8c993e9bf8ab7cc0ccc5f11bbc7af737f5172279e0c085f9a619210d3284dd45

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Size

712KB
MD5

7e513428c4310df868de1538a533bd30
SHA1

37792d96ac0af869f8528c56809c9f9637d8c064
SHA256

8c993e9bf8ab7cc0ccc5f11bbc7af737f5172279e0c085f9a619210d3284dd45
SHA512

ac8423c1db9b19704d7f35c3234ed3788c7f442f223bee917f74903e989f7c76b5ef1b1010ff90add87ec24aa56d4a3dfadfd19d1cfd12dfbe0bfdade9e15b10
SSDEEP

12288:aQCB0dchmvqOoix9lnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:aD0SOn9l11tmlNQ2OnBdFQtP51llPupY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5020	alg.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
3916	fxssvc.exe
1176	elevation_service.exe
3136	elevation_service.exe
1212	maintenanceservice.exe
3644	msdtc.exe
3980	OSE.EXE
4232	PerceptionSimulationService.exe
1408	perfhost.exe
3904	locator.exe
4616	SensorDataService.exe
1500	snmptrap.exe
2312	spectrum.exe
5036	ssh-agent.exe
1700	TieringEngineService.exe
2160	AgentService.exe
2288	vds.exe
3000	vssvc.exe
4556	wbengine.exe
2916	WmiApSrv.exe
4292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d2bd698c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5e4aadffba7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe9b20dffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000586125dffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000595bbdffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f7438dffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c65d63dffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffe92edffba7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7e84ddffba7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c995edffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059375cdffba7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f95f44dffba7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeAuditPrivilege	3916	fxssvc.exe
Token: SeRestorePrivilege	1700	TieringEngineService.exe
Token: SeManageVolumePrivilege	1700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2160	AgentService.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeBackupPrivilege	4556	wbengine.exe
Token: SeRestorePrivilege	4556	wbengine.exe
Token: SeSecurityPrivilege	4556	wbengine.exe
Token: 33	4292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4292	SearchIndexer.exe
Token: SeDebugPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1492	7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
Token: SeDebugPrivilege	1968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 5476	4292	SearchIndexer.exe	122
PID 4292 wrote to memory of 5476	4292	SearchIndexer.exe	122
PID 4292 wrote to memory of 5524	4292	SearchIndexer.exe	123
PID 4292 wrote to memory of 5524	4292	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e513428c4310df868de1538a533bd30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
222913a7cd3aba857c4fcb8019d126fe

SHA1
59ab319a37036648a01ba9260b7b2159b251b2c0

SHA256
4ccd19d3824509f50c0348691bfad239a94d0aed35e0c89301b54e2f0a62789f

SHA512
af127740cc7a9a587ce9c15e53a139930072feec28a5c2add32d7111ce89aaf70bed109c05bf8e04acb41dd5c48870bb6419f6e5bfa76bb6caa29df3dac4db6c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
dfd458f5dde66dbcba189b0a0be91e1d

SHA1
266ae793be8f5b55962c66f08607b44bbbdfe1f1

SHA256
e63a1c0854d617364ffd1dff1a8d626dd4c2497307980ddbd0c7e5fc5546ac0e

SHA512
d3e0145ddd25c46fa93ac25907336f3471fbb92e5eb6d770f0fb3b1ae2ef32a4de49e3dd761dea9c0f7560c22bb8547adc4d49a2bf1607af2980fc3c47ab72d6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8006995a9e94e32c12548d7a8a82e827

SHA1
48d33c4eeb2cab1966317ee3252d5f9d737f5b15

SHA256
8f23dbe38ebf3daf5237891d1548c2cca6bfef9c121e82c93b013b26d1576da0

SHA512
bfd25c88a42a1e90485dacf023563b619d6212f024eeaa68da562733423e1817e54c538f004204a0b40878dc24589a8a9088c49510f5b1f0340d7cfbf086c139

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e7cc3c04b5d4dd1336dca40e120a23d2

SHA1
06534020712e2e4c42a72d61c415de70a2f8961c

SHA256
c339bed9c84978be832305a001a89148165b683294ca95742a7675f560b8551b

SHA512
16efe64e79bcc46fa68ed8802d5c5b1fc33b7b17e33ef42d91a7f038ba4685a7312f3966f3650262e78c22d56a1f0f358ed58e5b85829a6a4e085492b3046ae5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d29ba04909508da880c246fbd5fc05ec

SHA1
d3468bf785faacf765e15a4dda92d3d3ab2689a7

SHA256
af6d3327b50c0647e9062f5858361009b2eed462dfc51440c86a5657e24e2d38

SHA512
1ddc98c99af6783c4f1f0a2a50d651b2763b82f121969e8515bf2f6572c8b88e0faa2314f28f2407283298d6469ad08fd808667881da9f80906e48283287cfd6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
49f27d9cc34f58aebe6755ad050ed85f

SHA1
9523cf522dfad71c91f5a721b9fc6d214c0e5702

SHA256
4392e909d00fe86e6fb44c24716ebff5847db17ed9c14dcb139219cff79c4f32

SHA512
fbf74ddcb857542037fbc5cd796c918815258eb2110b060ba3acc20a1d98064e2bbc18907698c062e19e884674481fb092c6c87e13f8807c9f87c4d1bc029d2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
08b7a8f1012d3cbeb73b82e1e38a6de0

SHA1
d93ef627a3bdef2757b1c3341a681b0098761ce3

SHA256
35996f547623fedc9267db65921d8f6b72ed29a20c9b380050b7bc7c167e3505

SHA512
050e4890b62e73f360e7afa61e59ac0345f2edef0791cbfcaf559b738c3752bda952e25cba229fef8249f1616cc1955a873dbf2f84338b4c4805ff7984c6367c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
412d85643d1b9013fad7fc359650564d

SHA1
3b1e2a753cd962012b2f9e0af55632e845f992b6

SHA256
b7de1fc8173dfcc050dc7624cb2f73195dca80709f0cc6176ee2690b383b41aa

SHA512
dd77dfdc0cea684f0f146d063ca7a4deed694837f24f876e6e64ae4b127a3431f746a1c002ee8d4e956fab06901e3bdbd2ec7255b36dad076b8286b896256b3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d235ecbaa52d178ee4a920b7a8e117a5

SHA1
d664e8ef1c16f49c14682124be3da5f9f2ba78e2

SHA256
82f9da341e84325f1b92f32a84a3be7903eb479751050d01423ab2f4abaf44f3

SHA512
e66241eb57f187fcd59dc9f69612ed8baa1f1c3fe290db6e336f60487728977381d4a285a9c05a4d77ce3c384699365e0ca24dfe3c112cf82ebb16f1a689e1d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
521233ddc230bb318121b26f263afbfd

SHA1
f5e4d52cdd4a775f18adf25a1688dfe1634f6c62

SHA256
c72f95e6ca17653dcb1e86587a6907163af7029a7807308277e900cf70f43d4e

SHA512
6cf88b9080277e27c4c2200f0391f8de86ba5a5c54be498c002051034390c13136a105932c3464f2f22e4e8fb06ec6dc91d080471ab7a0ad026a7b18787df011

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ff3de60bdba2c4dfdf8f98e30d9cbe53

SHA1
c1164f8ae5b559ac6d23f5d519ce14a1cfbb110b

SHA256
6fc622044e83853345c1c7bc0b49007968d120b2c3274f5f4da8a25b4b0da36b

SHA512
5c14534d8df3170d0414f0b02a9440cb498fde66355480e6d64b0dd039f9356ca6c0085010397357e8a8006358e5e8bdf7ac95a7abd40bc6eec4bb638c94c556

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c159c83a9950878d62aa51ae4e92c83

SHA1
ba90d8ce026e9180bfafa61d8ea8989136b6bfc7

SHA256
f23e31e21d93f03cb6f4e76cdcece4a25da4fb001ac06b5d8c9ffb4bebb78753

SHA512
b6e1f29f4bd2385a9c5ef489ed027a633285e6a6ef9210c286b27bbfd958cd3e45971a8df0fcde492fd67e1a4d18a362be668e09dc68e8f86ac84b8c15c57862

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8791a0c5d6297180b5a3bf3fc0e8a509

SHA1
13a7d9b0b69c0e853a0ed30b2912a50ed610813e

SHA256
607fe21f1d22675d6543785ca3bcae0ecdd897c8263e43aa04db53e1c9183508

SHA512
5967f11cc2dcef3c7a02c3b2262d38b2b5e4e44e07ae5408195683378c9d8535bd0827fec2d9e43fa75eb37753a73dd1b5a327387fa3b26767358d83f6e4137e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
504ebf45ca5cc5bf0762e88c912d8bfc

SHA1
38fdeaf49b7ee4af2db9aefa33a88a70ab879c29

SHA256
0ed5491082c4630a4f5062c2aa818d72a5bcfb37987a18d30dd2b34d3f8a8e3c

SHA512
270b9b8a9753424d90850cf615c96b8508f99d0d12d5d5e54a24235e5097c34b62ee24589d02ea2ff82f9d8a48c3ae523888a355183ab7a43876cb8c41a0df91

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
277882a99bc1727dc2f6779997adf5c6

SHA1
15d1d2af45d8861d36df8d0a2ea11e8cd1ee559d

SHA256
dfe8cfc891da02410b91ff5bc48c0f2578b6fe320640955944bbff015c31f578

SHA512
7e4c2c7b4931bad029bb8bc01270cc15ff597950645c31207fbc787ace9a805f6bc09653f2dac558eab586abdba201d9f534924ee85ece51233d1359f2936aea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e576c35327ccfb4fbaeb3e1bd5bceaa5

SHA1
3982f88cf5e632ea887bb519b8db97ef61e87052

SHA256
44241e6ad58a13da1ea502d722da37ee6323148c42ed055ad1b6cf123066a4e1

SHA512
6e0603a50cbc5fa73e755d08ca9d9861f6dc08579b2bc565660d64efef76f731f898dbf6d5c20b449d7ce86d3bd359f33b9a045c10ffe6ee2d1c8294ae360d12

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7c19068daa36388c60d48b959f692ace

SHA1
699cb26e95bfa24d4670602b20a7281facd50f18

SHA256
80eb0ca265571fecd86f7ccf64f94e4e59aa276520122850e9e61b3996328097

SHA512
807e90eec50e1d5ac6fbf5b57e0d99e8604ffbe7d73ccec822883bdb4cd1abe1578bc91702a82b3fd5621de12c3a91bbc829060b31f5aeff51b8ad230d5a7db5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6bee840bb415c8c6ba3eb56096d0b0de

SHA1
a7e0b2715bb32a3fe54bd648ab92e8239e6c1f63

SHA256
1741e25b5361b5984d6ae9f5382f1b2557936bb640a79c1080b94d850ea80d0e

SHA512
fbf6fda26f9da70f465f3b24ba5819000ae94a49df5f6771596dc180ae97e1c1558252037c4fc202cd00b944e5247c5c27c05718ed8d7c433b65ed9bfa60b74e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
21e32f3b0c4367282bd4986addf3c9a1

SHA1
362109afe2038c47255e1fc2ace7604493bcf1fa

SHA256
38983293a964d766bc544e5105eb231994fa29a463808d6e07070ce2dc37e54b

SHA512
75f94d7d549fda36f7c0c5db918de17a40e93ed2de2c333272ab011a07650a9d199a1b905544b07257f178c62851b559b0246262557f517678fcd0aa5af79ffe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ee1fa43f4c6ec7c524edaa29de767413

SHA1
c9f6bdb572e6bd8f4395163df668911d78282a95

SHA256
6757c5872599bbb146d0917b1cf5828df79f4d1af652b21efcec9dfd28410f8d

SHA512
7dac845e0ce95e506a301094e0f6313f1dc0f28d21e222217cad815408028f798e3714f8e996f926916660adf64ab5eea30e931280360108e9f507a2aa0b2b8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f93cd82268d41ab8ccc46af477535a62

SHA1
7639fed9497606d0fc5b3e9532a1d2f4ad1c0f23

SHA256
ad4b16117e6359ca7a0b1d9a99e37b43eaab29e7ff8dde66798c1ada2fae9bf1

SHA512
4cf79424eccb9007e4e61cde8a940a8cc4074272a6ddf38dbdbadc94e45404e9745f07ff6519b5d09e6fd638452a53699c181712241c78105b6573c41baecfc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d965ad8cd8904cbcf9b010bafad0501c

SHA1
6ca8d2995a2ef4a68a72e27c0af832f20444774b

SHA256
ce90c008c7bee8dbd76cb68b094d476c3cf6911fa5514e9a290d8356ece8316f

SHA512
224dbc4f9b16ddde2a84eb4ff7d8d0c1b7845d29e8f266e16c9d5dedd1e4cb6cb6f8266ee112c25b0e93941f4ffaa903397f66e615ba397667817cecbffb3087

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2641ad22a9aeae5607d196bab95be803

SHA1
965fd1320844977bf97500c7a19b07beb68f452e

SHA256
8ac0423768e81a5c49c144df25103924dae0693937209e78fcb701836627f867

SHA512
e8951a6ed2dc8ea5b983a24b97764881205c238059e248900bd11ce8bcef910920096484309c40a80f39f4584ca7e1778b48893ebea3b259e9b663c9e85e52d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
18b0140b1b6693fb2561d8b1e0d060c8

SHA1
47c4dff87c04e0e9791937a5e204dea8d2b1cf20

SHA256
e6968313b13b21044fe4b35dd7ded013ffdf7a4c039ca4283262c9075ac53ef4

SHA512
6e91d9afc43c8dd9de972b0118a22932c17ab0f05ebd33f816dc97d765eabeb6f559496ac37fcefc6abcdd0a9c7bf9de748e7248104ed0e76474da4b88c3af04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4337641fd0204a4eb3c9ac1a6d0b4d24

SHA1
7656da06217895325064959f78c20087e25d7fae

SHA256
07cac44751294317f5a135330c8d40d9524f801f5b8fc21ff6b70775e38a3f54

SHA512
bc8403e38a01727afcf22c4b2446322fa5329b55c51ce3722532abf5831b2455e33f868e37d7080ec16f5383d6d4b6319225e8ca060a02a7a0b99ac11ad33154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
392d2b1e09599fa34ad2e8441239fc07

SHA1
a01a8214d4fbc4148db3a7493ce702dc917f6e36

SHA256
42124d22a23fa8692f6450826cc7837c7a05c243d93ac172ae712072ea98cd07

SHA512
81423a5763f21d514959e0b020ff2d83725997e51eda0b0df7e1310be341e0843e3e4fe0aa40c64a3aec737999322680ec4a7cdb9e7bbf955d7e27c89c3ebce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8ddc6a05e1d6fdd68779301ae24b0653

SHA1
4b4bdba46e7d4e066085991a7ba0fa5acdd0ee81

SHA256
e2e8c2c7528b27ba50f33cea1cda8d834527efe331bceeb36e283007f8b6c310

SHA512
641656749794a9db6fbad80c6bd81daa33eb9d8aa416e664254de2725871cbc6c158b72f2aec4f9686c2efcaf6859cf405dd4a98736774f7b901d4ef8ac21b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b190192fa7b828fbb744a4ceadfe03fa

SHA1
ae7773e488a91e7b878a22ee5cfbcc617bf81b84

SHA256
1bd12982c924295dcbd7af1b75dfede72b1f68a946ae78b7e61496d8d32f5de9

SHA512
bdf334dab6539f6214ececed265fe94478f6c0f16468a3416f177528b93ae60431386ec60911fdaf344b336cbc9db90b6e40e3719be7e59803348add1f1a5663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4bfbd26da4f603e44066cba4ab013d9b

SHA1
3f69cdf35822d17bbd5a7c21782a5cda2937294a

SHA256
7cb6183675e70901e78b034db723cf4c615050368b3e1d74114e6d6e4f209d19

SHA512
6502c98c2f9ddb94154ee91cfc7bfa7eecd340422d85dc5b0ae9668175bebb641bf5b3ad8b754ef5c64b0697b75bfe47d3f0682e4c69b8a704fdc91ed23d14a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e1b4ac9f23cbe36340362ae1206ca5af

SHA1
7aa79787a2d51f3af3278537c3ea178ce860f827

SHA256
f5727ba115bc7a73750b4f0f9f6dbf5fccef9af537b31440299008f79db3cc4e

SHA512
6ffff4f9f4f775f8a1201acecb800e0d2f35d204f7e069bd6e4900016aa6dd772be8f8fcde61d4a13a466c24df5ad114a9ca2243d30dde50b80443771e436a6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
277ad9d86c03efeb7c82ad1242ae2773

SHA1
146e24bcacf4bd9b0884ef6581b9a9c81ac0c5a3

SHA256
bbc4208bfbdb9cf4066a18f5a65bcd800c6de1972ea231ac194b74ae903de2b9

SHA512
3e6d42f770d1c69dee1237d252e33a56056ae2fc8ea53c5288bddf865b1494606a127a860eb44b83d19a9d17054b0765d66e6440aa7904cd80fad31b7856e79b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
74b83a9063550d968d2ca73a9172eaef

SHA1
82e01c64c50c609f5c088a2eec73246a4dd1ab5d

SHA256
071bf7d1da253f1ef2e9007b251236dfbb54c2890c9496c08faf6f97e2019bd5

SHA512
bbd95ef2dbe85111b117f8ec9deb51aa1c8a8067559ce89b2caf591fe40a8ade8564d0c5440a678e5a1ed470dd31004df02008476da7b558f7028db2ee6b06c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e28d4c3561e5c5d29b653971a438115b

SHA1
80238f55c4952791cdd93e428691ba2f3bad9f42

SHA256
5b0380ec6f70f4d136f101cdbbbd4d7e9b06adb2eeb9b389a8e8899d90b857fa

SHA512
b7bf77ff76974d91edd41cec74c6dbe7c95ab72fc3586c21775bec217972abc45734902a3a54f116ae4ea60c82faa362deb2556d4a7dbe15592c73b6b601e412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9c4d10680ba1aa4de8395798119e4fca

SHA1
26bdc098e297e62160997057e12cdedeb4c2ccf7

SHA256
2e519b7c365fa2bea68c5aaf430cf7cfe27a5f904c6a9ded3b928edb6ad05f59

SHA512
d731ea199fb588f32c6fb5ffc65cb144cbbbb5dbd59e5bbb401810a6067ab92a232365b6f0dba1b31099a0516822448a8dbfa5d06bda11e21210324098ffdc14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2821143a78f15b8e6175b3e407ea56d1

SHA1
0d0b2c0677305907c34a91519e37038eb9a26015

SHA256
e5507534405e64cd6785934165b7e1e3e240c8de7dc329de76ab63b4d5f2536e

SHA512
d4e12796a03fa675251f21fa45bffc3af42b92ebea44f8cf2675ee5ada7f9eab96bc4c4c6e800695d30ac4f50a55a7976e72688175312579538fb46b777a4425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
af5b2032698f40eb909ba070a80f390d

SHA1
993dba5d7033cbc79b7b636252ea7b5c0a5a2669

SHA256
3a0a5b7dac1abfa356f46dc835da359538114698d6578da8f79cfc3040823628

SHA512
010988535f3205a3e70ddf045db51133253e755c60e1ec5585dbf803a81dea50843d83d157666068fb45aa86f4c8e1cd4b04385ddb6ac8fc3381f2720531eac1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f1aaf5e09e1ea422cafc710618b0d7e2

SHA1
48beddb54147fbed6b34bf21c2834e8c68a55226

SHA256
0884c0884838e5890b35c9af73902cc069a5b1f18a39c86fc3d15b0ae3e92f0f

SHA512
24dcf61366fd898c2d3903683cf212701a777f44a4894c9971817b43af25eb2df2a393cd2f81d8367ad27ec1975f350a2da705f1520272c892ef18e8082bfab2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
96fa810438e3d942c5e643a26444e479

SHA1
4ce69b6f50c93efdf23b4b5d674cb0cbf8f7e384

SHA256
0c6c74d85e8b8efacc4967b45fe8b85b0f97d78200ec063ba53c25987ccf79b2

SHA512
0ac2a8d752cacf62a693b25eb57f42674d146de4b734dce717441207fb87482f03a0419eccd2a4f44862cc3ccbf32da4f7e81c7228bcf470e7a700584785ec23

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1a306e3ede0b5041d232dc816a4104d3

SHA1
f3fc8990d6d7892220951cb7330a0c62fb08a70e

SHA256
03dc811a2b1d14c2d97ad176d58f5670162ad4457b0fe730129454f912d2fdcb

SHA512
158cc732bb908365eae9eee063f858442d563430858d6d55676546aa3c5e108f3fc44e7ffc28bfc01b9d59beb5565e967c720ca7732853c901e800b19c05a708

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
557630de2106987b2f00b68512285350

SHA1
cc06baa7af1b24f162d6cd5015528bb6f03d8377

SHA256
42c22e8e2c6b2e34176e9a51021279843fa2aa6bddc8f25cc204dd76076ee4d3

SHA512
0f672b3664f2a4074c9c35c4987ccb54e18d506f07abc5739eaa3ed231a135927045cf0cc7a7aa5bc6b601e027443b7bb09e4b13eaacc6ba3d3f5dc795387b14

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9067d98405bd6b97c71201ba5bda71b8

SHA1
24cc69b3700d3334e58132c903558be54fe0eafe

SHA256
a4c6272d16669261b1e09459dc4dab481b19cb24780fb443dfd0d445d0be6034

SHA512
16e8ace813dbd0c1273a01a165bbae0f973931a229b407bb5948f6df07ff83c890487be1c09713e243642c6fcdcba09614acf25f5ecb2e5d384667ef9a82e546

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d13308c05d5915d5b0ad821a93faac0a

SHA1
1de85614e05dd0002874c1084c83414a2562597d

SHA256
f5bd0c0b51f07963ffca8daf6b6a1217bd50e363dab4cc37c1886b36668f0f87

SHA512
ea730e9a8f541072fb49652397d64204866c9f5bf1499c877972899e12d58e4b96b1beefd6c8bc33bd11177102c4180c71c14416a82160f07fd1ca093f901ea7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6769231d84a7c96516ccbfcd26c42038

SHA1
89dc4729c8a893737b27feef52da6aa0100fe48d

SHA256
d583ba9ba77b85f0c6c04bdb47ea5213c04b71f8c20ca5cafd8b2cfcf1434c36

SHA512
c67d11996d69981c67df2d9d8b1b99b0d7daa8e254b595e0200e1ec5743fbd138b2604e41d22c685aa2f90d9fe960fff83fc28b35db5e0e03def1d379836d2d1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9e5b59bba252cd65941498ca49f0268c

SHA1
c0525392d59441157374c6855060b274ec501593

SHA256
fae4c96822757442ced117f92610724d74d301d11fba3c2fe7a53bfc5cdefc06

SHA512
8c11b3671822482dd03117e6d1022cc5b3aa2bd203b575c0ec6b18a869f4f012036068aeaa3477b0fe226c88be09c2c1dcde9fbcc1406358d63910ad934bdfda

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b3eccf59242e3819d259a578fcebb82d

SHA1
8d631826720d5372bfd2843131dc99472c230d61

SHA256
e68cf6dfd52beef2aea9d33929354c81951461d06feea461208e90e6d222ab20

SHA512
dbfbc9cc0605174e1704e83d460a89d49c18aba766556d6590b41d34d6c19a92d80e1a964ee8aad3abb6a0ee4a095ccfd3d6dec31eae375e2d3cd13bf5f3a6c8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c2a9d37ac447bb5f21db80cdc99903e1

SHA1
7e2438cb274d84e3485b57783469d07f94396c0e

SHA256
29630ffd20d63c8518bde9e0c65557977f3b6e678fdf5d636a9527b3279fb765

SHA512
fda2b034f3a5503df88d6833dec078c5b7d6b01166c94cc301efb337511f288ca5345d85642bcd672185385e5422800f3dea784f011627cab38feeaf28255d3f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
30f9cb04a6dbc8899af1179e491f7b57

SHA1
ad634c8025ed781e7de1b4d4f7a1db6f3559d8cb

SHA256
d2612a7d7b33a243ed61e586fb9c881dd147613ce0e6bd7a32b6966656c94669

SHA512
2a7f10de59063beb0ef051cd21607c460f81105b6849ae5b8c9ede7e06dbe4280ebbdaf980341bf3dff70eb08851f72ab62bcb42926088050abad241c58a258f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5917191baef13d6fdbff19de1a9ff164

SHA1
5b3f34134174c0725ab4c4be7d8dfd2b809116e6

SHA256
a3e0105fa5bf9c84fdaeb476ba8f2915e7b2d94fb3474cf4dc40ef5e60e4af24

SHA512
842d839ecd57bc598279b8cf4af05ec082c631799a8c888d25fffe72cfe407916cc553907e29450c40cc0e4fe6b2d880422367f3ccf008d2bcaddcba2e350666

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2485bf3ae31bc7ada00b3813126dfbd3

SHA1
c526e4f457904b988cd7538528b8d4142fb54c8f

SHA256
099884d47981e2fadfdbb9a614362541d3fefba6aec9b1aed649843c0846fe49

SHA512
d8028d078a4da69b66d95ad6ced4e8af43063d1a0f12185f2604cb54fd7c70a66fe53ff09ccd2da7215c6e0331e8e8f0166f896454b7d9367eb523af591a9e17

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
52472b9fa5d0c9180c0c22e09b5f3e2e

SHA1
51bf867e89cba2634b61e12bf0243546eefcac57

SHA256
d651ddfe88fb75e99365e516b38d688d9aad3c718852d31cc7970eb33cc90950

SHA512
a94e32be1a1f635c6a94ee71c0e51d665423a4289342d133005d568bd440b7c1ebee2390ab7ab4b9c608519d30d402da3a8767d93c4c537d4dfeb961887760ae

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a107f284835bd1f7ba5c6b1447f444e7

SHA1
f7a8f545a62d4b6fce050a23e5466fc83a140bbb

SHA256
dce6109c0d845088c053beee89705a71a46c63a23c67469bf1693a4b69c1e37e

SHA512
9f103e19184aa7c2d02014b6e6df49b516bb713f0fc92f72902eab921685a8519bbd738285589f61d9377b1237448f619faf301093b48c6290de6154cc939eaa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2690753be308afa4fca937a5b5c7d5f8

SHA1
990524425a9bca9d3cc754e69abea348a5f3e6bf

SHA256
e4e4a3894a8d8f392978b012d19124218f3c13ea43a7129003b4e2eb78af83ea

SHA512
bd15164da7bf9fcae8d0aa0ec211d90adf4da8c693ee749d118bb5d2aeb5827da3b6926ff0314b9aab53114f5c722079e89af38985fcfb6113a503a5cf95d165

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
082ced1c5388b18b0c974a9eadd75070

SHA1
1fc55d308b2ab512ccbee9464606d10e0b2236b0

SHA256
09e4bbaf81d565c62a3ed1a5037aba6987837459aca52ba071a6053e8db33020

SHA512
2f458e45a0f0dc726f984532ed530051afd4c88e1b2c6e505752b60fe61889baa053e2ca81a36f2dce32a753c9a12e8e6731a765c265e1356ce661629238c3e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e42f1826fefa5c105628c0ac2e6acc44

SHA1
78606a3865017fdd8b4d3b8857334fc3dd1c19d8

SHA256
932233fac3dbc6a078c6aedb1df4873afb5f74a8fe3da88874429269e0b3c159

SHA512
87727c4a2124a48c03fbda5bdf55bf83cc972f5c07a83104e2a31fa42280e49a6974e1c09494f2f03165e1aa51425e604c45b1894d50332180545802eb38fc8d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
695b38d3a19962c4b589290afa8c6134

SHA1
f8085652100fdeac9d68ae7b4808e9972199ac61

SHA256
b8280fd48b6b2139c17a6301552e50f1eca455afd494fd2103ab7d2045f29543

SHA512
bdd2f129b8f14d3460c67c23da4b1a1eae7eb170a2da0d0fdec80a09c3288f802cb6e9929c5d7c4884ec6e15afdeafd4cd30b135adb0d8f3e66e020906df11d8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9ee0d147442f96e1c94d07a12efbfb2d

SHA1
28289d871e4660f58dcf79d713f8a62fddc63d97

SHA256
dfac9599024bc7781995f993d958e9d9a1cf06afdcf221465bddf7a15d58cc51

SHA512
c2325373aefacafddce8d7746b6c5715eebcda3fb7460921d60e1b1bf6091e67839d20443e4f76966c83df5cff1fe46ccd274b056dc519b9f3e1dfc5b6a5fa08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6f0854e49f973f304337179f4f882d41

SHA1
4ed2189d9b0bb338f114d3928d9eefc5fa7e4855

SHA256
aa54169337d2fa36a0197e713ac9d418bce542e646aae07adb0020685f82af36

SHA512
5aef7e150677dc27e4430b64c6bfd254ab218d8b9bedf2aace6cf5ba88948d1828465ae1f54305b4155592e5f7770ddcd2e3bd25daade76ae3459edb05e0f8e2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
46da24df6ade3f17a77a623dadd512c9

SHA1
28053b0302c18836a1761d263040d7d2daf63887

SHA256
d145e619263172f0ea5f7ecd34e6638314d87a90d9e30639bdf0858c1a6f4b73

SHA512
474bf23087d4be2a80eec74599d38ba0c233fd687e3b1c0f06098a3476dc4fd11c84dd23638210643f3cf2e92480bac552f530b0c54bd2f17a89500180181427

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bce13a5a39b86d7154d74b7f40526785

SHA1
af13aa47d3a59a22119e1171d361943291911b0c

SHA256
ab9ee1b0cef0e2b1a3a813ac8300141fc80f0d9b204eb8744c6052876390e5c4

SHA512
ca8e96628dcb9bb3c8e6816607c96e18bdb1c5bbfa403afa320d96c6152af8c7ec3b1dfd15c97b5c2922736711351959f0495345f31838e85bd6b51e89b0ee6b

Download Submit
memory/1176-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1176-37-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1176-31-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1176-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1212-64-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1212-61-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1212-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1212-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1212-55-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1408-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1408-100-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1408-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1408-105-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1492-1-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1492-6-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/1492-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1492-87-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1492-461-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1500-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1700-436-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1700-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1968-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1968-113-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1968-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1968-15-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1968-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2160-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2160-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2288-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2288-439-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2312-368-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2312-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2916-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2916-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3000-440-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3000-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3136-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3136-43-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3136-134-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3644-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3644-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3904-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3904-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3916-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3916-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3980-76-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3980-83-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3980-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4232-95-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4232-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4232-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4232-89-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4292-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4292-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4556-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4556-443-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4616-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-402-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5020-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5020-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5036-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5036-419-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download