a45fc7ebee2b58c1f62f981755ba7a77047c6039fac1b8583923460dfe9a536a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Size

712KB
MD5

d40e1914e75d6ce9103a03d6b266b7d0
SHA1

321ec898a1ee43528784ed679c743bd8d6bc44e7
SHA256

a45fc7ebee2b58c1f62f981755ba7a77047c6039fac1b8583923460dfe9a536a
SHA512

b8c92e8e48fa654add5776ce59ac9d808bb9cb4126f6f62b6e6fc900ef1e5be071bb275858666dcb299ff048b26060efdd3ea9de582c4945226096b5202b1b41
SSDEEP

12288:BtOw6Bax6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:z6Ba6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2548	alg.exe
4648	DiagnosticsHub.StandardCollector.Service.exe
3504	fxssvc.exe
620	elevation_service.exe
2816	elevation_service.exe
3632	maintenanceservice.exe
3160	msdtc.exe
2316	OSE.EXE
3668	PerceptionSimulationService.exe
212	perfhost.exe
3908	locator.exe
1548	SensorDataService.exe
800	snmptrap.exe
1384	spectrum.exe
4668	ssh-agent.exe
4644	TieringEngineService.exe
4320	AgentService.exe
1804	vds.exe
2340	vssvc.exe
3192	wbengine.exe
3888	WmiApSrv.exe
4000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\58d3befa1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3569cd22ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d3fe6d22ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000571cdcd02ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001317fed22ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a08c6dd12ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000400baad02ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008de267d22ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000115d20d22ea8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d79459d22ea8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bef212d12ea8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3504	fxssvc.exe
Token: SeRestorePrivilege	4644	TieringEngineService.exe
Token: SeManageVolumePrivilege	4644	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4320	AgentService.exe
Token: SeBackupPrivilege	2340	vssvc.exe
Token: SeRestorePrivilege	2340	vssvc.exe
Token: SeAuditPrivilege	2340	vssvc.exe
Token: SeBackupPrivilege	3192	wbengine.exe
Token: SeRestorePrivilege	3192	wbengine.exe
Token: SeSecurityPrivilege	3192	wbengine.exe
Token: 33	4000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeDebugPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4736	d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2600	4000	SearchIndexer.exe	116
PID 4000 wrote to memory of 2600	4000	SearchIndexer.exe	116
PID 4000 wrote to memory of 388	4000	SearchIndexer.exe	117
PID 4000 wrote to memory of 388	4000	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d40e1914e75d6ce9103a03d6b266b7d0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:60

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1680

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2600
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
161ae603c62a9b9ed89ecdf90e624df0

SHA1
8a3ac6a753390c72ca0325f8dc36b9333a0475bc

SHA256
c25109a1ffa5572c8694b7ae30c2f7b38cb5846c664584a2d5c24835ba3ff346

SHA512
1e43c10576b89353ccb9910a9f6d92a2753b4c57631398c6b99cb3c0372979580abf63399b19879f439f428dc82c9a964f848db80057000aa94338d33c822165

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
aa16d3407357567f3b6f1ebb81c420ea

SHA1
fc27aa79fd2b904ef9681a734fc3551d22056347

SHA256
1661eeba0198ff4399ca3979e218c01ade6f02ae4908820c43433d8ebc535cf9

SHA512
26e8dcc68443b3e8d5840d3d9ca73cab92f9ebea252ad68c04da3cd8dd2e8b6de7a63d0849fa3ee76b0483285039aecfff28c7dd28b855ca2633c75f523acba7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bee8a48c2687c09c41de1d700434399e

SHA1
359bd94bbf4d1b24543355db720f3e3eb1d8877f

SHA256
709aa7a2f94382458def061b2d731e3ab616d752b5bcdbd645495d4e80ebb20e

SHA512
60697487a118135b97373e0380e20c677c32a6b601234591570660e575c341b6bedc5d53e2af452e8dc5fa81cb43906f0eb8d7f4be0927e853ed9332b0c4916c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ccf76a009d7ff330e1fc0149525d080

SHA1
5e8f9b6c29d1399e91ebb09de8382cc0a34b9d22

SHA256
d8c6d09af20df34b1bc1c39566f9041d523938ccbb14414f3154b7ebd38e3062

SHA512
76706df22742342d28e2447cb9d9b7b9e7f6ac5ee41b4dfecfc5bb6a0637f488e837450f0817dccb6fa5ae7d94dc0bc8945c362ddf869548201e30a438c1819f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ab43ceec9cc4450388a4c7c677f98be

SHA1
9a46eb0ae3d07812dd3409177f0930d6741bae60

SHA256
9e8cba239f6e4b1ac3689733d0c98dbf102f33ac965e3c8eccf2b302dc68db60

SHA512
3e593219a5546a764f627e82d3257840a72affc2a8a18a2f65cc9ef34da6832df88333b014c79a14a39cc2ac1663f8a9d5000dae78ce83657433548a16edf3ce

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b28443e36c97c1ac262cb13f2fed0ad9

SHA1
549a67ed1a36b5c72f4faaa007bdaa2741722634

SHA256
3e8c7cdcf2902ffd12448eb9e0a50bfb298d52e0d6ba3fdcdb130d8929bafef7

SHA512
00555c3a0a9ba3dc38301bbd6c2560306f30d861a02b744f74648b21e33e057a31c739cb571991d5f31e6ad8ea067ada17d40907de6c12a5404327d0ee69b1c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6416bdab244678209a9fcdb7da0190ee

SHA1
42e8cff304613af1627e39a90b98f4b4352cc524

SHA256
58dfc6570b47a7b9c2ce848c2e26a0572031a02d1e1ec394af8c22f40be6d602

SHA512
da08245cac3bb542408d63180fd29c52dd056e202b197393ebcd27fe1e914e49a74d01d3d54b809d2e9701faba813f951b741c237ca4d17918e28e17e8d5eb4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0674bf7480e64c23445d7a0f7af09c2a

SHA1
8b070dca9a316182344bdf45eb4cbc9e66c431e9

SHA256
bbbddafbea2c42d19ecd54665af38e3e41060b06b6886aad4b4191cda176b343

SHA512
264360b6b84c26ca94f1493163996b46915d1e9522c64e0302b77b0686a306cd19f9a78f9b4ea2b98e4a7f1ebbdfdf35b4aef695a3ccd3f794bd8aeddd8550f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6ec68d8f5808fae9a2d839882f1035ce

SHA1
1d8d9c24fc69f8771f1bfe1f667a55c7bf175973

SHA256
92d50a68434d30df94c15a240cfd7198234b6c5e6d3a9a2ea89840dbad612163

SHA512
af8f0d9b3a42a31cb1d6b92f5e43e50762fe1ea7310d4791c6b96d57db8cf49ac95379bcf7a139ce3e862f2e738ed34432b2b6a1d86f5584e9ba276b07f6757e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3c5945807d7ec8afef329e4aae273b9a

SHA1
60a49007235c9c8a5cc1db404e1d1bce060a8068

SHA256
a3f255c187068ca817685c416cbf3d5fce9c1d72471fc64886703802fa7ee014

SHA512
8d20818fc2721ffaf0933d9a7e7e0c494bfb21afb4b885ec6939019af76185c2c6655226c2edd67f69ef1611c5fe65b38ad71faaacbb5410e852453e5fd50c8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
581e5649b74d49c59306c782469319b4

SHA1
4e0674cd6e20b05ec83d779bb46d071f750b309b

SHA256
4266f980c5f7633c1ebd0f0768df5b0e3e83d9c056f44ae3e853d7ec7c04cf95

SHA512
34d8a387c5093aefbc31b4061ea0a6ee7e7d6dcd6c559f4398ac63291b8ca1f4182238db181cab02dba3943366d55eb171e3cba3d4a5394d772c805ab8ca98aa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6f211a477e1c23cb51af3e723ea65d9e

SHA1
08f387a5102958d7168d1c192f5cbf4629e04948

SHA256
597437ac2a41ad8d835822012d1a6c6a5eb78e06f9a2318baa892eeb34276394

SHA512
f9fa46db25f1542d445d6955f7b72764fbb041f87613744abf44bc4bad64e0f77dbd6b6c8e60a69a6f2cdf3fde2f3c99e2a9d64145279c07d02978ae0bc93522

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1b51c81e3b334faa1d2b5f77e5c17275

SHA1
052cabb2126c0ec6ab9bdcc36a4b8dd674670392

SHA256
6f2ca767be684a7c5a53bbe4061dd41e6fd4cf63e63a45c1554ff3befde64a6d

SHA512
e0ef5024632e33132748a08d4d15719a069f99dd2768094f5a5ab1b2046433036bf195e83c4f5e8aec20291ea318cb7652376ddda2518326caf19bb15bfd68b5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8aa71587bc226b76e7b256e9502e3b2a

SHA1
a40f1423da9d1f02e286dc3ba42c529457fce613

SHA256
9993219c86da111e280c18a7636007fbda785153796750275e90bf465b3e2e74

SHA512
5780e8e565bdb1e750467234b1edcecf78bdc42b7ef825218cc941e3d8ed196637afd1c80156c70e61868c32534749c88f94bc3373819955248be8ea21ca954c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cc2b98ff1b7fe09b7390102cc4a92a46

SHA1
cee0d07af82a0c0f350f3cf9d15be9285f7b66de

SHA256
726a124cbad8b196943848ee333080d392c2e2f8faaf1ecc3c0947a34fbe3901

SHA512
03b77070bdd456c2459fc5f5b471850d1066cc073de87f9c692090db32f67d9f3cd2b8214b2b677c1cf543140d82a971ed0d4aede07478c0fc6f0ac1edeb6683

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f9644b7d4150f41d6e770795cf351e33

SHA1
107f93f1a896e393e87a3e5f51165a2e2d0e53e5

SHA256
1107e6d812f9207493e7596b7da7f617e9c5b80622b358d7ba4e71651c945bb8

SHA512
265f6e31a50642e8256d350759c7c1fc85ddb10c4e362a2d3046dabb5604c7a8fed0148c431a7ae581eaf12cee4be8725384cd2723840ca696a4668e29be8463

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0d28d14a788e861f7deba06975f0bd5f

SHA1
784aeb2009f55d9d155c0c2d058253bd242a933d

SHA256
3019aa0d57a23e43e97b6a02022e5cbf6bd5bdb3bc3bee3e37f4820a65552321

SHA512
483dbaef5f9c4994357ab20c25f46a3ec2918aa955f245fdc0afd80cf26b5a8815b9ce537b8d8b7fcfdacee229bf26e4c615ae845cd1648e38809ad2fe316b9a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
765556f0826d2b3c93719b0268c95caf

SHA1
d1ca8461c7dc6e4876ba64737ae9adc493084660

SHA256
d9fc28f9f53a667c7b50f01e8a5f99279812c8021adfcf00a3def16957c34442

SHA512
cf7c831eb5c38d1d423909d35f89a71bf6e4cde6bd733b9a983bf623173e15e16bfcc887babb96226b2d67fb738238763dfe6124aa5bb821cf967a23f9e09165

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f261a395f0974e2476728e06264da79b

SHA1
55d06c6e1e000255bb1381314f13ff62807e97e3

SHA256
128e0ed6b9adb6ca5ce79c2276d970f8f5e7e7a1676541934a4f185fc65d1ebb

SHA512
b2b1588ffe4808dc48d7b2916789d5dfe4ff2a1d32a2e34fa6e41b6baab186362a684ebd3553dbd3c3a66f8c6fa2565fbff799d82eb0471e6a33fd9bb4f6b79d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5bd4cb7301b00fe0c81bbc0b79749970

SHA1
492b74abf25836a82d898aedc934501d6f5bb278

SHA256
0be1f71d405ee6c4a1595c9e046bd1e51e186b55be9f1b1c28416654f53dcc2b

SHA512
eebd22ae8e68229608e222a8bc790bc4121deb9294c65deb82ed2c9838fd38dbc02b5729d8a23091fd6cecb15353b7226a8b02bdb6abe8103364ebb0ec472eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
caaa60f591fd5446ac3b16a9a640e5f6

SHA1
99ddf4d5242d6c73587672e611ccfaf32a2071dc

SHA256
b6def865caf6ef43fb363d0861e2c61d0fdf0d0245cec685441e5a3a0163f541

SHA512
39ee8add8bdcbd11e74cdd1fed8c3c77d1959404296bef4c2578b483a6896ec88174a5c0a5f3e583e8cb4eeeeee640b25ca459b9036620620b20d073fd6a8545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
15491f4a4bac462b109d7efe7e8b1d66

SHA1
5a4fcb2fee963767392121301e7adc36fa441096

SHA256
4cd6b5de88b0490d445e0f9a6d1a7fe08f48cf9332d25841499aa807885c381a

SHA512
dabe440d6e7dac91500764fc37fe681c685db063a2005c8a05de6636a74f3154db1838e32c02dc0ad44df08ba253016607ad86df6d2624ba157f5015af7f32d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a1a8a30a6bfa9ff6a44ca5b9c4b607fa

SHA1
15edde481e09fec827a690c8a86ceee81d56f480

SHA256
c9617036f216a7118a972fd9c8ad8d286baf0d334f501e76607889a1eb5272d9

SHA512
9c19765145fcc78d406b9c292e63efc948b3891e43253d40c5903d1d8a4c0b7c0ff7c0bbffd6d8058215c068456e63ec1b602f791dc8a2ae671318f8ce44c783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4df31ab700ec4bc330d720144f8ff38b

SHA1
18b4367ab44d35d9318496b52cfd06455e29e73e

SHA256
8afc8e1365a8761ec972e6bb349f81dda5ee5b6791f16961f7cf69613201940b

SHA512
4cd2ec4cfd3da9013c70421b0668405a50c5dd46d1d4103765e0d5f53d14ccbf1b271cf21e221f6ebac95fb0ec51362a15532d7c52c525ca22668b888b59025b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8de8ebce49b7231e8ea1045d41b42203

SHA1
ed6799eac34d94c8f14fb87294cba6846813b0a7

SHA256
d921c66b515f5d1886a1aab76def0bf7e020a8f9d6e35db09c1ce0ae84b1bf5c

SHA512
481421eb3c344d980ae11748eb8a1d2dc70f292af67ec77965152cd22b716c31582bd0b1cce781a352a3f83eaeba38f0697d177ffda41639087d2b507c41082f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
54fe28540a310ab8e6b4b4e00d992736

SHA1
f332ddfbc2b82e5d81b786789544c76474bd4a44

SHA256
aae1cd023ae0653b2db7f941dcec42f6318707fc7ffdc0021ce9c3e0cea69ea3

SHA512
d7df5b9279651e763a7c42ea2c86938bab3aa22f58544d6e7f2841662f6e34a2044c48c780c628a9433d43a20c3d3e9755be8a2786684d1be584457cda8a1da4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d45525c4294b810fde8f2f7815b37d79

SHA1
69323892954973a8f082fc3bf1c30e4cb937777e

SHA256
2ad9df5e7f1439a9f0ec7ebd6609b9ac007776f20ae38a86c7c57d1d76097533

SHA512
037325190efffa22b396c246fbae7ec8f97cb54552df97202e98609453db12e4bc08ca010f092c652546561983aac0a666b5df5962dc62756464888e19a0fd03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6da43c0ca664edc86377e2855993d8a7

SHA1
9e02a15c289b92e181b278ec803b47b2982ad35e

SHA256
67410b5473b425003b188807ce69f4dad194d66ef8dbacdda27a7f9d04276bfd

SHA512
683fbed73481643fac7ae76ec76e0e05f09a447fe6eaad8a9cce530e9f9fa1ade25f7a4918d6f5a3eaf4327112c70ac26c280aec571df1fe970907f2451f804b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e14560dcc1f48217f4f7051b87e34c51

SHA1
b894a69b8b3fc98eb3dfd4f6cc542cbb99b169f5

SHA256
80ad133b7730dc01c32d65a6ce6b1123e988c44e4e2e1a1af567b342730f268e

SHA512
aa935017bb3ea531c0b2eb92fab601c6ea32528bdfa25c940fa3e3194d8d3e8bccf94aee876a35f16519ca3f529a97d385b1817a739a74abd31ad665c435a138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e8d6a3cc4d1bde355ffcad41a7f08252

SHA1
73e9bbbbd15e02e4d7274da718e4d966d4456988

SHA256
a75c94e33628c531f14efb1767a282ed88b31faeeea6f2f3e2fd2526af4f133b

SHA512
4539a42b41dd6283b0337beba4e76153ac797ada1886aa04fc58e7302c1535b41f01d18135e10acf172be7ad758cce9dd7c8a1ea8286786510572301b5466a50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4cbc63d1c3edf79a4b8bafab33113ec9

SHA1
5bfdb46260204387765e8e1af57146ee6f8d4e78

SHA256
38f8f0ef730b609f149f049a6fb13bf34c687bae14fb64117e8380bcc229248c

SHA512
8f1c2b22d84eae06fe478a199e62937703e7ec2cacd2b522350b703a7fb0e8cde0a4050ec3ec1c2ff57b99a480bf7a5e445079cebb94475f6a7f6fa3ce498f06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3f8563a3942f03c62ee1581e0b788591

SHA1
e456d295416aec6c22daa8fd1f4528770b33a2a0

SHA256
7a4d4c63c940e2cabba9c3dbd26e562ef1041a567e1ad4d1b4c27f973f37a318

SHA512
3df78cfa0ea4835b0485e910974d3ea73ca67356eedb20af3cd7128cff0c8339903e99be70e250893066b461e91cca8e105678895060ea08ea4ef187a706dc8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
81822f029ebb31dd35c3f6d9680bde18

SHA1
2b98c065cb63687c87144f0c9f1c57dfe25e38eb

SHA256
c7c96455f303947966f690dfbf29430da323c035a9a1b34588fcc44f8782971f

SHA512
69850cbf46fbb212b1b1aa00938648c920d4c46447235da8122319a7615d15b74e1f1d709a5db345fa9e30682b15a5c592a725beca5d4d952b5707a340bb9f78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d8901984db398d2342854843ce27a560

SHA1
246cff2322b5b0341987bfea04a9be10b9efd495

SHA256
0a83753cd683d3d2d93318c23f36709fb1f3256aae5774eb35c8b67f01f2506f

SHA512
2eac668558edc780d3071e948e22dc09b62082d5cea12660f3259ce8c1e18b99864b3a146b102f9c7678660a9c943f0dd756b4c0d8bff8e5c5a57c7b9c4ec164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6db9193dcf9e6285e441d677c7388249

SHA1
757ece235f43e62e17df0019aae14e4ba0db2d81

SHA256
0aabafe719ae427207c384bcae63415a66a16919a276d7a9154d4361d700e65f

SHA512
a96675f3762108175ea76a3933d4abd890400baa4f3c10118d771bcb75b789c45110ae6793550c6ea751d79b1e2bc8e8fd77c372f77e571be23eb4307bfa52d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2610cd6c8089de70aa7bee05ff8f1a36

SHA1
e4f4f38195eb2fd6b630244a02faeb663debfe14

SHA256
74950ca1759438933a0a4aff5e5035eca8a929546cdafb2e0529ddb989d7fbfe

SHA512
c82b465c8aa0fb22fb2aaf520c40b45099cb67495767c825c9596b3a997346bdb1bee6bc3df03a9c9a6a9e5f6d9ccea316b6731bc7356ed4f41bc3ff99965a89

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
65f63d514c81cd9590e0b93707b679cf

SHA1
70b4116123203187833a3837f17b8deb6e29a6b4

SHA256
aee70371045d166fd15a5e92af76e60edbd521b095f872ed233e34678ee08488

SHA512
bede0b9fa3d01975cb804d4be60e74c3fce86c9ce2e8b7fe558bc2638ebb3f3277fcdefca5ea1ac84af0de1b0f8f063f3c4806e676ed578e6e98ce0345bbb068

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d6d505670d5e3c437bb72f63e0bfbb88

SHA1
e7fb1fd5318a099769b2f99573c5ed404977a847

SHA256
266881185a6b681f7faed022593501d696269b0b1d09e807fada9fce108d6265

SHA512
f98a117d1133645376f89c56b36356b2361bf0f0d17509780ac11319ebaad2a23e393a312d99e7d904af4fccda3db763d432d218bbc7fe636ee44d0068b9e99e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7e6970625011a2966a606328a2fe1db7

SHA1
1f53bdf4edba2fba23ff2d7e48886819eafacd1e

SHA256
0e77b0c308fed602a909595e78b3e1cad6bee6c920481464fad8d28960e3659d

SHA512
38eaf4ca9ede624f62ce3f1561a5cb5da43316c8ca39b7509c395f0a188fd9f8cd31b4927f01123b1b503d79aaa3ad49f2ab229173181cc7ccfac89737857329

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4f542c59dd4e127c56f71685a8915607

SHA1
91291c8e07553e644bf45a8cecb218859e078f93

SHA256
13290c53ec9eaac5e7ef03febfebb105a42ace386f1c7210e730875f59151661

SHA512
ab0a1dad390d0499b6c6fcf49e574c7b16ebb56449ef91f3e7402fa47ced7cc17a6a837f9d524f9555d3e139e6e6ab3c5ad0f6b1652aee632a15522d2e4a43da

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6eafbcab845c71733049ea545e17316d

SHA1
d8180872c9d8fa76a05fde374f78de7eeb81e651

SHA256
db4cd9924e7da2ecd6a6a2e166b2ef5eaaa209722f47d39a0fbeffd3cee9fdf1

SHA512
e3b55935a7f9d6ae9d2e113b3516407140944f9f3fed408e3afb5376c9dcd482ea434b6d323a813ddf82c6cc5fd074d2998879ab3139eb584276414d74c7e913

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d5a7bc613c03ebfe9366a9ad7e7fc998

SHA1
1de652cabc76bae7efeb2eb89bf6c7944aa705c8

SHA256
439648dd57f6c5366e0a53f2626b26244a5c1d6fb979222061d56fbc3672f4bd

SHA512
c4576809ef576930df2f9b92fb05d0e3f549eca1d06fe8ecebc2199f61f5533d1e57aaed591a9bd511cd50708912082da9404163899512d4be9e5743b1b96efa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b43896b223628e6ed5aef19f967a9fbb

SHA1
e31548ef815c5060f5b82c6f56a5d898c2f009b4

SHA256
d5ed628654fd3d8c8731891372296239b0c14ea4c6f4fe17e5445788deeae0f2

SHA512
50450921a5dafbcd1795a8c359af6a10a2fd28eac2e13fc85352f99ad516b73ea25a6388494ebe6ea056b95efb9ece5db3045d58b808ed36fc69eceae2037d7d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7e6e6bb52e4a0268a5b0d339b52a5ba0

SHA1
5a0d3f108266b69523b7f19565498e00588eb62b

SHA256
9b5910215f5677c1ada2564cd0a7938fb04ad11bb1f28d143677620b3eb78247

SHA512
4688c02131b8bd63335d7f3d615e57aeefe91d13859a9a09f92cfcc51c08e55b47f5e6dca408865677b676ea572dbbda4bec963a55397649dd590ee8e97ae534

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4d18a824fb9054076f2a681e7f231ddc

SHA1
092a92d054e81a2ce84f57064caceb73da4c8def

SHA256
f9ed4899d1c372ffe65bf2b63ef49f0fd97e3ca8aeb1e2865f7d1b388cb4f53f

SHA512
edb56a4ee2a162aa7f6b68a387b8a242fd379505c221dcc1f906332c74f4835ec762b1944fc16761f2c971c0d7d4d2ca7176d8cc6a05b825f5694146722f9e16

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fcf1ad22d479cad1ed9766c6eeb0c0ef

SHA1
51623a46db39b672db8cb435ad91ade5941c75d3

SHA256
b652094094c6cef502f081cf6504d20d81d04bf0c9484a500a1c90fd88cbc957

SHA512
45a9ba64b8d1c0f8b4f2aa243c37de2e8bd359dcef1e046dfeb7c1ba8d3dac5128fd50c5c9a8f5f5b38f69e159ae758afaa68f7f3fc0628bdf8d9dbdf04cefcc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2a70e80bdf713f09a0f53fa3efc7110b

SHA1
07c25bf8cb8ae694b1539dcd15c1d9d80c97d134

SHA256
457f0a94fb786c06835aec4c3a3107a1f0820ee018bad0ee52f23dca4cb8094a

SHA512
d88c0a636b1669644906067e73647eab49cf22c09d676b1de10479e2cf22d3e86b7bfa787cb48c92ff1994b741759cea01661f9a6e5457dea7a3dc2afdd01199

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eb83b577edb7ce780e399ab0f8b34136

SHA1
98eda206ab78b3875e110f4b567fb292f776bdd5

SHA256
9d6c5a92fe9096dd361ca0442d6ad6acb6e4d05a5db6a4c4ab95f88e44db8560

SHA512
b8329b70ab198128f248b326a8246db631705140d180f09f51d6b7861ff2fa9aafc4cc02f5967b3ae7cc72c20f7e0a4d4ce39afd3b342fe1b5085a9decaa65e7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
195c120348c5be109c5bd04ce92630e4

SHA1
5b6ed0b75362193af030b5a0c29b95df742f7cff

SHA256
9362d4f8b4adadf8c02a0c685633c8cbd27c59dad4fea70682b938a22827a852

SHA512
0c0c1c7e40b9efcc065dc1be1ee95259b30f0402f73de415b811a6c73b82df9254bc3919627ebc5e2ec910faad5a7e207e707c572ba7ef27f68b5725f3222f38

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9846e6dbc3575c2673d570ae0c87834e

SHA1
6b0adbe91bb98856c521cce9fe5c39b8b71c7f91

SHA256
7a3fea9a12a4df1a58abe4f99ec9968cfe2833f6d521d805c7c29b5d7d01264b

SHA512
7522e3b9b3f3ce99054cbb75e04621d70a85e60aae1382e6f96bef27582479c722931b6a242ef220762a6c7940d8c5a0c2aa0ed97a3a97470b6c90a9f0e753e6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bf4e2223314b4076365600380d707187

SHA1
b8b86eaa93623da4f81b8a01ffbcbbc00dbad732

SHA256
3d16819f2f9149240948583b391295b539acfe6d810d6f603476bd85d218c14d

SHA512
ea40eed995cb98146b6fbb3f2901466200b7c6745e752e43d68a8adfe38ebc71edb28e17a1e8be6865bd6a53a685f12c796bdf3e5d090f1707b90ac38c0b41be

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
49fb3ace4dd8236cf6acaeeb716d1d11

SHA1
04fca15941797e909a47eb77ef5851e170fef9ac

SHA256
4e4e93e312a532afaa07de9c85fc1e4f0356b141c49f5be4b4cf4518afe62823

SHA512
2bf523470b46c51a5e215c940172e4eae762c3664f80a87ce072c35ec1947ee62ded8a8cef2e2c4dbaa843d98a01bbf95717f4e9e3e9af9f2e2b25ec139415a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f63e7b8655d8743dab9ef32b5587dc0b

SHA1
4bab4ea14c76d0d9c52e1c8d3f94c63ca965e365

SHA256
a5ec2aa04eb656040838f80ed8cafc17fea3c71be1292d89ac3a16a3c3aa7dc3

SHA512
870ddf84d854fcdaba5e710742fe6f32a2a656bcd220240e022e7397f63946e5c13af2c5050bb63b454890efbca8bab35fbe1fa53dd23e86dea28ee3c5e536f4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1435a40e1676bb80a8c3de981a3c90d8

SHA1
56f82155c2409ddffda3df76b998385caabf0057

SHA256
b907abdd5a6a7e9be744c1c0089f07ca74178ca54b2b8394d984fb76fac8a479

SHA512
3765946f5869bc122e3aa202be89568d143ad39c091223731da74d5205ea492504026972dd54535f8ee12d49d23112d757b96c868499c30a260ebfab59360237

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d9fe04dc2729708f66a1ce99fe3963fb

SHA1
7693c31f7efa69bb0f3277fa0283bce9de54ff39

SHA256
a300c09e01cb0f600d0b6482f4e4603dbed72a477b01ed15768a281227176fb4

SHA512
96667a8f6da9f747937c706c79cf7ea557cca2dc405b9b68f44851fe4ced2a6b41868a5f67de35ba25321a1e9ae9e49b7090d7cc3e10f47bd1521379c9226133

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c5e4c88aaee9666a0af815077e2a8c09

SHA1
39d8ccf5097695e58cd015a8b505ffbd19dffdd1

SHA256
d49d80597d73d5d6bc6a21cf21b3ea42e53ac6517e16bca5c6a80d08e9845a05

SHA512
2b832e525c39d81122bfe10ff0e1381a1e89fc7f2bebd624491316fdc639313e87d0d5c0ca697727d614fb704f6672e16d83e2a10fde643d6d28f73f5c19477e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a95beb1d20f6ab1080885ba1e34cb46a

SHA1
69b9e9e66317e8931236b1cb917bf5d9c69522aa

SHA256
6a459b216b238d9c2dd47e98306b53d9ef4cc2df16744342187702881267394f

SHA512
26ee24ba5ef0896b8b173c9bc0c09c4949bb0360772e5ec98a4c83eaceca485b446c28a7871a8bb8c1b9b21028cee4331bedd7dd6311ae9fdaaf07c997c58fee

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b2f80bb7f40b10508a2545156f00cdf1

SHA1
6135cf11713d730583f1991af833b55bc43aa68d

SHA256
37bb6b808d4231fdbaa51253fbf906b2b16e94794548592c46d207f6e1fcfbb2

SHA512
730bd6ba5e2a07e70e40dc2df5bcdb2397ce5ad7a29b2fe03e17febc139a8974308c79c70447271793bd7255d14dae1f337b2416fd6e337ee73eaaa7eeaf53fb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8007273652d9af06ebda248baa7de9aa

SHA1
5a944f08db32c2436516e8f4aaf8d156c57c68be

SHA256
a5842d0d8f7cd50c1513a84385075d26fa0dda3aa891ed0e743f7121030f4bc5

SHA512
7fa6f8e11b190ea1e199da61a95145d28e9250268372f976c2027121ff26ec2cb47de85e8351b85d361c1191e613b2861811084a12f0775ed6190a0070bc8925

Download Submit
memory/212-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/212-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/620-50-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/620-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/620-56-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/620-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/800-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/800-430-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1384-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1384-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1548-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1548-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1804-512-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2316-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2316-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2340-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2340-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2548-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2548-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2548-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2548-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2548-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2816-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2816-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2816-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2816-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3160-89-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3160-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3192-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3192-516-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3504-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3504-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3504-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3504-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3504-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3632-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3632-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3632-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3632-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3632-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3668-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3668-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3888-518-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3888-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3908-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3908-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4000-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4320-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4644-510-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4644-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4648-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4648-30-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4648-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4648-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4668-490-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4668-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4736-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4736-73-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4736-1-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4736-7-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4736-6-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download