f45d64de49d02304d

SHA1
02008481cf983256290f129edbebcd1edb450f2d

SHA256
8e87519231f179e4fa4ea0cc9b1a6f2a948d091839c41fe4d80ed4c2da5633d6

SHA512
b0a619be19b8846eff62b8f9e22b4b7c884dc6ebe0ab8eb394ac01e03d70792304310017b30551fe4f2b6ba8c825e7d09bfa6994b86618d550d5932458f8f99b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1c55cb14b8107ebcb98348baf6bf7847

SHA1
2eb0b0860290f92c41ca951b089ef6e00390182f

SHA256
734d02d81e2fe73ae1eabd94c027f5074c7eb96e86c1d75fd8b13f9253e2fa6f

SHA512
2325e0a356bdec8a5d7b51c72a018c0e05088866c35012931759e487ba9ede7fdb86034d18afbc67f0b3967f493fdb8e246985e982a216250510596c651255ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e03047f72d7d00b5ca0945572ee81be1

SHA1
17147d99a8768bdc4df3e2544c53d65db3ee0a03

SHA256
4322940d039e6bf7d2b1243f6f940148ba25448d8f23c82eca6d0207b735cece

SHA512
9ef4ffcbe2ac3c1e10e6708d8ae00d3795c3d5d01923a805f23ce1e02245eb6ba7e6b461f9f4d18c60d95173fa2a8911c65b0ecdf07622417ad090a16ddb8700

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0a0f48ab5420293fda35249f1427890a

SHA1
04d310da92d66fe620628822bcfb7d22c4bc578c

SHA256
d9b6afa71890bd9bdfdfcd147998ecb742f706e6828700561dc71efde844a00b

SHA512
1f01133332350e0dbacd06849ba7b4450caef1158c80ff9edef588229c4977adaebebc13956c16a11abb86b7a2cd7d171370de591445e5ca17adf05821d3c794

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3372abd7ab2b28387758f71782397d51

SHA1
e5eda9631b5c7c2b36acc04c9873c9bb716f276d

SHA256
55d1364161e34dcbdcb10d5a1ff704907e47c44d7391292aad4652e00abea18e

SHA512
e5fb319db419908ef81545067b020593ff5e861d91a2476b50eac1de43e8bcd2f782ef7b4414cacb3b39e09ab19aae8f155e040fc82945528184ff38b36b066b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4814f5c41de05e04164d7defd90b61e2

SHA1
70860eb181ba1831536ce8fa4fc7015487714e4a

SHA256
696c644bf6eb96c16362d7e55134ff112be25d9fcde69cada65b21de48f31a3e

SHA512
881023f8c960be32f7040dfa2ccb4add2c352789021090c02aa0260eb2a12a9009278e34a5a00e97fc44f9f7604077f637cd0eb450a83eee8a067dc50d903703

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
431b6a5adae01834fc10ac02b476ac2d

SHA1
07129592e7aa3cf38978af673a36a2f54cc3a9a6

SHA256
85c013dd69f2b29ec26ff7c5d61b6d66a4f616cc858c769b8f03389f81dae9ba

SHA512
f14258d88d54e04a36bf6283703421cf08a2d841296b65f0b5bfd0e8a6e5ddd7e84e898551684bf9993f1b77699c1fea2e2b807db10f3f4e09ad9053ae8b3d64

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
30c095c2086bcd12a85208e26cad956b

SHA1
328be3e9fe9ad3b81ebbb43baa49dc7c4c616167

SHA256
e95d4f25853dcfa41e2895f69812c161f8686d8b19a22b2116f7d342b653a096

SHA512
7f5aa798adc28c94096e77f64181c88db888ff79fbebb8a1ecebbaed09a3b2689f32b42a938f237345fc00135ec4c6607c0b2ae3cf85b67e80e915b407f5398d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
37e6df77dc7b23d91c48aa6e8e6ea57b

SHA1
1f87cafd9fcec0d1349823cae510ea9e7fe8f572

SHA256
a009710fc1dbe92023c4e429f067b7f75352c485804289b15e23a6e3b2b29126

SHA512
8a88ea0f2114d634cb9448c747ab070843389d4ab0699d83bdcdbb6bb0b1fe52350294b504182979b2df830d494a8393585d98f92bc065215841c0d03d5ea5b2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
219f7ff4435ae7fa0b1034be72d09bd5

SHA1
ebca2410205c742de7ddc0d4c94ff380f01ef45d

SHA256
65918b3b1aff720dd01bc457153be5ae112ca4e6056c3962e562a61f1e955aec

SHA512
7be1ad342f720482033296edb67e12e98c6c52addf66560a7efeb9da4ff25477c52a9d10c5f7dc9832d0f78911e233a4fe63f5180d02b0d4954c9fad29ec2f4f

Download Submit
memory/8-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/60-208-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/60-63-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/60-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/60-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/396-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/396-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/396-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/396-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/396-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/660-234-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/660-86-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/660-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/660-93-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/772-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/772-454-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/868-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/868-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1112-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1112-591-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1616-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1616-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1616-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1616-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1620-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1620-601-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1660-600-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1972-92-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1972-0-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1972-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1972-7-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/2180-137-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2180-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2180-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2180-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2180-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2220-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2220-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2420-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2420-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2616-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2616-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2616-149-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2616-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2820-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2820-596-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3288-55-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3288-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3288-49-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3288-202-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3296-595-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3296-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3716-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3932-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3932-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3964-122-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4448-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4448-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download