90fabc5cdc03e2998b06ae7cea6add4086e1e74a1d938e944bf06debb27d0dbb

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Size

1.9MB
MD5

e53b257e887c160980d7ffbd7e0759a0
SHA1

163e52a269125ef5fdceeafc50671ef6d2346b5c
SHA256

90fabc5cdc03e2998b06ae7cea6add4086e1e74a1d938e944bf06debb27d0dbb
SHA512

b3ecbcf7180c6ccb4f3b29b22a8401c39b7f82d973e7a5122b4ecc2957be789f74da76df304d820b5993fe1ed71554478222aa89296488c6a2b5cff2d204eb44
SSDEEP

49152:A4Pxw9+ApwXk1QE1RzsEQPaxHNKDv66mG:AD93wXmoKiDv6V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3808	alg.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4652	fxssvc.exe
1664	elevation_service.exe
944	elevation_service.exe
4332	maintenanceservice.exe
2016	msdtc.exe
4992	OSE.EXE
1748	PerceptionSimulationService.exe
2788	perfhost.exe
1516	locator.exe
2972	SensorDataService.exe
3500	snmptrap.exe
3328	spectrum.exe
3908	ssh-agent.exe
3992	TieringEngineService.exe
1496	AgentService.exe
524	vds.exe
3396	vssvc.exe
1532	wbengine.exe
4608	WmiApSrv.exe
4348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dcb7a044b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006c58cccd8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2127cccd8a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000634531cdd8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f70cbdced8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6cd59cdd8a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adbdaeced8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca5dc8ccd8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be21ecccd8a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
4988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4652	fxssvc.exe
Token: SeRestorePrivilege	3992	TieringEngineService.exe
Token: SeManageVolumePrivilege	3992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1496	AgentService.exe
Token: SeBackupPrivilege	3396	vssvc.exe
Token: SeRestorePrivilege	3396	vssvc.exe
Token: SeAuditPrivilege	3396	vssvc.exe
Token: SeBackupPrivilege	1532	wbengine.exe
Token: SeRestorePrivilege	1532	wbengine.exe
Token: SeSecurityPrivilege	1532	wbengine.exe
Token: 33	4348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeDebugPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4444	e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4988	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4836	4348	SearchIndexer.exe	111
PID 4348 wrote to memory of 4836	4348	SearchIndexer.exe	111
PID 4348 wrote to memory of 3748	4348	SearchIndexer.exe	112
PID 4348 wrote to memory of 3748	4348	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e53b257e887c160980d7ffbd7e0759a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3808

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4200

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3328

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4836
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
18888a858256d393b70dd34a36fdbe9a

SHA1
f1b45ac503da02cdce6f899daeaf1b6459d8b1d5

SHA256
f9b20fcccc18623fd6b642b8a60cd4ae30afb8bec9fcc71866d47ae532256faa

SHA512
e5f5b278b85c8419085a46738ae4813a00800a23e7ad43493f2eb7f897dc2bf6f63659afe831322d3f647d9876f4256a960ed7bfaf32ad6220f4fe48e3886d14

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
9a6dfd576d9185e28ff775e5e9e4a3c4

SHA1
bb29cc7ca520078d183a39167408453661b5c5b3

SHA256
7770d97e1a73b8adb884b2540fd09d5518b12fc96b4158a7d05b530ed6e6ce0d

SHA512
91639579314e40edd6130eb4937d1e73e7cc4ba750394829a17b396be398abae627ac29dc61a8d9e557269b3d275506927d464b192fc62754fee8a0811dfdbd3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a5f1beae7383af978f03410902c2421a

SHA1
e70452e34004fbd171fc1e1eeeec8982e6e38468

SHA256
88208d69213d2b56334d10dd3fbf6d015441c673bcad7622cd3e51ce77bc2faa

SHA512
698b8d9695ef946f0d36863301e32e52e95b0fa87630c1f1bb26e5d8350ed9d45202b9625e062e8f2c1dd1c79623a2148b2ff55c0bd836107a2069de45eff8d4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bfb6d0111f87d195bd45fe466d2fdc65

SHA1
81b6718191cc72a38661ea6526ed7b0f61b2e582

SHA256
a425b2efe2f1fd07bd4057eb48c57af62c3c05b140fc1747e2c84df792ff6ae0

SHA512
a3ed539d9ab7030e8bc57f938209f33780335d6b41cce4c6d0845ce046b2293a218ce6d3ad2e137e6a20b7971e929a1158bb6362b8c7fbffed051c9cfa63ee5b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4f8799a0ecf616fd506f159ad356bd6d

SHA1
69638394a0f5bb5a73d85e584cece176a972d9f9

SHA256
b6f1b9d7177c041f2571a3915e4e3dd122bf3fc4a95c6d94a3aac1da75822fcb

SHA512
6e2356967713938344b4d84b618bfeb449eaede9153d3f332a32512d3029e25d664c2c228d2dd771def2c4f0c60d0c8ca69a0b65bfa950a06041fdd7e71208f7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
418fa93b3d1db98f2489bb53752936e5

SHA1
6a6d610c14caf57b0c6d843ed695453138b498e8

SHA256
977d1b0d77eb692c2bce0a57394c05507a84681bacde80baea1a964fd6de08d5

SHA512
879376a19b4c10fd0143837e46ca30f443e8009591e2dd2e04c2e7310c827ed17bd8a5dac52fc0734e55ca06b8274b08a547f7111ebd07dd855cd2120981f24c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
1dfdf02c68c367d1a495a42ec71e23af

SHA1
c93377406fc5947998ed933e625bd76d4e6708e8

SHA256
52fb92fd11d3835af93667056680867d06802c0efe668ae2a8a73f3d309a9137

SHA512
6b82419e944ce2d6791d72579e1519303fce8f67c7bdfa70602e65b01abeb6e9f70c9ab491858a6a22f59f3fb1e82aa1a2aaa8e472ddbc40f653261efdc5fdde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
562b7d31ba019c2994d90580e10afa71

SHA1
dd619c4348547561f11a78ebf66298fd05146877

SHA256
d47facaab17f574a20141c24c1de941173b1281c0978bb70cbd0045e692a071d

SHA512
92ee85d19344c24e06a79560bfafadf0be8dc2b72582f00bbb8456c0878a2c999079220f5aa9205723f51037070168f1d4c74e248eeece8e631c21afff3f28f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c72f3386de49dd1fea73ae398cfbafd6

SHA1
0bd86ec0345c3bf83873d5fef8932f2fc74d910c

SHA256
e3198d281a32cb42ce7088b9e88f9d64df2c2e940b5332d2ddd98f1361e99f83

SHA512
2ae7c2bb2fb5a342aabd32a7146d63b5d8037bbefad37c297fd733d04d8dbbcb7980a5d557ea577f61f2f6c79702dce5e3ce6ae5f248cf91af2201dd96b26d3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8302d0bfb2ccca21ee3fd7a87e0f645b

SHA1
becf31017a049223b9ae3835e31f5f28f620c6f1

SHA256
a4ea5880557d88cd6b5bf6e9cc2b987e67050b2d08fd9d1a732975c44ea002d5

SHA512
c05a306859c2e2d8af6d3a3d37697da6bdcaec87ced07f045e3b002a58c286df1e3e6559a6c8a3ad23db8c3f21d66860471dbd8cee7b9b7e6aeb5ff052c0a3a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ec17dcc98bc55e0ba76eb3de06844208

SHA1
7795317f9cc4f73cee930eaf90b01d05ef58be90

SHA256
ec3cdc214e41193254c5d4309a2603a2c98fbfc6d45fdef1596593c1a9a27619

SHA512
bb16edfdc79595201918f97d2e389fe42b61ad75c74f826af6ed8b1141b56d51564c37857250aac761fedd788da765bed87a3dfc4649dd69abd370e197d4d857

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b814407f19d571ee66ee341f49545dfb

SHA1
d6a0af8559166a41727fe7ad5f9bab4dc8479471

SHA256
b9c58bd62d88d0052056ea0a79cc5c271ebe4b6540ca4bf5eff0e459f2ab5075

SHA512
1ef1efb467b46a870a0c4a5ba8ce8aebde399b8f451cd034bdc77bb594bae4782a57d9fdf47a888fc3e7fa1592cf6c62e905ef7c58f081f5160414df7fb86633

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
4948d2b88073082e1c674502f4ce1fb0

SHA1
c50c71ff2734a3c47f5ac8d157ee9fb09185b78a

SHA256
d95cd0172f938dbc143e423ff772a3e8e6e597a130b60a5f8e044819d4491cdc

SHA512
c4fff68fe2fb684fd4bdedfe63f9531a98445aef4ad9a90ab3683f318b6e3980af576bded666083a2192341c40b38899c819ea10b77de8a0175cc2fee05d222f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
56bffaaa0acbe4593332c41a4fca2623

SHA1
004e11ddb3be0c0d9a12cb9fbe5ecfbfb2e45d16

SHA256
c7fc8f584f334e3cf12150590ce9103b94d9ca74397997697ba148c0aea3bba7

SHA512
31155fba75131012e77ef4fbe3ec9b159353a1c1b362ead3a26522ac75b749299e98203cf0507b343b0dbda52f822f59c07822bed8e7560e65e8e40414f98561

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d6bd3d9f6b4a7f8826d175fb2a1c580a

SHA1
c4048235ce036ac0938afac97796fcbbd2081fb8

SHA256
5aa72499d450592933435318ec6dd9b78b738481f17bf14cf5c6d4ef6da644f4

SHA512
748c56874e384e002171079fcae3a72d0b311e1bf32f79a77f620652ff929cb8dea78bf19f2b2c3d449084734cde170d6548b66909c49d732f08cd8fed8c784b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ace457b95f6366b7e2e1be565ebc2f2e

SHA1
835cccf02da500bedbc70fa3f3d7c065b5c0b80a

SHA256
89b4b2d65d12ac99da3233eab23a681c6f87c368fd25cf73ae94fe7bc2517e1f

SHA512
d349b11043e5009ffc4a0fec26f1297218ba09aa405497f7e1b942e1a09f923ff31704e02af61dd1b11e3e4818622985b591c0339c137a84480cd27e2cb9ff27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a146c5e0053998b77893d2c1daf62dea

SHA1
7d15f3782b7d8efd6ff2f6d814250ba32a77cb6a

SHA256
ba6583d45915590a8b598f431d7fda6d4f3f1200eb154762787c5a3098c9d238

SHA512
c5a59a6a2d929e128edc1ffe9703bbc5f644163c53316ccfea9acaa58710035f2e35b8a8b5d864f3c34808090470d54d975c32a03156a221155b788daf4a9575

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
978741638f7941df1e30c21bebb00fb2

SHA1
b1741150266bcb76f4bb90bb108de479d5c8bf2e

SHA256
cc78fdd40b563411b3f9798e196a27640cd172d6f8874d08ef948eadfc84ebbb

SHA512
80794d559a416296297f6d91267e52f8a4559f011bcdc87b8f2e358c6b2b56d4af2043a5019bc75a1975130bd4de402d1ec27922dccddc1c9b82f8c1b535dcc7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8c4acc465520d916c8bd9a76ebe5eba3

SHA1
2ffa83638df50d88a8b27725c756807e8e5036c1

SHA256
b10d3baf665d55f8f8d75008c7dcbb44804bfff6abcb213e7f266b03f309307d

SHA512
4767e086bc0af00f5ec5a83d92c298b882e1573cc64869fa8cac2243df4828daea65df94453d4e98217b6f2e42d76f957af88b614436408436f59e1f38199a58

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8873effc0535234368ca4dfe082b362c

SHA1
938b8f1a8337e00806bfc6a3d03d4360b22e1449

SHA256
3deb7cec1ae661dd8432e7a129d3771b8bd113aaadff31690990ac4c95ca460f

SHA512
ddeeba688906a7b17fb8dc0a818f70b6d68aff44798e207ae3957c4b6c57426f08783f2258faa494a4e63cb1c629e9ebfc0c8416a3d4ed51a7698b12902a98bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
0b0338f1604473b78b92982d699e9956

SHA1
c740e93f2694069768371af4204a64c3b6675092

SHA256
6c1becf9da180524c6162f2b2498a24738f151294f84729154c54b1cb68aa9cf

SHA512
407e5a92bf5674f1220943f52e360821a94cc654d6f480c3e1fb4f19b8560c899e6e6b354a2218fe37b500ba9dd3549c2f48bcdaf652edd126d60d0454b5ffde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
4a6093d00633b2719b439b5f0fc81b94

SHA1
c4cc3d256bee53c0c10513f4ddb13acddbe172aa

SHA256
15da455fa455f98c146a674085eccac80aacf9403357d5a07fb3c03ddb06e532

SHA512
c031743a96e1f1ad475b6baab3b6adcd0f5121cdb48db90e70c97157da8860a0ee1020eff8b58fa4b51c538bbd5730981fbc7bc115014f7f7e3132163babfec2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
8199a986410a6085d7a3a851373b594a

SHA1
199aab15ffa243edd095aca3dee8859f1b5e101f

SHA256
3667650874581776a23c3b465be251846cd47cd19065148a48697a025006f0bc

SHA512
541fcf3b510238f6dd7663a3900f876480b6f996571fc34ca70a1b1c1dae504e3fc5b9aa64adbe6af0e6484c2025a4256e01f88b20948181484ef0613a2edd61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
84281eaad0ff06b149549d64f17409cd

SHA1
f6d93cc6807a39d6b3761832e968f6c13cbce8e8

SHA256
9957cfbbf32b60d4ebec7cd1ab04e9d5e79799f9e7e654686b124947fcaa14be

SHA512
002b333235fa9ed787a8b7e287d377902fa581545c30da5457f4e2257b74d441bba1b0bb3493e6fbc6ddba2168a6645563a3ccd4fb5aac06f7d9a7a85b44430a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
16cedc965da5dfdb86f3fd0cf174c534

SHA1
38522766e492165ff1e295d64df01901de7c9f08

SHA256
6be912d5fc40c1514a8b5daf9e653827dc54e05e58edcafbf05b29093ad46e8d

SHA512
e9c19791bbea6e6c8f7c984316927c81d0052fdbad47476a5c1d4721855536b724169020caa292ebeb1a72a3926cabdfc01218ed60e01408530a9dbe766e4b8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
1576382b4a5e4819a22d9078fbfb1901

SHA1
61368810fdca1ff5be744a7145ef5bc0d86fdb72

SHA256
e8f08fcbce78989964689c9b05bb66fdbf16d94349c391cf002607eec351782e

SHA512
ca6670f6df4413c5f1f6dcfbc285e91d59c222706de33c16253c173f7ac30b14410e409d77b8df532d205bc32eb1c66b79b6defea06dcc2078de7160c7af44cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
bd03f37f02b0b4c27c71b011ac5a1068

SHA1
c56ae8f41039aa6eaa47125feb3196d470a5fbcf

SHA256
f0083e8fbba2375db52c7c20eaa3da7ad657eef7753fbb43884528cc77abe981

SHA512
9825845a6822553f424d11ec0759c6907ffcf6611cadb13ea6fc3b7377c5d99b21d6bc705e3b51df92be5235ae155c6b4e7b16d33c677fe32f60aaeedbd4f3be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
bf668b571d830e24829d7f7badb0c104

SHA1
e6a58b0f4c70d23c2e99a4ef8ecb62c7344078e5

SHA256
2295baf6292bd47c5c3514017c1abd07db329727711deeff694c4b25e3afadcd

SHA512
e03191a740c84b2d4f1e3e9774b44b289cf4e165261f6173eab68a095747f0fd73d2abe6e1f390e2c04a8a6aff8e2c36e344b6db046f1b0903e5e6a9b2392e6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
5407cdc8331b07953413c7e2a10d54e8

SHA1
4d7d11a3a87d7b5a37a039571fb81aa91ed5f76c

SHA256
71f3538f45e6731da76209ad7c8004b0ee57ea9dfffce9c62c4a8e208aff5999

SHA512
408273bc3be0cd308e180d15343e7212593546c5e9a3655769ab19ac6b93dc02b8569d9d493b320b0d2f31b983d887f59a88cedf28c3e0a6e81d023f7119bc43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
b8f64a5ab5b19ae6050a022202994e1a

SHA1
b3e9bdb9c3fe91f99a425fd310162b54b85e2984

SHA256
2ef12ae6a3639eb4d7dfb18861d456431fa4bc361bc1d2a39cdf1afc8cca4937

SHA512
cdf690d4a590e1580cbe753bec8b955487d7d48fdbc74acf4d924c9bf0d78fad64b22e9a72614536d321a14486eaa1a1bdd5f8ca6c8e3fef83c2ebe4760dccfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
655326cd2a142a1cac13d3ed9127fede

SHA1
6d7c27d4b05a7c81853f1cdbbc03bef54177b163

SHA256
b02c44e99581e82bcc0038cd7f81af37f5b049a44aecc4f6cf3e70f3419fccce

SHA512
92f22857a15d8406eba07fe0211805595ba3759e20791ab5364a836e25573eda4ef033b024b6c03b5a30198a8dfc6c11fd11d693fb4813827db94d568ea7193b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
b07cf3d851e3e992ec02a6b26f91cbbd

SHA1
4b048ada09fb63fb3133abdcd66d9f0630401b35

SHA256
1475382bb4b443455aca808493cc0ea7f18b4cd3f21344567fcdc42edeaeb34d

SHA512
456804ae1330a289dfc16197acc07a5c5c4151d27fb495c90949e631db938d96a3a243f96bbe8767ca7b1c2bb2f86d6a5561b2c6b53417693ace217b8318ca83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
867bf94b73bda2ec0f071c3ef6dfc3ab

SHA1
da6a6a1abc12c387e47b4ac765a540e64455e7a5

SHA256
79320159f5f507a03de0ffba0d92ee731e6c7345690b5bd9002025b1d66b7268

SHA512
42d502f2960dd99999c540e516cdb065917efd94b7c8bb2024e80da46a9f1700b803a8c6f40495a36b3ec7947a1b06d5763b43e3ef27a91acca09a486bec4136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c937c59c2cd171c3b61861a8bc3c422f

SHA1
1c3f6af2d247de38b5472556e3e33d341db02e14

SHA256
0332fca5d3d7f49e1fe246bd279b8fbc891527039da9cc9844f55abb471453b3

SHA512
b2e31f6a6c88ddc74716a0d368d8dcb606f535f93f63ee5294a3bf57b3cf5ea4c03331bff363ab8c2e2b814baf866a16ee81926b67bdba6b1f589887ea4b213e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
e6190f95268069edb26c1d357d6362fc

SHA1
2fe45e3894001794439a3a1f4ccc670d35e91126

SHA256
af29abc4cdc6524b70359604b623749289ab2231ff6c95c91618ce2e56600c7d

SHA512
59ee8035633f95a4e11607480f0ff36c1ab2b5c4d118ba68401177ebd382c9dc6530e2f082724966f16b523c26552fe86c3a637eb668c0654bcde3aa23b7c9e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
e3a5f2f2448389861534be9ad1b28f5e

SHA1
f64713a08ab3b0e4510bf005998ae437f34f2cf7

SHA256
f653822cfa31b94278a6be07c02c458730548057b54aa30304e567dff16bfe84

SHA512
c71330f1995def82005b6b15ba76858149465e0f9a1591a6d3be3c79506e6ee0785d3ee78ad04a5e315a8535fd9945698c344622bfde52f052a3db43d7e7ab10

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
242dc673f768ecdf453bb740a32dddaf

SHA1
130a75597aa06abfeff9d76e775e66d5d3b7fc7a

SHA256
5d594abc8dbb7aef62684ce10e5247578a67b37b1f815793b625222700745791

SHA512
e1fd025341df49067f9680488a2276dce84ddb63bcd6f947d374d85956daba5c167949254e0b72952cf2295f37e2b2f4964a5fb4f2caecbb1cf64e9583996a23

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
77864011dc494b4085c8dc68ee71c61d

SHA1
6abf4818a80bf1aeccc183e90d5901b696717fbd

SHA256
f61fcb457e7011c3b9a67db8a091ae1b58d2a60b557338cfc34de7ebef575dbb

SHA512
1a07d001138e7634199fc3a5e3bc1c82383c23915c308db764e4fabf7896e72c3e5d25111e6efae63786516c1f2051f2ec1cdc49478d50bae3bc2783e3b3c450

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
1a8bb3b90da30c00bb65971911209fe4

SHA1
a6a9d9c6604418ee30fe2f853007e4a43e658f66

SHA256
a9511f0371ec0c2483556558d3fd29517b8b36203cac92d1f60f2e605a34a996

SHA512
698857c5d9dd2e9e8ae4a12b578321c557a05cc56eb3c1281b78a5b1cbf7ca5fda4bacf5db6d6dff15dab2179c725688cbdc91391433948e4149fd1a849bd207

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
675ccfc3f967ddb636c9a0018be5b0ac

SHA1
20661ecee9d2dab2da4a1fd26a88e9809d8931e4

SHA256
75f1d34434a19b62b8d8fc51a6e9ab12ded11cde68201baf55bdcdd95794367a

SHA512
3db640df3da3cac731b2d33aac7dc377780eba11591d336b3aa501baa5670bf88ca52c13a504ff81684af07a019abdbcd60ad4dc1e7d915bc3704c257971d158

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
1147c1f4e98b4072c6aa6eeb9ff92799

SHA1
b0933ec548ad50fe01f55a506e308a895e43dcf5

SHA256
08841b5a94576c808336b7e27e14e5e37e42fa2320d323813b882a89e80db0d1

SHA512
dc06784823c4bf444b24c0a5cc38b9398847e24d25c8648553af5402f11e6a842b505f2045aa5f8d6ec8a2d5fe288c8a2eb2578bcda9a1ccfdf71bc2ad9e0f7d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e7691469501c7b66c554f0403fc1daf1

SHA1
1b38c68df246f012a5ef3689acad113681f9520d

SHA256
940dce174042719f77d8a376c1524e83693be7e98f4ee6d9cb085180ef1f966a

SHA512
d094502947074f40b107afa8d5312fe75c93471e0b672465609dd7c32aa55d959bed238ac382dec5f8b050a9c63706043d57016a7a9ad193e3a1563bb935653c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
f77deb0b47dfaab1e6c757dce85c7fec

SHA1
1e0f05526b045c0a631874220aa87b6c119ca272

SHA256
817847c80d683b77e112c4190e0730b0788261b4cab6b869cbbf4fb394d10bbf

SHA512
d7628185b9d7b87fb9fa599207c53a656842386d4d24a04e5ff569ee82093dd114c9e3c48a65ecc9468ae9be273de884dbfab69a3daafa50df06a97fc7a9b982

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c78f6738f10345efeb1ffc4cdd93c121

SHA1
8be5f8276707efc549df70dddfd72bc403858f56

SHA256
e40bc5a5c796d424c60840e9d12c4dfd6581d3606422947dbb93f8f0730e5af4

SHA512
3617686185d22081abec85d98b33ae0f4c47b5b06ae6a4f2b62630fed9dc8910b0ebc3a60b8693a2aae5bb20fdece0058cd5a53a7d8a3d913d71404c1c2686ef

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
e0f520acefa35638c0e2ec61e5d4b80a

SHA1
8f78d73ab4119bca148bcd64401aa55177082aca

SHA256
f43f2d520dcf013ce65f87de409739afa59c1c619781ffb9337bfec859399cd5

SHA512
0a181e3f152ddde0fcdfa76cc4bf65fb61f0b82a1e754da9018150c6d1b14f7aa00b2467fa2f4d98ef43b4c1d0f5e569256f6cf85a6cc4c357b21f4b3bc87cb7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0439c22c7f3932bcb5e4b802272e5ce8

SHA1
22e2d42a2ec67ae51ea9bdfcc40f43ec0e6bc77e

SHA256
30b308880f9e976e0fd1b295274ba17225028ac8d68f08a6eeac1b0af8cb8663

SHA512
819bb0b27448f2c2a92f53dc860d93f29ed1c70e5dc937e3c77b31f211832b5e8cf0286eb6251cd21e8c161fc05c1e809d70ac4abc7d0f788d3c92c8ecf17a64

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
82ea2a6596cd37d8269cc73d2a1e9d15

SHA1
9b585f55bc1b2941e3f68571313c291d8208b69a

SHA256
a53dd67e6bb50b85fe97f498e1fc819f872c3375e474eed4c430e998feb52759

SHA512
96f162edd94649c17bb221081e00236226e36903b0f6f9ae39eb8aa8bb6a4ad858f9bea4d68667127385124bc4bf002851f6236283917a44203b67ef84684b4f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
84758f8909e3396b173eaea60d640e18

SHA1
62c3886ff7c31a1766ff43327526fd5817df407e

SHA256
bc0f112a699ad11a03b20f26c3e78a676a6c42aa9de63440ae196296f6e1cfa2

SHA512
03ec0c1f83369a000a81b5b9a5ffde89badd98e30a2a388aac0778e6e994f4ebc3b073fb2b037e9d2ce272f557eaa700cb3f50a744e313e4759028b5becc51fd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
6cb49cceb3ac82b7a4c5b6dd52bd6149

SHA1
463b5aae72d22143d3cb8f8c8382ed812f7c6842

SHA256
aa86f880e624ee008cfdd0394607905d3da8978d70badd579a3bc79e69e4aa9c

SHA512
d0d9b313957195e57a68e92168a9b6429a3137e61f568794b256f557736f3030685a56430033c755462a8a577239e6b406b054fe9cec8d493ab8d6109ec14375

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b515e4f368f6390ffdad2727291d243f

SHA1
9075ffb979c6bba660995967a8dfc7a3386c20f9

SHA256
cfe2c06452c71b8f7ab0c651fb140ae0b16415f7aebd9e555c7141e3c116cd30

SHA512
ffa46655176529437fbdac6d5991a83d7f6efb9ac849eca32da1a4684b3be46f554799e795eeea6638a97d138f5222025fc46ff9685d34432d0679cd4d190fd0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
4559fc948d94ccf1613019239b73fa1f

SHA1
b5d9e8307d8e1de5b146043d6a3f7ac4255eae8f

SHA256
cc90efa47d80111b3385a2a06ae8a03716e4e4a89caedc97dfed32d592fc2512

SHA512
0aa4ac39d79273824b4fba9f21adb116cfe9c89f1e43ed86229e3f781f35543802cf7ff161543c84642f39aa345e15842c304e328988fae3174e91cccf7f888c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
eb599a792cb34c743e0b4ef25a263722

SHA1
f541517903e0bd9c93f894899ca9aaa43888197b

SHA256
f2a97065ee27dfbc4cb674237d243959d649f87699fac9ab6d3fe553e37b17d7

SHA512
b93aeb1c0510b3765227d6eae9a739b7072d766bfdf4345936c717c0407daf633fb063398ee226739fdeb7c7de989a86c8d774cb84579b77310a1e51bbf2af39

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
b5c8221ae5f6176ac9a4d50a62e83be4

SHA1
cddd4f9293768c71737a7c8e7a1e40d9e9a0e62b

SHA256
d0d1f20a1cc540db1a9f64a6d62a306e8e382eb5c94785ad8a9a41a902f35879

SHA512
d679ac2890a7f5840620d600e9cd4bb5462f3e404e99e7690f0ef142a332528690091f80b0a36ef5264bf2fbd4b526593c18ff428e83acf44d3bb1a714034cf7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f0b21b868fffd503581e939a284d6c78

SHA1
96c4a34a64f40a0d84694e647da0d2d49e8211c6

SHA256
afe154ba32d0dad055f5d7ca53ced5d8c7cea5151e11764bf366c4896dfc9efd

SHA512
dee7b1ee48d3c0e467dae0e20376a682054e428d0528b93466233d02e743b89ccb53e8d558f8ffc24f67e8bc3b3db5f6fe4ebd447b77255547ab61f2934a4669

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6f0e33165be5d46af183a876e340e196

SHA1
a11bc008e0aecfc7000d8351c11f8ad7a1e0fc58

SHA256
a6679f26d5ffbbdf3bc66037211d91fee0c5cb179d4f2a1d6d8e6876ca4dc8f9

SHA512
d0a99c370040340c8289888e72c5d798499bda996bc5444c8a5527da659cd374912e5a1ea669bca5e24b309580d51e021469e24f307a8f9be4460b05574c297c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
66c68b38e3aa19c3fb9434adbd7ae02c

SHA1
f8e542df568b139cce099749d26cae6921ca270c

SHA256
56151b32bc665345ae9b461c8781d60d3db8c46d397e55177ebe8b665ffe88d8

SHA512
cf99cb1801b99f3510e73983f51440431fc63d52b9fd792d28411fa7c0dd677bfacffc8cbd41af354dba14dba9d81f38b61c6393728d3c3fcf4879eac06ae7d4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7bf001929446bcf945a8555c6ec942b3

SHA1
f1a03140f09e6b0a27a79d4a26f00464af626519

SHA256
26df866cc013636bd457178cb70f535ac40312cc311cabf0aab801cd81484be1

SHA512
23d3227587561230185110a3fbc80589f5ef5f4c9be356068bed5fbef1acd8560dda7d0adac5657e8741a6a65d6fc6da30302ba2d2913a5b64341dc7ad79a71c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
28d946d76cbe020a6f74d9bfdca01958

SHA1
6974cdf85368b4b5ea23f497d22307c017d81d9d

SHA256
3db1d4ab4a806d803cc5b8bee2db6467e1497bee07cb1466a20f75095d906979

SHA512
b2bd9e15d20a2959459ce6fe0551dab116a094c8c8e0d34fe91751100c22e79bc097b220b90d715f6af056bde415eb3fb4b9a9a35acdd7f28d082c933c843b96

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
dd97b86ee415e158f8261236bfd56a0a

SHA1
94a2f2a2e021d93ce3f627ca081ad69673e0a735

SHA256
cb6846f65419e0f5e5bbc542042dfc3ce00312fe64ae0a683ecc588572611e19

SHA512
41b14064f6a56ae46207a629990541cee40368ffeea47b259495e8dfb9de28ac030c6c2f51fdc709b63761f9ddf6aef7b31aefd224ae573be9c861854a66fb08

Download Submit
memory/524-172-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/944-508-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/944-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/944-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/944-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1496-140-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1516-163-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1532-174-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1664-507-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1664-34-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1664-39-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1664-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1748-160-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/1748-96-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1748-90-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/2016-83-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2788-105-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2788-100-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/2788-161-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2972-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2972-407-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-169-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3396-173-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3500-167-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3808-357-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3808-15-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3908-170-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/3992-171-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/4332-67-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4332-55-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4332-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4332-69-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4332-66-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4348-176-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-544-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4444-9-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4444-8-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4444-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4444-82-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4608-543-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/4608-175-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/4652-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4652-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4988-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4988-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4988-17-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4988-408-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4992-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4992-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4992-84-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download