7989ffee79ca457d9d51af92526d76af25a9fd57c7117a1822524fd334502eb1

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
Size

1.2MB
MD5

40dd8d21222d45b783a89b9369df6ff0
SHA1

4e5fc4719324b634121b58180fafa83d3dec694e
SHA256

7989ffee79ca457d9d51af92526d76af25a9fd57c7117a1822524fd334502eb1
SHA512

e9c5e6db8af3f98860f0f018d46d0c439fb9e0317b4d5bed8ed3f1d32d2ef4d7a2b0401b0693a50921f1e9bc926f8a376849c5e10f3dbdb6633699951f982722
SSDEEP

12288:+2NXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:bNsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1964	alg.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
5100	elevation_service.exe
5056	elevation_service.exe
2296	maintenanceservice.exe
1528	OSE.EXE
1088	msdtc.exe
4048	PerceptionSimulationService.exe
2500	perfhost.exe
1428	locator.exe
3108	SensorDataService.exe
1708	snmptrap.exe
4848	spectrum.exe
3868	ssh-agent.exe
3192	TieringEngineService.exe
2616	AgentService.exe
3132	vds.exe
856	vssvc.exe
1584	wbengine.exe
1272	WmiApSrv.exe
4556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1021e465b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be24b3b307a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000634890b207a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4c2cfb307a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003693bdb207a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	656	40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeDebugPrivilege	2272	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	5100	elevation_service.exe
Token: SeRestorePrivilege	3192	TieringEngineService.exe
Token: SeManageVolumePrivilege	3192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2616	AgentService.exe
Token: SeBackupPrivilege	856	vssvc.exe
Token: SeRestorePrivilege	856	vssvc.exe
Token: SeAuditPrivilege	856	vssvc.exe
Token: SeBackupPrivilege	1584	wbengine.exe
Token: SeRestorePrivilege	1584	wbengine.exe
Token: SeSecurityPrivilege	1584	wbengine.exe
Token: 33	4556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 1560	4556	SearchIndexer.exe	125
PID 4556 wrote to memory of 1560	4556	SearchIndexer.exe	125
PID 4556 wrote to memory of 760	4556	SearchIndexer.exe	126
PID 4556 wrote to memory of 760	4556	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40dd8d21222d45b783a89b9369df6ff0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4284

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:3104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
7d14b86564a109c9a443a60ff7a8592b

SHA1
220cfa10114974bf1486dba68656fce3aa21f78b

SHA256
03bf63e97a05376ebfb1f88aee66ecb3f48ec85e23f070063c84db4257fe8fe3

SHA512
97c24c46e40a46cc76c1420163e906b182e128b9993f08a279c5b310aef9219f4d2261d221c648d1fe29aa3239c491999ba79e8116c6605b8a873cd88e47eae1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3878a81bac000bae9d2e61ad5edf98b8

SHA1
42fcd88fe19f527dc604345dc4fb3e3e95672dcf

SHA256
fc5478cc047f48cea39cab20a2bfe27cc31422c0bb7453207f269f9460d3640c

SHA512
ccb8a313f9d927543fa78bc6524fb0f82d588f168ac740f31ac9207ace4d4cab467bacd6163e9416b4c783a8f840d10ad11c47f27dfb80c2280f7315a4d00cc7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
bf85e8da8bc1c8c048ae05583f2a144c

SHA1
8075469c9c2239678852e18de6282c4918210fac

SHA256
20cc761032a084692134dde1bf919e5b26f8e075daba30768b9b2df2227809cb

SHA512
40c9fbe84d730cb3f7b47bb290dd84653bbaf0dee29c0a0ba4ef141bbf181d760557253bfda28b427ef064078353b574ef53eb8bc207204fbf839ac3092a56ea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cafce4a21133a612d573ff2a14d6ea27

SHA1
67a26748fca236df78aed9909afe324bb761fb64

SHA256
ae6109efe646f23ba9987aa80e3fd199b20e4af81a72998ff68e9369f735f312

SHA512
89d7a41bda2a58e7a8bcc10091647c69bc9aa2d46692f89ccd52b701dd7e0286a0406e6252a3c9957bd08335c990d7bedaa2a81c171ec7085470a66114f5c193

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d61fda18e081641b8052370cb9b402f

SHA1
983b709d8a236a14be50e2fcf83ee61a0653a459

SHA256
28d7a7f0d84591d065f4d12206be6ffe44e5bd0a84b429b28cd973d9a92a68ee

SHA512
d58f4173a929e919f3ae7632eaab763790b7b45ab82073118d17f40ba432723b8dc55f547242657611b35dc87b7044c5134f073dfaf032659db69e9ae97faec7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
279e41a578c9ea8fb0420fe8ec227d87

SHA1
7559f2a50f1074f0a0380ca8b7f35c14c3c5fba0

SHA256
2f13946ab927704251d7288f29543684b464621c79d8f63be56db84242c0a80f

SHA512
bab1fc1288cb0e34b53bccc6abeb64500a9d5e1fb4fd7d9d16e9158005080a3c137b7920fdb9941de19a76e127a1ee025a79cdae8e94be47146cac95d62f475e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
cce722d9490de65a5efe7ab5d0f1aa7e

SHA1
f6c197f1d8887ec719a94ef76c67c035c9dfebfc

SHA256
d9c4909d4d2664239cbb4c8511d64c7c1561d70bf367b1e08609ce30a1e5fc7a

SHA512
26d6d5cb93864a8cc6019e2903733f8e44a4924d9a19af035706aa726dce2e804455de6cd60362cbb785ee4b3252a508c0debc703731d36b0619fddd74d69094

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
938370c161a3524b79ae2699f274e9a4

SHA1
57ca179ece8bbce43b39b2ebc248aeadc17eb1b8

SHA256
79fad1f0fde7a55a82c54284178882877178bb466ad6a50c0343c2228e567901

SHA512
cb174ddd72dd0e3c2b55a40fc53d19e551181b9d2593857fecc7c59f42203633df167a6296c4ba255a53af7101e37ac457d0b49c888c271e8aee462348af5f59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
0639876e5f30ddd5922267500af54482

SHA1
9daa1a38c1754fb884231c83b1e17cbf7026c9c5

SHA256
f33c4bdda5d74e1f13d338b8afab7cddcb814e73da0473deabf39b82d93d64bf

SHA512
a49eb660978cd23734d6bb037e318105f816846d0be9f5b4f786df3783dc9814fcc9c13ebdf9e212321031cbebd2ee078fb1f17895e8b11dbd2d8920ae998718

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
17c109cc7506596b3d5ca3b3ac6785b7

SHA1
1a7ff0d659e81caf2e3e21a6eb32932e077538d7

SHA256
863d4d148c5abaefeb5c6486621be8d3b10fb091a8f154c9aef7f85dddf5ca97

SHA512
fa35b6913dc478268a9041c6a5e0c09d3bc452a28fb89b4007b371d5d2b3ce8f780304e321d72eb6f88699bf0d2b7024e6d82078c02a010e11c7d9f0f4a30f6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
100e5a4d690cbe1c6d2246c78d0d7cb2

SHA1
4387c10b3ce5edc462387ffc13794955b067d0cf

SHA256
0d946f5f94993921fcab9c3f902a428b1f95f129dd6ef38a4fd5f7c08655a027

SHA512
e8611509db2ecb934ad7147fef302884c3a339f833d4e8996492dfa15ee4b1cf2c78178fa16e284fe158c90abd8cca045cdc3146b644062c6f7d2a69b54775ee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cf1b4877068029aa8dab160117914592

SHA1
963b5382a98f986d8d03193f019230dc4f42fe55

SHA256
68b617494a290e8021837299bff771236694bcd99712d66f4b7668e9c21628e4

SHA512
90b3a5a8af8f05ec9944a3033e60a1118bf27b3299efb3edb14b2589a17a888fdd6052cbf0cb9b703046fda775bb605241021b9d511987b486cf946c8e294809

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
342962e3d9cdd99518a9ea78093e5758

SHA1
3b505132bc235c618074a7af41cd7f8578655647

SHA256
25185acc02c4f9c1c491353693240bb3d22df12cb2d6eb065642bfc56cf23971

SHA512
b2319100cfefb32b7fe9a735f30ca39f19ceaf116ea4f9daada96e3cdca27b95bf6067923e9bfe839335cb51019208338bcfeb550da7647f228579c5d1a25a2f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9b1e82b834daa0a5fc1c5cb0a27f76f7

SHA1
8b1332595ac2040c58eb5424bc8bae7527fa35dc

SHA256
5781515f665adda27d50b3eb04f4817b56b19e17ae05b050990a929725bbdf03

SHA512
a64cc0a047977a9a68907223799256bae7f44d92b711288cdc0a828befc19d6940a2a4bc99ef03479d72d8e01b19fffa577ca87501fb7917788a1756bb7af0f7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
071e3a95957e7d7e20f43a6f14067b77

SHA1
2ce001fe55274b5f85808e6ad36f2b59910fd12c

SHA256
67c45a788af7442795e75e373e8709b31fba86fadd0711633910eb35c27944e0

SHA512
4a7c05b417cb2b506904eb3f803008d4d6ec4ac926fa30b2bccc26a7442c84837a23a2fbde9366217ab02d21771abc3963c26eb11c99c0180617c3ab67d6366b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
e12a1831dee9ef3d340a399d41de9d0d

SHA1
f4b1f44406e8671854a128e77f97444b47257d0e

SHA256
66809c1296a6714fff2b7ae95f209cc774e9a0f3378120c92556846ab72cceb8

SHA512
9b7eaeb700d258c37393f3563934579082655051b664fda184f8dff83664e5ee33c2076bd8499339aaff9f116a2f8343ea59ddae2c9bc706173e3f55dcdce251

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
87bbaeabce28c9f436983a2fe5e05965

SHA1
506c37ff49c4fd52a557663a4f03651062ffd662

SHA256
ea233eb506200e7e9cbcfaafc45b320402e410947373f2a138ab6bcd2642cf31

SHA512
6cb1b55525ca5e847112583e6485d247c7c118d6ee6e454acff2966021eae82ee0ba58d3c19d209ce16bdb46069e751a8f7cd031f728926c0ab3cf426b26ad81

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
79fc8d8673d13bc782733f6d6a0a5b05

SHA1
6a8d57e66e4320cd61e55e192668a7a5a45a977f

SHA256
037ff6ccb5ebe41db0387255f1a22a532b98f01935267599c6e346775db2dae4

SHA512
c110897f0f216ee556bb0efa11d264e366731c21ffb30ed3b816f87d54d2e2ea39acf494f0218d31ebe4e225949ce073352a615dc1d3b663c85bbb5be6462073

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
808dff810dd12f1a6e4e6f8acc5c670c

SHA1
85b8e76f5fbcc091c1d1def251fb0c53c2ba9c3a

SHA256
68caea2c07504e88f137d843b2d1adf91395d760060f6d18e6e5458634ca6069

SHA512
bbe551c5fc41550826dd66e87bc72b6f538ec9a492712b2bc6b0fa2c4a0c6aae4a2b82cc04a799d544499808fd1f1fa7dee203c0afacf370972c7a5efa6d2495

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
f653e2440d9dff43a62a49c6ee0b9bd2

SHA1
c067352565da0512b05f3636f88ad225928f252f

SHA256
72d8f508dbd81b847609d21b55a68a716e6b2010b04ca2f92f1f114b3a29b7b3

SHA512
40dba06cb988f0614c1f4bee27b169ec04580c4262db543775db91dc73f68d2464c81a54836740cfaff99d87c71b31f88551b195ce2baa3c35de731a07e5e778

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
aba20b85ddc1eee1e669e5d7f98dbb6a

SHA1
7a7317ebb18b3b691058d140cf675e245f0bd813

SHA256
82e867a4533ae1a30d0e89a33d0a8ae5e3a4021415948eeaa05fbf9fb268489c

SHA512
df3fd3d6934053f9c97ee5a196030f7e18e60418c7a547d2afd0d02d3aec729149cd981644fe198e8a18c983147b779cb7a25205913cc815d589d1043587121d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8e050a6d999579ba35e69304a08132a5

SHA1
91948863014687ff2fdffe5e333eba8d6a633130

SHA256
13ca83e29aa72e9c5650609bb13a043f4304f197956dc30946443ee7ed23dc5a

SHA512
35dd00358eca63feae1fd08d4dd9bdc323e69b915319a773487d78b474d561a6c189e8ddcb31a90f634e87b5dfcd4b32b87741ae4d7a87df8dc70bd8db272c22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9804b6d3b4736540e6f8b0ba8365f6c5

SHA1
2d56c43ff94b2203550b78a1779ca7749c5fa63a

SHA256
f17dec32e14d27b4c09da52ff25a585344ff62d3bb483f6db1e58633e71e4acb

SHA512
8103fa6c927e0378cc844a0dd8161df9ebfefb97a94619ad0bb8622330baf525001bf7b301692d1b0b4617b9099e8b91832090f4ea49848ffc8b7a9d1f2eff63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
964611735302f6785b7b137b6039d841

SHA1
c39339e00ff0702e48ee0de2a280eb78114102d8

SHA256
61ca5d53a43bf3dc76139ebece7f1f82cddd67b29068f1e3404c590235ae45ad

SHA512
b397ba06d6d3c1382da1fa17898f79727a2db68b9f9687e9479456ffa1dc8874d0cdf903493e2d710a979c7b642bcc55cea40761409db57dc965cc508194afcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a4421516a3a6ef01a7abc4aeb4bceb7c

SHA1
dfdfd336cec90bf9abe11e9fbc865347b5d74937

SHA256
2772e8659a58aa9c5592ac49ed4d9d042a50399a014bd5e96be3978e001232e8

SHA512
0f4fc4770a413b179b817be2e83c1bc298f8e1dba3aa16ce2a9d5ed914a269180164d8a18647a65c61422729f6eb94fcdc435db989ffcbacd865fd799efce816

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b5b00166be69da6f458837d7d4602116

SHA1
0298ec6b17337dd3566ac7f81fe6a58f3ce28ed6

SHA256
17f2a76900dc9d122e2cdcb654a8098666b13faec084e8a6a2689ce2bf5ab3fd

SHA512
b6d6559b11a61420a2be343876a0bab5d7fa47fd990efb212063153ce81e5f0626376dc17d2e89588356795909dad66f31a32b133436081382582e7694048f50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f8efcb4e7fc4fdb6ae9aa3f77124e70c

SHA1
cb7657c63840992dd91c408af8c776efea6771f5

SHA256
ba161730b334c2314ffae07a8346d1e0fb37a910a4bc34ea56e5da4065a3fa0c

SHA512
a07a84c7b761c4adff889803bb955a3d71df1ae484a5b9d90292d620a1858d8ab3f86657648feb76b01cd6bb82aaccd2971ed137750ca4f420e7522caa26f408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7126f66685927872e1fa607400c88313

SHA1
1f480dfee458234e1d037ae62f2c85f487df0170

SHA256
10ed283e952146a5567b429e2182b79d9466f43b18e96350fa7b1cc46c457af5

SHA512
cb8a7b653d7c9d8f51ba7b9488647afd69b3fe397803e4f8b11da9bec5fead8982880f7effc25d2501083156adbecb3d8a972fa5357288cf8ce3eed3cdd0fe2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e6b72de580406f0a675149017b0c3253

SHA1
0dc2ebbe4ae2571c8cdbd401c0897b0bd5987273

SHA256
598dc8b9e213a1bca50e4c6e383a990cff3ffd1cb19b4314231cc49f91bcd2f9

SHA512
32cce69251877fe94d7a91a922252488b2e06be5a312dc53c5a48755cad737afbca5ae8b3e6735f9c2d4c5f4961800537a8066187d21257a3746f458e9f5daa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4b0e47b8aec604e4bd6c39307b12ec0e

SHA1
4356ebb21c3ed07bdc2db47294657dae32384424

SHA256
216a737736421d5a07eb66871794c099a98bc35f5ed171d429c9006bda1dfa50

SHA512
4610991db4cccff4bc7674c87f077c61921d4ddf8c4d21ef773d2c90815b663d768fece06c6b67f7dd351f4a1de2e6d16ce9944df838ff5a55c47a822b4d32c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ece56310fc46c941af2149538bd5a031

SHA1
e100aa6bf0b283af3eeb2a336867c6ef9edac83e

SHA256
45af5bd7b582b4f12c0459f99af2169e85b9a1556f82520a391901845fbece6e

SHA512
1bc22a0849ec000ec2a9bf36cf168ee1b8cc31d1d51330ddc9b0bb9bb1d5a4588811039387ee0c9a4e619c79e586c5debaf4d82f4f5d8d84772c174fc46a8a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
275074cac2dbe0bb1c714fe357339068

SHA1
9cc5e14ccddcff1ca0e2489217e952ec786f47f4

SHA256
545439e8a14c1918a04e8d22a59d136e939c4bdcf9a4ea1635ad32139d182530

SHA512
088ace2af0931efbbf1e3a305d7f084dac7f5f2a978467017d38d641a2e40b52273b5291bfb4e6fba327e135f9cff8255c353c99d6c93ce03b3ecad387cbfef1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fcc4555dd7c0dbf2871993cf95c8af64

SHA1
e68752967f09fe52af3d7b7da1b2234fe266e8a9

SHA256
a3e18daa1fbcf07b503b878242af3788ad62ef369d6566fcfb85652d0a5c4a91

SHA512
53d17ffc8698841f64a129827d46abce61ffcede8c2f6a6791f5ba4183a74d257e6f67bb183b9a05a4943c1349e6837d8fc0f1c5af25ef7f4dd2fcc2eb4b236a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
baa66443fd5a59508ec9d9603027cdfd

SHA1
6e2df8518b91dcd741cb8aa04902e364e6e35883

SHA256
f1ae4422bdf57aaafd81e9487e33e7ce48a79dc851edcb35e6a53ae884dfbf8a

SHA512
7e24f441a2dd5053c9953568577179e5d291902d2f23b07db5a6d39ff4a37bcac0598a28d3f47ac13abcf5ac8546a76b0f9753b649da4470a3e2414c0e24eb7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
8a1314db11ec176b864a1fa77e1eab1e

SHA1
303ff45564b40b734af3e83ee5195e4b44036882

SHA256
3bc173669326748ac3d10de1364586d621a5f95b742459d372acfc9c17ed681a

SHA512
c2278d169ce9b493f2ed36a9c3440ea84adaf0f32b3a250f0260da9ad2e5321d64783a8ef29afe00d3e41140db6c907bd729a9d1c3c36378922eb5448d12eede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4059d42faf3c844b3b5802ac498f9cb7

SHA1
105f2fab53d6e561ed002039a58461e1fa515350

SHA256
0cc71db25d2957a85eb7c2d5a167b44d62922c31a3ee440734200f1ba1deac80

SHA512
6631419b75e4d995fbfb156c44b880b186580b7be27494044da782032fc42ec838a9905e8bd6f05258b4b5018b40473bae4107d6112baef27445b18ce09ab3b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7770503e04f87dc8269894842a42ce3c

SHA1
ad41b95711076d6237b8b913b0b431695f99520c

SHA256
7692fcf65fd4152659606be96317b08f65d2c3f16bc91fc0eac31eeff109c0f5

SHA512
89440e61ac90eb4eec2b64e20825a928acfde38d35dd1a2d1d04c3d9cb5fc6675d7628b351303cc6bf3d0171f5721a8f25ff0d230d13bad64755fd7734a8eab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
46a3284ea245411d52d237aed118dd12

SHA1
e47dd5a42f20a48c5a1f0565155896db166ded4a

SHA256
61f6a427376c999e1cfb3ac58cc2f40d53ef1f3856d3457dcca14b74789eb733

SHA512
f56ab10051f50ec903c24d8253a11eb9c00ace6df4583a425bfcec4704c68f2fcb204bd4e16698e66e59e5fb7265398abfaa7b9801bf663c8bea4d791ff4626c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
1991af24ce5e78ba44b9fa82a951d17e

SHA1
3f5823ebe4270833d03fc90edbd42d9f99576a82

SHA256
6e503d212a5bbf91dd33060206e53a515ed78c4f99bbb00b054f0872df6c246f

SHA512
ee9607ce4c4d8c9102347810bfe440d00ffd7950c0bec4c50ad744abc66a867435eae8cd73a2e509159c34d9b15604432d217b4d6473fee06bb07ccf9cdd3553

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
bc0c0c87317b1106873cb8bacdce1947

SHA1
2bec2dc11c30a93067e287e5f35701b686569a1c

SHA256
eeb20934b630a7f252190e7b165ef8cadcfff665e2f6ccf3ea7c10c91fc806be

SHA512
80efcd382a73486ec3b3231bb0694b9c49c8bcc5f882235d1f18413bfba686b8466b7d6cf9c5e21702f75bc4b8422a762d7c282f1d5d61ba3f22aa0109e4a015

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0cac7f8b2d458d5042099ef8e50531ff

SHA1
633542caceb3aa47b43d47369657df3afb1a225b

SHA256
92b0d9f3bc53a63ca6d77417440f45d005ba2096d4df79cc5e5acac2707e0c42

SHA512
f60751fdfb7fe5fb2a1568b948e3717c0a4ba5ada55f042e01bda472cff00a1cf73e81e751f52af81f9abc0e4b3fe456b1f885dd6d29f5413e4574788af6a8e8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7cb1dbd9091b856225a548b2ae6adf44

SHA1
2e8338a1c78641fc607db7cba4acad0ec0437b5f

SHA256
1db88eefc609ff70282b3e3a2a2106ab5ebd08b9ba81eb870ead057e4757d5af

SHA512
7bbe4056107b44b50f761050c06addb1afc34588bb57979812da7822168c5b2fe418c1f7cb5fdfa7a68a0b1e3ea3b10ae75fc1fd51b1df98b50ca4869cde3f72

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c9c9c51e68a415dec473fc7383394bd1

SHA1
981886960aaf020639ba419a679e6c7c023b1f87

SHA256
96f75a1149e4bf0581d2d08deb1a4b7a786a46bbcb2566456af32fe2977131b8

SHA512
da34c29f387f848609d0b16921d67059de21ff40c064b9136e4c95b58fe5cdc5e1616b5ac8b35d241123e62fa2323be0e79620636b4b97c73e6bd1a36086775f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f32b45c525bcca94297f47dff72fed14

SHA1
0bc7f03cbb82f1bf0a0d0dd174ae3e3c9b390476

SHA256
788bf248c99787507f7f4e1fe8d9ccc63ffce052ca7486b5a27f0da15d3fbddc

SHA512
74525c5e838b79cc44f6d43e4f335db8d7fe4494edd81815c38433f45e408e3e6512c33c302e46db04ae12fe59c472b5a208cd7134a8406bdb02c77433ae0dcf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2fce5ca99642fc9a83201d0ec2fff2de

SHA1
8d7fc289a2e81b7c9646910c6e9c2dca4f13f8c2

SHA256
a181ecd4cb1f57f51466de83d87536d7814a94fdb46da2286a217196f23d8e90

SHA512
0c0953e18420095d61193947453b977319cdb9ae3d775a7c06aa917561d0df126eb0a3526b33b66728a97a9bd0734f2df8e3db159d41d797caf7df7777d2bf73

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
166301f6a1273ba02f5572ff5cef89f2

SHA1
a672ad07871f33ebb633357fac54933c51c80650

SHA256
ee72c5d156a30567cb75bcfc3d833802c6c078186467b5c04710a877ef3817ef

SHA512
ce37a704f0dc8ec217429df42b47bba34091c68cc2fe687e3a7a1b99a84b51f4625e446c7fa62b5ddf8f52bd466c64ad21add7f0dc36fdd2653be62d5bc32369

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d9dc989f335bf1a5c4231881d7fb6966

SHA1
8844556132d580504b84ee2ffcb0c2353bf02380

SHA256
ab5078277c16480a09c1428da476cb51eafb4fcc56b9cf4cdb63b69cc7d9ca77

SHA512
0ab2562f3137f1595161c94b674328e114c11045ee4d9726295609cd338484a406db1c5f697ba35d309c7051f62229472b3996875d6ecb8aae6bb58a90c740f5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5a37e1b12a9ee615cf936b011312562f

SHA1
ee9d3199e7d6352092daaa012d98a2d1c8cfedae

SHA256
ac3e8d6c40bdf4035fa287ae5af05f16368263293e3f36494d7f87c0e982c0db

SHA512
4aa3a872fa8828a4f2f13b8ba8c2809299b005512b8849c6bbda0fdbe73ae1d1d078f0aae5697d6e253708cd4d02a97796b03ae8b022824040da6e7400d61e1c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5753bd96b6af15dee97eca632a0f670e

SHA1
b6e8fa2c1ec86600d39fa417b2f23bac4b72c51f

SHA256
a283be44ab25b61a98ca791ca27920ce2b212aa64a8635d95c561ffd40133120

SHA512
ad6a76da81651007c172ac11b03f538ac98f001f97dd9fbb76b6e901cf16b5783db8d86fe734dee0d1692f51fdf94466db27e9f529760d8959ee7b9b019e87e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
46efecf3afce59047a9380aa6765496c

SHA1
6f6113254cbc6de5a56284a6de144d9c1b97fcb8

SHA256
f033d9d1d9a5292cf5ba5495d023372af0e6c608b0168f0c8a59a48b9f36c0ef

SHA512
ae514b5fd0866bdad0c6e7b421b09efe5c08db99e1a07d21aeb8e0e26950ad332283d924f74bcff2a34a46864d100e4cfdeb0f1b5c9ee8ca3b08902647472ccc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a5f7f17028f18f48c5d4a5063d772ee8

SHA1
4b1d602afa315fbf287cf3fdc4824f3d96ce9992

SHA256
673a82d803d4b7cb832fd7b0231d84f284dbbdddccdf6d64dbb78956c5e1dfca

SHA512
ec998f2325f041bf7f848b36313521ae846fc9e7dfe9f6cc4a36d0d42aad2557d8a112df879f89c27d3c564c6f0299065f6c611e9e751285215e464d6998e779

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b5c8a49f17ca1475ae6dcf76e2cf81c0

SHA1
053178318b9bf4796d39c6da1a0a5ed9303e9e6a

SHA256
4a553d43a7855bf42535d46bcbce750d3ba36581a091b2b164b269a8d4c7cb36

SHA512
a0c8f858fc71e6ba75d9b0ea44e423df6eb00e1878d68e06dfdafd483bbd3341c9ca697f18964e5b0ac185baa45eb222b428ee6fc756d0027c513fb5aee16ed1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1079cc2f539c6d114e7e25b221704258

SHA1
1438a5ff870bfdbd79f557bd4e977b9b69285347

SHA256
be84dd34ac6a4d99935e02f60e9eb2eab8b3d58fdf7bf47aa4fddb159734bdf4

SHA512
b7c1be145a96c5f8e9560cc99b6b6d24fa3258cf06b7e1080323136b8671950aa058cd89c748424e5a9d1d67d531d6d2d0293be598db9285e61791be49b60c8f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
fb22140be79723fbb1afa5d38b093781

SHA1
40822a37d80a276e4fa9db0384981767470f4d50

SHA256
4a03acc193545e7cb8179481e2f578299fd2a2b39381a06147256ca0f1ca1711

SHA512
d534e78a8eb3cf4980e0ab10e116bbfbbc0e8b8da2f00234c8ebcfdeb3149f37a1e8d9d132c19399f2220ceba95082ac066ecdf72316987d33dda1e60e310163

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d6fbab960ed9368d16ae0a27804700da

SHA1
de19851e35eee8a81d3e7e1dbeec32951302b7c1

SHA256
3f3cb4d28f444a7d7c8f70ccd3b8f492b3db150217475f937efe105b7402d7f2

SHA512
0a80c76913e4d7304af1af5cd932b2eabec81e185778e5818be87f1e82d30beb9ba80882891e1d07ea4721a6fe107a79759b43add117dc5d3a0989681fa6cdfc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f1f68c5f28b0399eb2d55ce9e737b62f

SHA1
1d9078b811c4a8b8779f955692acc6bc03689109

SHA256
a9e6c4d2a4daa139d33d0bb8acf3ef4f2220fc05e19a26727f2b88aa1e303013

SHA512
e02d5d7a873983b9c4dc4e6f230988958f5a8156bd92cfc831020f91a7d63835d5f344dc9bef99cb381b2515005b7edca11dd862c0c96718585105f9b1307034

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f0e20a87cc933fea7677c9857aa7f604

SHA1
a60f5f82a968d4789cf33b02e4e15b4ad04037f2

SHA256
eee3276ca6153671f053aa58dad0b6057c33e8c3d53c559ef116e71a2ce7370f

SHA512
d91b6e6e929c47775012bae320b134bf31748b0f45ef484ba77bca314124762401feb28ddf5f14f0fa3c5a2acef530b012284766b58274c64e80ec7f20cea320

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dd602388c1f7a3ce1e63644fb1cb7554

SHA1
cb4e0e50d0d9b66d41a34168aec02793965cc6e5

SHA256
b8379686deb62edb2743380898741c3341da84f8985add6398ace16bc9620d83

SHA512
33d008a890a59deb81e31501e9fb32ab9b65fca78793a6281f500f50164e75daccb6e89d7f76e3511236aa88de55178dc30ac6e407a43cf840811d2f1f2fd4ae

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9af14ac1eea8aa093cdc30a19bc2b8fb

SHA1
dc4805a15e3d59570df6db1e8822fd3d531e4003

SHA256
1479416cd9ce0ebf4d619e1f47f192f740dfdf04858304b1386deb13d098d17a

SHA512
27de222bf8f64b3e8604c043e8bbb5c45e37f04c396272973de61761c45cf63c5cf71c3186a7d5fd428fe10e18e59eff5107ea8f04e7d21b2c8c30c548fd3a59

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
d076bd0b264edfe0dcece9e0d54c93ce

SHA1
4bd99a30d5895bf357bd29975a8b00845f145368

SHA256
14ce96e1c5b5d9d612c2a31205e6c2b88be68382dd5956a49bad1f8d0b7da13a

SHA512
ba8431bec2e6e646c51c257a4f21fd569106f3487b5491b16da247a0380c9360688a691cb664068b05f56e7237cb93b8b8d163d10afabde600182d063fbdb991

Download Submit
memory/656-7-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/656-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/656-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/656-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/656-58-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/856-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/856-519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-323-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1088-255-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1272-335-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1428-283-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1528-82-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1528-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1528-76-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1528-243-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1584-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1708-413-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1708-290-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1964-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1964-183-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2272-185-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2272-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2272-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2272-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2296-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2296-60-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2296-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2296-72-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2296-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2500-274-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/2500-272-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2500-331-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2616-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2616-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3108-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3108-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3108-412-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3132-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-316-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3192-418-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3868-305-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3868-417-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4048-266-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4048-259-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4048-327-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4048-260-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4556-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4848-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4896-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-56-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5056-240-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5056-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5056-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5100-40-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/5100-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5100-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5100-34-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download