2f58d91d01c4a6b85900cbdc72f834b16f5d1102a332a7bc8baf57f1d8b87db0

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Size

859KB
MD5

144741e8a8b41d34812273d3798fd630
SHA1

c1f8eb5c338c07011760ee7a11e92e59ba10ee1c
SHA256

2f58d91d01c4a6b85900cbdc72f834b16f5d1102a332a7bc8baf57f1d8b87db0
SHA512

8c9f5b0265a151631f142528c82a5e4bcc77a4f61ef816a09a06fc33de1fb5550d74754b751b1fbe27dbbf8e49949269ea124984518a1467ff3addd2e12c59a7
SSDEEP

24576:dCWh22PeGsiUTWuKk0fob0gEEVFQmic8WU:v22PesUyuFlIAFQmd8WU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2548	alg.exe
4168	DiagnosticsHub.StandardCollector.Service.exe
2804	fxssvc.exe
4360	elevation_service.exe
2284	elevation_service.exe
3612	maintenanceservice.exe
3160	msdtc.exe
908	OSE.EXE
4596	PerceptionSimulationService.exe
2368	perfhost.exe
940	locator.exe
3640	SensorDataService.exe
1324	snmptrap.exe
3696	spectrum.exe
3164	ssh-agent.exe
4076	TieringEngineService.exe
5012	AgentService.exe
1420	vds.exe
984	vssvc.exe
1840	wbengine.exe
3752	WmiApSrv.exe
2872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9c14b845b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Accessibility\Blind Access\On = "1"	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000728a5b49eeabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1959e46eeabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039c6fc42eeabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000490bb446eeabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000735c6848eeabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006590df48eeabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

pid	process
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeAuditPrivilege	2804	fxssvc.exe
Token: SeRestorePrivilege	4076	TieringEngineService.exe
Token: SeManageVolumePrivilege	4076	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5012	AgentService.exe
Token: SeBackupPrivilege	984	vssvc.exe
Token: SeRestorePrivilege	984	vssvc.exe
Token: SeAuditPrivilege	984	vssvc.exe
Token: SeBackupPrivilege	1840	wbengine.exe
Token: SeRestorePrivilege	1840	wbengine.exe
Token: SeSecurityPrivilege	1840	wbengine.exe
Token: 33	2872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeDebugPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeDebugPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeDebugPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeDebugPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeDebugPrivilege	1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe
Token: SeDebugPrivilege	2548	alg.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

pid	process
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
1348	144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2872 wrote to memory of 4092	2872	SearchIndexer.exe	SearchProtocolHost.exe
PID 2872 wrote to memory of 4092	2872	SearchIndexer.exe	SearchProtocolHost.exe
PID 2872 wrote to memory of 3744	2872	SearchIndexer.exe	SearchFilterHost.exe
PID 2872 wrote to memory of 3744	2872	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\144741e8a8b41d34812273d3798fd630_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4696

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4092

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
b658d88e19f0b82ae32e16c06766ae0a

SHA1
983f93d92b8da9c44f7bb8d6f6d57879a9f3a1c7

SHA256
22ba559db050a57c560afb4769382c7c073687d2bbf4a823f853d76ea21ce049

SHA512
dc8c47321e8555978a25c93c801b6c56792333c02c8a557661b8cb8cc70bbfbd5d63a6ce37a56e1f987578435a5e00029bc1c7279cfc4c9ecb0632ce8893da44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
b33c6a5c44403fd3799ecdc738bb65dc

SHA1
4b72a489280d4e8ef5cc96e6f9919e5001616a70

SHA256
9e31c14daead6b75c581d0cc5b569ab06ef757acf7ff174bf05b5b783fe40378

SHA512
5bc789f912365955a6a8ffff946df7dd2aa561d3ae9a56909550b8abb6c5f49889aee72f8a62694f8abc6bcbc976493d39c5a8ea9c47f8099cd9d54b947ee153

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
db05e15852a632bf03c4ef113474ef34

SHA1
8e46d6ba960d1cc48079c842fd344b2dfa593113

SHA256
68f25b333216aa1a712ce81c0d456ecb61c32729339965bb702cf7248ae0b152

SHA512
72dd5a4d03e0804cdb5bfd6d708c7ca539631c11d02c8499d87b282a9736ad588f0bd4395cb7a68ac02167a76607f36c1c1c13babbe377f0a1cb917a7ed249d5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a2c879cd007ec6e38fb6f188b96f32f4

SHA1
130a61d8b918cef60e3846f0c9675206dc3a9c6a

SHA256
edffbf7deb059096ea5c7734449122e2d1afd94a7036694c22feee18c885f27d

SHA512
89e7ceb9bd2fdf2491dcfc1db8ef23b5853f158be9240a87d5544fbb708fb8f00d069f4bcc880a20d8b9df5cbea5689b83881c4d02dcce745c1d3880743fe981

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
282fe87e8e2e9cbd2db1c69d586967e9

SHA1
8bffb1f9037bb4b84da74d95c589ec3c248c1cc2

SHA256
d6cb7ce725852c8b437df72bbdd14eb6ed9586fa6128014ef9674807a4db38bb

SHA512
ea5923381e16adba952cf6a1cb250232fcdafe20d3090d39b873e11f5d246433654bd9e0fe8efcf1583e2bbff8f79a68b2586f790bd5c7177790d88bcce37d74

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
214bac1e5f915fb66f3f7bb020e44c1d

SHA1
349a4752e1ee6d4692388c119b13c487c3881a8e

SHA256
d1041196d2aacf8d1426f08f653481cb6bb31f5c5277207745538df46b087670

SHA512
bcb6a6de39f186132a5cb391911e15ec6c1b771901141365ec17d843a8611a5f46b9b40475d252401a3a6e6c5a499f7b26904e6d117697913fa0b5ba7156ccc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
a1e30f92e50b80eb14a9ba1a57d7d562

SHA1
3fa7cd781abc471d0b41f4761f0d8553dd9c4f28

SHA256
2d13e2f29fc5ea932c460c122aee02e99ac4220cb5b769c5eabca3e5b596a2b7

SHA512
cfa6f349b6b9f8fce1f040de5813d84494129935fedcec7c4ce8d00827fe4247552d490bc978ec4c095d13499ff5672f9f89278181d6f93d1ce199a2121352b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
168d136f3e965f217b994ca404b23e48

SHA1
df025964908cb92c13b205c2793717ac1dbdcf9c

SHA256
cec2b54278c4c12af518ccb638b0df0597c956122d3244698da6efb04e7e2b3b

SHA512
60fa063f1cb40bb405e03c452d5cfb0eaef56ae182ea4653862e9b73d66abf0b22c8e81c1d8a6151e5e6a9be488adc5671c8175bbe80f0b38fc546e7c68cc9ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
4fd2839f342a52599830321490aa19e7

SHA1
26ca863823f470d5765675558cb9aae3424c58e0

SHA256
9384950383527d7c8738adb999bc4607e95ebc81283fa08921c1126607bf864b

SHA512
088669584cbeae75835e0ce78536981e4235e9584714883dff52d0c4433cfe581b3debd8e2b7737564eefe83a1a1087c8e15c8713a392849d43d9a7580356aef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b8d46f377cf7430e31396c268e9c5b12

SHA1
83df6984d9ad3d7995746cb99e5fee267f6e3113

SHA256
267d5f0262d6dc8644bba6b921f493738ef64e6f709d52332363e9d6a5dd495b

SHA512
93b1fae1df50f87f4e0552cb4fb2533e016b17563dfd0613bb1c5dcba32c0685d47a86e2140a9a9743439ba662b13a36d07d4b7f78445b6f51f42a1768c228f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5b5da917fe13770eea5633f959b40e88

SHA1
6d4608b68bab161e7e643d4820de153d64b0903e

SHA256
9d30d3374c973865cfb4cf0918b408acf55c17eb63a6c697b7cb1a9df1c3f3f9

SHA512
f5309be6868f5e2b068501318897f67b85d8ff944f0924aa9d69e4ea0724a83246e6d9aa2651023833741354611457739928cf4d356b58fc31956aeabfc7672d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c629b3a9641dce9ea8a78c7b37434334

SHA1
6db4a123eb7b79e6efd5d84d685cdd0c4648e159

SHA256
199332c4bd06510f0d5e7133e0104149655e23b4b15bd2873b0a8752f764536b

SHA512
4c5cb66d78194c1660603f72db79f4e7e7f86fe566ad536d84dec8db458731eb142776695285352ca746814ea719b2563fe4140e6eacccf94d4e097691e77d53

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
ea1b90a2035869e421f4ab34244ac32b

SHA1
d50b5a19bf93788d8d626ff885bc455b851a1502

SHA256
3d86303253a56e6cbd3bf6e269fd4b6b758bcf71ad64c5d5ab7696856525e6c8

SHA512
71e0f2a686d32ad91154e2eb04671d0a227dc3c63f81dd43b9da4b7d56c26d0963c27cf9cb28ac09ecf2ef356d01776957b7c55da949fc8c67a2d61e3c355642

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
c7197967619ee9cbcd8cc246dcd3d8d0

SHA1
001e0798cb6a4d4895c3372de2193c5a956b9508

SHA256
6e60d255777ebbe469160fe85feab6f57a47656c1f22ac3cebd2cf85e64a88a5

SHA512
a6700f15cc60af75e5d4271bcc2b6cb435ef5c1aebdcf41eb6ee937213b7b8f25f84f9e018c0f6f606a995107006d1811f8870429b2f1f8e8c7acfb35ef06ea3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
d8bdb14eecd65baaf9b7c4f90ec5d5de

SHA1
cbfbd8fe1857a8098ab4a43ebfc06ef465e5aadf

SHA256
843dbdd2f94ee95ef83927320f340848983d910dcd1513003bc3356e06669742

SHA512
4ca0768a2064d2f9abd83c3aa322c21369961f81730424aa0f4fe0395c49803856701dd0716a05eebcddc34c5a5926cefb935cda52c0fe6a503b54c768ae2c1e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
b05efbecd57ccfe275e5b30f00a76b85

SHA1
76b08da4564b057ed717618ec6917a95e175c411

SHA256
99a91d6c6d4ac0ebe5e626f0ad74d9be38c022c1cc11d6b21ba55c11f28453f4

SHA512
4be81aa028b099e15d792c404ef368ebccb5a5e2ec7d0b5a2495ef621c0d0e83478cae5d6288946bd77652bcb5f08afe37ded7b0e76043e155039e52d68f93d2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
bc7cc369fe3886095e69bf6ac81705c0

SHA1
c890adfb62ae2b29bc2fd54aa1020f8e0db560a1

SHA256
92fffab32d375f05495ed3b445ddcb039f18331ef7d4ccfb878754a51b759aa9

SHA512
132ad5433d9e0b7395db98a85899e3e9b9d1164d642ac27ab7e2570bb02c915883ea0ee7a6b1b88ec5270335493d0191b35505c7d0d4ef30c5fd1d41213d559d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
d8749897a952252aaf8ac578bf406056

SHA1
bc3ed7f443bd158824b8cdf4716cb524888ee9ba

SHA256
a113ff83f9595b5f42ea0e9f3163591046557d10c86670cb221c611d2fd421a8

SHA512
ab545777b9aa7841e2f38c2ef252c8bec0397fdd94dcef1407efb951da3130f01418b9b4d8dc521062f7bd752d9d778a199afaa12b31701a3d6fbaecf8470197

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
a6ad5ab8cf0cbb7d36371f80480cf23d

SHA1
dd4fac13dab735ec3242fbe3ee41e97c7683d86e

SHA256
76c1d796dee037d5d6faf367bd7dc9018b09cbfbed0bffaa8183884ae5856a94

SHA512
23d3f3f622675517d34841c47c02b3240b639c76b523c9bfb0fe9bd3c5e33583f6da99772ca3d8edf6ae7654503fb7f982967700ab649d69bf5143513cf47bab

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
badb12b06edd70d3165bfebe3c53e0fa

SHA1
2cfd924eb63b1df648a40454b03dd0fd641f92b0

SHA256
19f7f829f23f4159f28c2a0da83f52ffdf0df9b0237281ae118c9b865f68cc18

SHA512
06b6c50764ad439efd1c6b39e39b59e218afd2410216e141387e437ae3fc0ea46ae431479de821a23f6eafa7c3d60c4a5cd588f712f066aac927980ad44b74f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
a3f9aea60c11c49825f8adffe05c2449

SHA1
25de3449e6eed192223c808d4c0b00fd4cef905d

SHA256
9720ae3fe677de5a5bb3a1d480e05d8d747bae89d1a48bfc94fb9890d5ba66f5

SHA512
42fa55500e13bfba6dc7437c79439d1cc689a2954d17e4f8f22a3fb335c67cd1289d22b56bf80a31f3c9a7177c9b789a32b80509a3be526585d0c54848190ecf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
487ebc9ed55ee3c01e84829319460ac0

SHA1
51078d9886f8821f0448f9d58689ac00f2b71189

SHA256
15a9e5bf7c161d5a96aa424411edb56084ba3d5c957b77eaa1d78e6fedfd4bd3

SHA512
aaa102301daf81727ef67ddd474c1435010117836422793ee5374e4c0c404eda3368be7884fdc51383d333f3ae22d9998b1dce2d28f8565a4ff082044557444e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a358897ecb3e71e82d41d8c98a8bfc40

SHA1
b1336172481cf9c1b0fa4f0fb956ef307c9dabcb

SHA256
142748ce389bcbab76d4f7d75a77650ab90b710c557cae9f5e6a836ed6471587

SHA512
b3395e8199146ede2b810d80ab5148ae29f930a1bb69160a805594313aa136d5dac7f025a0bd12bdc1c4b549376cb278aeaad3ddb48a7fe8e2ebcfc2591ec94b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
91c817fbed317443081ea48c3afff693

SHA1
69331ec414e9a09365e558609838bb251cc2b9c5

SHA256
07930f93357d61ceb70e7650a1bf5a5873258591dbfadabf3841b52493ab69f1

SHA512
85ef477f530634b1b468ec77832237a567eb8d481fc15dcea2a8d05a2cb110d834e9f603c367aea8fb2d31bd80680ca3453de3fd4ab128179ea7bbd0ec09c51f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
d77bcfd4566903d6fa9136cba3e166d8

SHA1
7bab6890cc48093a6f72b02fb62394490b58b5d3

SHA256
53a8e439a33f1849c535b8ea57f4394a0017f9837359f446040ec27c3e202cca

SHA512
67e44cdd8f25d6e5e14c564b9ada90194219132532b8ef9df751599f366dab2c98d0d0928edf06f201fff619869c542ee1592a979b0c4957e2441e06e9678529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
0eb5225b99455a36cbb9a9a11e15f220

SHA1
66a0bf71ba643d4275f49a6c00887c2129e410a8

SHA256
4bf7cae088bb4eaed27b22e8d80ad061977e0b8a7558cab42f00df3537b0da51

SHA512
9aa323c3df2f7f163c9a819a1931ec2cd98b95c10f0414dc82a29bc1c8f6edeab43058833d7ac8dd086d0200bb277ed87ce60b0ab953e873d70d2313822b1a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
5ee2ffb6be3d4c3043c24cb89e35ad60

SHA1
27e324be1c78ea834cc25cd0d7f60ae67b5f0fae

SHA256
a047328f06b3ab73b17d676040868629bb83f7b3ab2fdf2422a2b1f4c4c7d5bc

SHA512
262480880e68ed88808485ab9fb32871f14c6338bd0c55fd07cb103ebb25e29b6b1c48b6c70183cad68e63a4fb86b32fcbf0cd0637116e89661e098946e47e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
02782d2dbe3c581d219be98e4a183034

SHA1
c030508e072462710804ea3fc296fd29146e02cb

SHA256
64e7a08644c55fd70ed04a2dfeebb676e0a0ae0347aa0cd59664589241a714e2

SHA512
da6d67bfe1cc309453ca19e6e3920f50c8ad99346def3a002bcbb3e7f385bef4daa213acb29bf1d580e82921d68cbb10901e2cf884356ba78c67602cda040290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
86a8c804c32951dac3da018464c87f50

SHA1
9f6ac53e2177b2fe763d3d689e16ef64549507c9

SHA256
b6f98813a1c0e2d3449b6c471102cd2429cc64a928037bedac87ec2f08b549e6

SHA512
040ad4c5c83c89ed4625590783506bbe300b7ee29e665a135a705dfbf2f427cec69139a39c7f2503b84ac35ca8dc762e5f7f6c1be05d1f4ed5387e304d719801

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
ae28d8d9d66cdc89845f5b8f5a8abbdf

SHA1
cc0cfad828d3bf72ff8ec607dc90d6207261e705

SHA256
71fecb23642edbfc8d75f65f4e241e03fa78520a71fbc7daa5c7487837d1ad82

SHA512
040b7603350dd81dd2eb69a184d851fbae00ce5dbce4f425bb95e0ad5c6d3b7e04565fd9ca7ddac9b7cb4c446b7e50655b85c02bebfefa9661f3fb035f8fdd22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
bfd086f3e340393bef09da4676827720

SHA1
db7bfabbd0d4e177a6fdec86a735d8a0da6affa7

SHA256
b057a7b29cae7a5504a658bdeb8188c50bf972034802ac2b21e1b667134638e8

SHA512
bdd16be886193bff25c1f7538f29bced1abb123de3346d4d0fae81f464dccbda3e50d837f730675be738bed70f1ab73e13a848c8dabc7fa55f2a9bf71539a770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
4ebaf4e524475cf684dacd899d807bea

SHA1
052c5ccd7cf10d71e3ea6a2f67686de847469927

SHA256
55f21eb336c42934c6d038feb00aa608c351a35aa5426a81420e777244fa010e

SHA512
bdea9c72f42e8e537b116c9fa6b769142939832dc717dcf9b61941f294bb4c9d72a8690aec4238aadaabe8cda70723fe3314b7e896d7ffc2f9143577fb0291ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
5e735128c7ae3a96a3fb0c565935cd5f

SHA1
e707cad1b7bab9d707271f42b1a79993d4c5c21b

SHA256
c22c73972590043cc6bf7b9ca2605b08af885b8a444d2823150e9d0e35f29443

SHA512
8194eb45d053791988041807c0e5f77e20ff5bcbf29d9d65f3e12527861d341921a118c1118041cf970f5bb1433cc9fd126d08e0772add4e7e6bc669935122b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
bfb895601d09a79e7998504048ce7595

SHA1
b44d5ad871da106e6968fa71effb53e8901b4823

SHA256
d7650b6e77bf9a518e4e7a805d397f3b725a19ad87da51f4759dad029750f0da

SHA512
47990fa384066920314a76f41c232a1d2b49cd1bd113c669b6197b5f1b5437bdfe6a737e84cfc35e45dd74e44f09f59e723a97e8f3ae5aeab2b78ff66b060135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
cc1b04600a30ba2fc737f7979d4fdb58

SHA1
b700b8ece5012a18aa4845657fbcfeaf825a2ac6

SHA256
ca20f2bf3a42ba3f7069587edeaa827aa43c2b8372a6c7082e5ee6cc54671100

SHA512
ea38fcc4183bfd53d3421cad89339f6f2cb1cfd708a0a81b66cee8f90576d426c607a9df067a088f229250d069d0733fc07a3ffa21a2c08d0f9ae1930dc81862

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ae0db11857a50b7339159909126ae05c

SHA1
1cc0768fa88edd2c45b4d92b497817ccb9a88999

SHA256
594694c154cfa185abf6a8fa4df8b29c2a16b52a2a2251dba9fa684d4abac479

SHA512
d34a7a0bf84785445400783d9c0cdfb41b754c977f430f031e5fcb1015ca10269225030ff66902992572cdc036da9b6731aed2c40d1e23e9e0a7ef7ca4d9fd2d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
53a9ad4e54e9fb8f19dd75c87f7a3520

SHA1
d9b8fa85df67939a6ee102aa2f67535820c053d0

SHA256
c73c097072b2e697a6eb1b9267890599e59973c45b1ab8f51ee7ea51fb84b754

SHA512
8c48fed1e9719b5b7b57c5c397294fbbd41022d0825464e86ad54ce94761e7f98ed9a7f1334e17d7ae863850f69150c3d3d6a78def76a55b1dd67b1a1fc87d3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
90083ac207f4aa22556be042d445f80c

SHA1
2bb72574781f05995dee1b3860a15aca2814f982

SHA256
4e0373eda6f2b8e20ea675c22aa4619699d4a229d10b13909f9c3fe6d260f7ed

SHA512
66ee5a300af567c1b8f8c9f470e3b08e073542198cfc37416dcaab2686e4174048a6df48a0400e2771d064d5717f66595e931d2cf44c46cc5d5181823d6ca3f8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b3e5dfca8089f1e99449bdae026f050b

SHA1
7603ff27320568058ea0dbfe184c5a9c6e64bb8d

SHA256
f5a65dd9e13eb5271b1c14d2ec9a2906a10212eec1362e879fd4679c3ff60b13

SHA512
c4bef8875f5dbb83b8695303fbe3c877f6077e7a2afe22d68f51c29c478155a640ca2f14ac46affdb20f63950b069d3d7f6df13b67197fc23e62190adc611bf6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
0f544d4b69c8050afbe4691437b6096b

SHA1
8b8f7d3e44150579c19c55ea0763842f5a471784

SHA256
837579cb4a2d0385b577c06339fe7ef07aebab2fc848ccfb460d0485e395263f

SHA512
8cd04ef114c9ca67f97c2575e287d9fc611cb3ebdf7cc2eddf447457d07fa0cd337b460cd3a83640e179ce812b01f0c2e1318fc56ec455d6142f3bb08fda699f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
763f4abedde34ab70c0265d60b806266

SHA1
4fa824b982253dd4c69b09491776703db189e21a

SHA256
4b8cbe48f6a8dbfc2fc2bab3e8954c21959bd93d4b47c8183bd66c237913979c

SHA512
87b9c9731e4617ea09af7e3bb9f79de8cb679a32f1d9f38ce3984870b4b2d91aceeed694f2d4af49d8475dd918e50f3f6d53e01f008cda924d25a60d1648f1a4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f3658c4e5ce17d9c0de6fe937400ae44

SHA1
bdee21a96ec5fb7667171e5ee03bbac0747f29e7

SHA256
26dcc03dbebae2f71743022f5e40a55315c105f74d0897fd83b7dfde5f311d7a

SHA512
e2d8242a47ac2d6dc76e4b435cc395556262c75e04895ad75ad7632bf35a85f0eae66c01c46abdbccd1fd2a34b9dc5c792c0cf9ffa81f52d3bf9a4aede50338e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
8f63aa205456c3d59bb5d103049ec414

SHA1
cb1ab282ef4c94c46497f07d07c47426e2b121b8

SHA256
024ae3862a023ccd804c0cc6ce2bb156e07edf2b55a7b1c1c1a193f1c827ab47

SHA512
28d4e3db52887c13e973241570e97a61ebcfb59be82227271b200b59a91ede276b41523f774f5b82b287c5192abdb46edd5e9f8795dc86331b494627c814ae67

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ba54870246ad7246bbaf3ca382c47087

SHA1
1cdf4682908bff3d060c9024a2d0e72f2a833a64

SHA256
50a1c8777caa03a95467e22f08e26e014f6bb90a7b60d605965d5d848526b9ef

SHA512
1ae3d92bd238741e0408caf3ca4858a90172cf93491eebe0ca6358e223b16515059f4af4e4b59576686998a789109e1eac325f43a09cd3e4a22030f6165c42b2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
6a9e8d40d24abc2eae893aec70ca278c

SHA1
5fa04ee67d26bf8c8e65c5a45dc91ecf5620146c

SHA256
4510b63b61d48d791a748b1e0478f774217947f9ba7706f570b1e37368233676

SHA512
38db160e5fb11e1095ce7b1dde0b25e4f6c3c71dd6ea558386c863c0003e002a6d00bd2e0e7afe7f1ecb682e435e06a391fe1ccf592c4b0f930037c1afa1c2fa

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
6d5d929ac745817e5aeec0e86f42f631

SHA1
31dfc870f8b45ae1014cd2ff0963f76885063bdd

SHA256
def34d2d6d1e93ba4d320ca69a07c8f6230b48ea639d25e88a819517914d3e66

SHA512
5904f20d45092e8687103a3dbbabde3cddabada5d459e83556aa2af69be68123f3d199244cbd54f202e9a7221b355d01fee3fc8bbcbb4ab3eb2dcf1140b16b46

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ded11f6da0a86d6a4ff7893946b03eba

SHA1
e97bc87942613c5d9632dce2b1c56151ba403388

SHA256
ee667786fb01189c4f1e2a3238b7fff0cc697a9a1d3f183a6c2fe444f534e7b0

SHA512
f40b8c6b42a1d99a0428820f6086bc83227e7461576c43bd46fd88b6b82909ff0cd115d1275cc44a3a4055bd8049f00b8f0deca65ba3b236287391b37e59444e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
acceec0bd0dfbee8db1c621d0017d07a

SHA1
a174e1ad35aa9bc09476c10b35815430bbdc991d

SHA256
719718870bdbfd62b6c9a3103232fa34c029d534edd5c755ab954335cdb18707

SHA512
dc8e332e2ccfcb6d6484e1a48bd8301b46a0df5d9d9b7591cef1fbd6c12544db1687fb6e62463a3dd0b49091cb0c1c02939e9d20a9fd55c9d1696973cbfd2fb2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
14b90d6a55774342cfb35dbe0c9b66c1

SHA1
d9611dea4497721e80b9c805ca2776a49fbfdc2c

SHA256
f9f4450ef00844b2b319120be8489be2dd060975fa3a4d5c9b00c825c4a2011c

SHA512
f780509b2dbbc49b4af49ae11817a4126fac908fd9ff1f175a59b48884d462082dc70beb80b9af2f10726785f59dfbcf89ca033b1bb227cf214ae8a331720d40

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
b41adf44c15b72a6746d2c0b11815680

SHA1
548ff4198a0a6c22d549046e74e4929fdd1255d9

SHA256
8183bb6d77d09be87feb610f83cb686618c9a99e0b758c851841e8a6c2625b59

SHA512
ffd77c11b54d1ee1572d5edc13746fded95a5171585ba5ce95109a9ad4b753404e1c5ba5f00863fbfa3a7c7533fdc1f928f0d5c81894e9839ad535f73c9a548f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
1980e105b55ddc26b450d62fd573d9e9

SHA1
9d9273bb5d7f0a89070cc7f56faf32b62a18c98d

SHA256
f80df2b64eef15275b5f7352c3017b06aa777ec968928b5a0a16d3aaeb07dcc7

SHA512
92e7549dc180fdb6703817809a100a8f4481cf1a7a5faf6c569ffd00a8d6da43dcb8eec871940c544417bbba3b6a393fb22643c0fc093f9791883d952e660929

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
4c20cc4f0a2872675c65814f163baa45

SHA1
a2e01d736eeec8242ffb5d664fae1a5727520960

SHA256
b6092f54d41e425c4fa0ffeec228aeba4297163a9f2ad095ce716b35c50735a2

SHA512
97dbf2c9034185c4834651c990fecc80678b4d045e88e1a961ca0d58571decf924a47644ee2898ebdd1dcf89e504cce2654ec3db377448d010182350c9d90183

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7c6c5de77458385ea3f547a069332868

SHA1
a78b67002eda73179ea6bcc2c7741616e2d5f45b

SHA256
c5eba316575f7d655e48144697e74e9b703f0f5dcd3454d68aaa584c704bf652

SHA512
f6430611108a1fc394864ea6d129ef31a8117a7cdbcd1cbec9d9ec0ca2cc8b8f77fa7468ea5deb1d5c1e161e7ec1acc78e23b05bfa6f62378948e76cd0608fce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
124c2ec7f7ce6743c2617fffa21d7b94

SHA1
4556a16c10483f7ac39fd356234793d3d29ed4eb

SHA256
58eef27e383343646042cd55f74cfddf5d4aed03460c1347e3de319147fb545f

SHA512
401ce919071389a5a38c75839fcba4e3e25491cf253119ebaaa84a93d3fa1e936ce6b6174e0da5094f569711420a3704ebab5fb4f0a7019504429680f9dc5cf5

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ebd19253a61c1bd5580ad1b9142b6857

SHA1
45e0b6b585f199d11931d8ce162d3102fbb1afab

SHA256
2c6adc2a58600b909b490b7532b33a2aaee1452b8f55a3e7e6acf864c7a98a4e

SHA512
80a32e07868bc57d44f3fdec19bd863ec98e4b11877fe271a7f04d0b1166ed55b26bdf62a60973de8cbfb5a12cf2e2d4991fe17d6a93ec7b6c57033d56ebde92

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bcc6d2c7417bc8585850a66624fbaf0e

SHA1
99a8abdb3ee1e5d18f2095bda5dd1c8cc8493bad

SHA256
0710eca0420a6dce9493e397f8b810b4781209c840116e2aa3571fdac1eba656

SHA512
67c84624971473b7e653680cc095daa4fa6c709c2fed508bcc0e717dc02d73f07689917350a6b6fd4cc05cca4704fb0754d0437dfbc1761b56a88aa22d214a6d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
4cee3ecafbe2686f89766dc0e102ebc9

SHA1
80a382e3d4109f8b6ac2940cb226e18e30e3d75a

SHA256
125e056da15c75a31dd80a70de8acaacca50de283772767fba7f9e7f77e842b6

SHA512
a3eac96946bd05ff7f2df240ff7bd989d78423aff336589d2835b76b563b77181757ab884dfbb2553dbdcde5ab69ff8be41a713f27bc766b2d0957fad184aa9e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e9201ef4ab04b75183821105b2074d4c

SHA1
52fc695713ce8986fc717d98e862a2853a7ea047

SHA256
0c4c9b2d22d97baa34099c9fcb2482a0b7004a04f84d40f94bded2c5494a347c

SHA512
34cd444c00c2d73c32a7878de91f94b6d6dcd4bb7cd4856d862c6bb9b6874291b1183b2801c2e57cc07bd894309305c259ff268e446441b5e3e70cc459706c20

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
66a3eaa422087e85e57c4739ff2845cc

SHA1
a36755092a75279e288b98eb23efb5fefeaac5e3

SHA256
1b5919cc794c83fb9ff0d23663e424315fef4820a0f7f8bf326cdee0a0e4e1ce

SHA512
e269e451b2fefb182f90a2e43b332e96a8bed3d8515e3a6f2b2735e70988192109db06c36bd9accad3ef99f1e0c284997ef761ef6e9419d531e3690ed65412a4

Download Submit
memory/908-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/908-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/940-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/940-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/984-481-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/984-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1324-357-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1324-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1348-1-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1348-8-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1348-0-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/1348-7-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1348-76-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/1420-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1420-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1840-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1840-484-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-199-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2284-66-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2284-65-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2284-72-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2368-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2368-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2548-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2548-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2548-20-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2548-14-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2548-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2804-52-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/2804-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-40-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/2804-48-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/2872-508-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2872-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3160-109-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3160-92-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3164-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3164-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3612-88-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3612-77-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3612-83-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3612-86-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3612-90-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3640-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3696-393-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3752-488-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4076-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4076-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4168-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4168-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4168-140-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4168-28-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4168-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4360-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4360-60-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4360-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4360-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4596-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4596-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5012-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5012-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download