7af5393bdb5026d268d06ee4e9c234cb79acc9b8302cc06b81f7dc3d78a8cd1b

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Size

6.8MB
MD5

781a75d03b0e220b34865acc7f1ab8f0
SHA1

e1ae0a81c9f6d7ae43e3595a1ced8bbcacf93649
SHA256

7af5393bdb5026d268d06ee4e9c234cb79acc9b8302cc06b81f7dc3d78a8cd1b
SHA512

6da77f28d50fddb582b32e6ed7c93376b998af7794d68f3c0647110733b81796da8ba5f69a1565e039bb94ddba91dbfafd6d0933760f8094dfbdf46af15c411d
SSDEEP

98304:nMIc6EUkYvUTuf0247Ku0LaU7dG1yfpVBlH:hzdvUTV247KuwaUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4868	alg.exe
4944	DiagnosticsHub.StandardCollector.Service.exe
1420	fxssvc.exe
2040	elevation_service.exe
1776	elevation_service.exe
2956	maintenanceservice.exe
1980	msdtc.exe
2948	OSE.EXE
2720	PerceptionSimulationService.exe
736	perfhost.exe
4284	locator.exe
2260	SensorDataService.exe
2348	snmptrap.exe
4108	spectrum.exe
4912	ssh-agent.exe
3404	TieringEngineService.exe
2992	AgentService.exe
1860	vds.exe
1548	vssvc.exe
548	wbengine.exe
3376	WmiApSrv.exe
2100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\118f193cb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093f18f21b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048916e21b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d09ec22b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc964c1fb9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fadb0625b9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d1c941fb9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000000cae22b9acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051801d21b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000859d5720b9acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000182ae821b9acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe

pid	process
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1420	fxssvc.exe
Token: SeRestorePrivilege	3404	TieringEngineService.exe
Token: SeManageVolumePrivilege	3404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2992	AgentService.exe
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeBackupPrivilege	548	wbengine.exe
Token: SeRestorePrivilege	548	wbengine.exe
Token: SeSecurityPrivilege	548	wbengine.exe
Token: 33	2100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeDebugPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2100 wrote to memory of 3196	2100	SearchIndexer.exe	SearchProtocolHost.exe
PID 2100 wrote to memory of 3196	2100	SearchIndexer.exe	SearchProtocolHost.exe
PID 2100 wrote to memory of 5068	2100	SearchIndexer.exe	SearchFilterHost.exe
PID 2100 wrote to memory of 5068	2100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\781a75d03b0e220b34865acc7f1ab8f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4108

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3196

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:5888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
53b796df4fa0d57e6058dd6b86dc6007

SHA1
a480a751365127e19d1a12b056936903d74b0fe7

SHA256
70011c88727735a8d9c7a0afc638f33bd511a351b78fad7fefc60633ecd46752

SHA512
38bcf4bc704c5c823d6f377c52f3f4b881b62b207095b4f51ea31c71939ddf199bb51c8409fefe0a44bb1d1e017265d2f67d64275caabb98e3487e97f897ca28

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
6d95bd9df45fac8facc7d20fa3020c72

SHA1
9f8dbb7590e917d40ccd6b02b366d9123d92b030

SHA256
b49d6833f390051f7ee92f0c12c9a7d25c28bbb16c34f5492835d58b643cdca5

SHA512
06e993eee6a1dc9f9bb43c384cb141a2545efb894377756232f6ef3d31a2c358545baa6de6f798e19fc15d0b6cefbd28307794d4943cbdcf3e2f788d5dba5848

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
159b8a791976089fcbfb25211fa091bf

SHA1
6e566d8ce00ff471e5713151144aa01b9fc08800

SHA256
fe62269114551c8ec19ec86e24e8d8fb519593c912f0f73fc81942accb601a6c

SHA512
ea8c2b98bc83fd84994ea8d74f487825b210b87302f136a3d753eeb156a81a68fb726eb15ff878c8f67114ebd6aaeb66c0446618a477219dda40ac63cbe2fab2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
df309a8a13cdde71ad988b5e0dba580b

SHA1
a4a07ad226b3dc966166ab8f0c5f02357af7ff23

SHA256
0a981be95695f613abc1c6cae8cab286b049868c3dcbf51b5e9eec25a5db362a

SHA512
6e067ba78046e2af6be4f1b498878bfe19e6ec40cd9cd50f17692127c9262f106efa325c2af59051e132864371ca9aae9e7dd980d13f14b65c968a2c5ac4f27e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
0480cd42dea56f8103621e6397794930

SHA1
02486bd3c8c6f13c33820c862d2eaff4d9e95897

SHA256
b5a67657b71c92d370c93ee2b643f373d160b25b6047be7ed4bfd27c82db9a0b

SHA512
5e1e5b4ec0a145a160fe79ecef610eb10e633a0de696ff3f3afa57db657417d6dbd11b36e7cbe8968f1a5ac00fc8ced9597928b4b21e54c8849cc0b5c7982881

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6554d9bca5e0995fb897f203e2aec39c

SHA1
086973bb870ae16ca8706ba3d3980989dc45ba46

SHA256
9d78a9de10562e48536a6d769ac238c75af525123608aa71ade9871f5f234222

SHA512
dda9695245c70eabe43e50f0f70654f0c0bb9b0134ed0dd0fe333a744ed392af8feea789afcc94508ca71306ddc7cc5a078b3e3c80ab7b8b133ebe45ff60d2fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
4ac340f042822562823bf88294b09bac

SHA1
cbd77519c8220ff11c3c90936ee3043289cacba1

SHA256
c19de64cf49f2f71a4e4f1ef66f394d5a1dc4b09af695ddac706bb26185d85f6

SHA512
440aebd9b4a549bcebc7b058ae8db1fb51dfe52e58c448d09adb1edc2d8f04ba30a8d8e8a1c33e4c60dc1a789679cd12bfa7df7f69a927532be401063ce2b1fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9199c582ba45ad801ce6ebaf98c49ae8

SHA1
4015bd7c7a190e5e9244476387b2f56cfc0efe24

SHA256
6e7755e388cb27cdf28b8d50fb43ba54287d46d906fcef28c9bb8afd39806d57

SHA512
f5e4abc7c326c9eade6da04f44b1b9cc86dbb33387cbfc7e0ecda69ed80bf4faa925ffdaced765c7493e629134d1b1b44cd4e446bffecb317604596fd65ae197

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
7597fb893ea6a79223a4db988d3d154e

SHA1
2aa3c60aa5921290c06f82558e0a88c870cb27a5

SHA256
588cdafafcc83a4dc707cb12c1534e82bff1698fff0f2957c55121644a743bca

SHA512
584cedbe414d3057e9ef32b22e32744fcc2306e781541822ae04d47a18ab5a756ebab07cf9b737a2f53d5eac5bf4c7bc71da1f785f73d058b1e50487eba4bf7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f1923b7d5a221c48e7fb5058a3cb283d

SHA1
19203336dc1550778a615ba57a779363f6c9c620

SHA256
ca17bd4b4d92dd851dbd68276dc0fdd83b1539fba40bad3ee5cd2b1811279d58

SHA512
53b38a2a0d978d8678024fa8370164892a1e4b0269c490f147a5ce54f3b77b68df003e59424ad23c1ae6eed532bf64892eda0d79395d6d79d6d249c05462165d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e8472f985751a8535e7c66d6528fadd4

SHA1
8a508cf82395f737ef1d6a17ad26c2723d0e29a8

SHA256
8b918cbf7f05762c9b005a5d34a3ab3baed84b24102b6e48da2eccc1d4ecc9a9

SHA512
f1605b908d39e92c92006a32885b581e52f82cfbc52f2e71d5666c2a82e356ff7f0785c8718bed65fea964207012e34750552b2286f780a0ddbe4aa26be95eb3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f534b3615ff514a8ef959d5d12f07d75

SHA1
bfc2ee2d3fc7d1a9123f40eaffb5986f625d323a

SHA256
93d5980fceeade72897c003e64ae19d2ba1f7bed9d3ceadc56b725a03bb979ab

SHA512
10d5e561de4d1464efb4416093c0c04eb8fea4810323af67046e5d3acce43c2917c1ae9027181600d5e78b71bdbff243a760088cea07a8ddd6c4b126ceec28a7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
da5009abe5a0aec2c711366954053a0e

SHA1
43d051c5ec4381685fd4d370d74831daaca72a9f

SHA256
b67e48e8a8715b74dd108386ce20ae9086da742e3757d7f890b1dee507de1163

SHA512
4388882014e4363ff09b0c4d764da547daba8fa871466790f0208028f77202bb5bd99a30954043f27f64535b1d8c02affa078fe2c21fac97a3ed67ec38073354

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
fe8ae8fd3e3eae9461fb7e5956b3ddf7

SHA1
e369ec4110a30dabdb432f5982e36cf105dd2de6

SHA256
a0a7f1345a869ee5e48daee0a77e0e37ee08835d3ceaf4e4f9b32664ae7add0a

SHA512
9d1c79bd6759f47cd071e13a0c591a5692cbdf9f84be1395010a1d4fbdf276dc98baf795a8815f0ce6469c38342828f3ac83c97d2e8aa7afb32ea5b9ce735119

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
092a960c371b28d9511961cc834fa305

SHA1
113cf61c90ca80b86f8be1f768d8d0a6e29c89fd

SHA256
ce028a0c0c0a9424c6c35ac2de88a507ecc241bd416334a78e163dbf54c04b91

SHA512
585ae00a365f135d8b30cff694c58c91afe789ab89e6307b3bf8c5ceb0fac019fefeb685e405e5b2d889e58e76f5e837de30cc1e0204ba14f8cf26687719776e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
06c3cf637345e881e546e58b4cd6117a

SHA1
d7e7e607df9976c2559d3c300f2aaf75999c2775

SHA256
cd7baaadba19e3048858b9ee6b02d1033da1115508037c6c06cb912160fc483e

SHA512
81daaa1bae6c2758e7c7f0a6562ba7974b52fa779bf7575f75cfc80b223ccbafa2b4e83e0b09726c547f9630261e09855a20def8baed370192e1e8729d95f060

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
4f6e99fee94b150213d996a83ee2b21e

SHA1
199fe10c2f4596c7170f0c65caf669d9e760c981

SHA256
830cc82c8eb6b253688fabdd31a9e33ea905fc699553ba6affb0ba5996043419

SHA512
294eb9d80fde0eb9cc9e56b9fce155f5a8b5c81853c312ffb3a6385eb2622db31e90066e310cf8a0fb46e7a09697cd6e6fb9ceac720d3bff8bf673c5a76360c5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
f76b56732f2ac275570ea940a2bf4a46

SHA1
23b7ea75c8f879788eb039f4382dbc61479b8819

SHA256
f271022550f611e22eb17b73edd438f182e5061c04568078923e9fb9435f7b25

SHA512
44c53ec0926366ed34e1de8346eacb6b42131c454764e1e109d7c9b2bd49819a3e1548e20dece6fc0307bc767d077bb700cd26c85477d4c276adbba6c61f85d1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
6e2aaa20e408ddd81ec23d42948f0090

SHA1
d0529cbd2148b641d313bc70a24f088fafd36afc

SHA256
6fadd89fdffb03135b542dcd41821882813abc340c904b3cb7017f986775cfb1

SHA512
d1a34b051aaed5bfdec382ba515591e769a5c30c24e7f756729c1c8831d855778ce6ba665b28362be2142c1a23c8296aba277cf5840151fdd9e00a5b6341d81c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
978f3201764e0ad0d64fdcf11dd82f3c

SHA1
3961b6daa67862dcf6e86ac3fa72468d3b649916

SHA256
736ca286242909cc82a9c6520e9703a7c4e000f0854ec5dfe776044ff25a9e62

SHA512
7bc0a4875041b046854f281f5dc2b2f75cd57a91f5cea5b00d23c8d9cb747bfd6de76f01f8c0e3cb56671f8a489faff3edcf6e47d40fd40f981bc8686ab433ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
7b807821eb6bf3a1b067b9532094c927

SHA1
99881452178c8e7667d0683c6f695e2c6642dc44

SHA256
a0cf98d83cae2eb0ba27d548ea4989e950268e17cb986b9d39cc1e304b5e13f7

SHA512
abf33b24f85428407caad56d134bfd596c5c1123f0ba0ff9415d206a2798feefe499a297a37fee0acbf95919b7867b3fd7835386491bc33582531988b809e474

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
a8f98c63b251eeedeaa0bfec6643a6cc

SHA1
22f1293deb2d70ef9b855d5403fe7d74191658dd

SHA256
b036e248767a5dc0ac919ec7be202f7253f3ab59f8dd91ac268d571e361f954c

SHA512
b7d08970fb56b958671e7f31c2b58db7d81af96577a7efc5b4d3d2102624fadcaa0a2fd262ceaccb7753ecfc5da3230d173ec1ce2090bd866d0afe7192bd2d8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
231d245229bc30e294ac1f698729d24a

SHA1
d558d7a92d9625fe282c931afa1a818345d22fea

SHA256
c113ad51d350a48b323ff4bbb8b015ad59838e93f1466542b097bdceaf0b2760

SHA512
ffadabf567307174dc32b6e3b3e0b22e56e9ea44affa1dc45a4009b49f2c2022fe3dfbdd88589b28b1e5db2d4955e2ef68b89a1a7582f153c9219843bc159de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a4eb801d95fce3408bdb8f914dc3ee95

SHA1
7ed967aa00c838645e35e3177d08dec84fe344e5

SHA256
03a1d1ef3bb2827c16516ad698425be22e0dd7a3450d817bb5c4ae32e134adca

SHA512
0aa81596ff51ea5329c2ac3db228dde7b86f0aab9d145bd92c659c3d73fab806adfcd2c7d1078d0a26d5089c222f722c0f5281f2ef7d9181f182fd0bdfaeb682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
6c72ee34358995a0603634d5ec2365af

SHA1
4a43874067c94b1991b33cc00e8abca6871c6d58

SHA256
ba7203679ae86254a3cddf8f7347baefb92c6e1863ec260474d6b7eaf12d46d0

SHA512
07af92c70931c9ce989ec1a924e92ecb2ac661b19694f50c55fb142a52c7cf83be5f51aea408030108ab5ecaaabea21ac7e2f4e22e20b27ba805cb0d5754af54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
8367fae267dcb4d3802390cfc4d12ee8

SHA1
11b8151c7d8b33f6e810cc826055712f83330c56

SHA256
6b52b20e9eed20568389bc45b155b29c958aa89f1307c456bc630fedbdd6121d

SHA512
6cf35bbe33b17b8d288f46c99080ca2342e6f534b60f29dbf10dbf66952d8dbeab022a996ee2b2fc028aca042962194e502fa8fe847e6ba53cef88c1ec27270d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
68f2bc2ca2b85c799f6120be2aac373e

SHA1
d871bc4c44593e04addeab1d29cfc4a8da1ad01a

SHA256
acd13e9f71f33227b51493cc3fb5e38015975c14e36f7d4948a427ed26ab0da4

SHA512
9448e0cccd6bf84177aee854c12814749f7d32e9301728639a25e3098f29eea1b9fcd48a69c9f00ec04eb15a12917a527e462c889cd450a8bf9b31e8ee596128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
87ce5dadf717df6939a25ef674f71ce6

SHA1
083b750906315a362c168210122cfe164d8d48c2

SHA256
f43710e73478ef6b2a8faea632bd8c26a552b3bdb4a20d24f662c1aed5fc5d81

SHA512
170a09c65e1f4df3018d6c185c390860b67c3dba681bfe122534af9256c57d27e0eb798fbfc8be63ab0272d51df2872ff8a2563f45965c2e4d2952cc9127b9c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
e55723b280acb235e54583b88501ecae

SHA1
39ea8387b368dd6b16812a0247624260b5f284f3

SHA256
86d11cee501c8fe39fef12dae32153b85d0d72d6da9798150927e9dec654ee8a

SHA512
7b36cd67f943ccfcebd9a9ba5ff8669d649cd31ab8ddff4568b074f68aa565ed2347d05cd3903ddcb2823a70fe2739545f98e08ff8312536284acd9d6ca25a43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
596e70f4ba83da31e810e9f74903d8eb

SHA1
cdebc4f27c081def83eae1a3b48d4e2115493821

SHA256
ad31bb1fc9a2e144dadb2d38def822d2d5bb59133de32c3ad37d03007fee202a

SHA512
4b955b21dc338135b0435d1b77e128eb5686479b52d4cdb3a91d40aedf121d5040f6489418df0136a7916c001e5f509ea59d5f556b5b13eaf0a6a1a77e866fdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
9939657fa6342bd0444ee1e340c8ffcb

SHA1
ad0ca18df98b5ec7908d9e0b5c5b9ebf53fac7d3

SHA256
6dc66e72b732443cef690090218a966396737ea10fc8cf2279bbe4fa5146cb99

SHA512
5101d25353762f7930b936592d54950af78f5b12bc070e2b00e70b47bf3c4422a6b8e6848341891f79d629482ae7635a54251a0dd5c99baae2d33adf14e7250f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8c1663acef00dfecfeac6227b8f1fc6f

SHA1
4f1c9a1b5ecbd2386398ac5f7df11300209a744a

SHA256
1bafcecda379021ae5980ca7d6eef674c4c9345c5962cd9502e21850477dc132

SHA512
69a8e1948e5e6422387d43a4540a037a884eb07184b9eef576497766486960c465eebb0280072baca75c5411dbed4bc5fc41946fc93d54636217fa6d61e0e6ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
1fc05c730631d1a18cb06ec605b81bec

SHA1
7178a03146ed53f3e832b9d80894a1594984409e

SHA256
cc4e27dc2a49450e5166343c393fa9d73347882a301b52b84542dfc4c87e9e25

SHA512
0d6cb676a8442a9a24eb470497ee5abe5a7ce43ce800f9da07db2832381bcbdc798b5a0f5d16bcb8d479f20a862775c97b2e24f965983dcb5f0e8213e1eacb5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
82c71c9baee0597c1e16cbc9a190948d

SHA1
302c22f185bd593d3525706f33df47f04ef6c9a0

SHA256
ba0d94c2877be9d2308bbf476c5b24b56e76456975e2b9df041b81bd132d5fe0

SHA512
133032167e594a0344c374b1e7ebab5e8708746a04e640a8c2d322edb9488ae76a30609a5763ba7e2460f1ea3bc1a68e3dfc55f73a8a7ed8efbb500e9f90d7d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
9a33535fde6253822cbe3b633fbf9081

SHA1
b59c5fba5a2c6a52350f608b17a76d418e6233c8

SHA256
450d8764def3d45ec550550dcb4a888d308576bb030bfe09ddcc82ff8720fee0

SHA512
f42c34fe72fb0d90703dccfa60bc0ad860c36b18b8585e2bc3fe275dc69c41669dbd1462a5f7978555c853cda2f3004cc40d5188740ee428b48573f5c8aed40b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
fa7718c932beb1555cc767a5d685e8ba

SHA1
a5dd8fd363c4ec83b795729d37d0dc4fad17a83a

SHA256
8d710c7768fee8b9a72afc62c61d120602ae5e131d54c2853779bfd42e3b61c6

SHA512
183a0589eaa2fb96fa0dcc94303e12c9cdec461e1486e390cfd524e26d2b5e2f4bb2aa7d223f78c6bd1f8bf66a137dbe34b7bdc7acbbc58b434f2564724caf12

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
9c842a770c3dd53edeef8a5635b20ec2

SHA1
b2b572ddf36e51d9ee713be84ffd5a100f1863f9

SHA256
d9c4d39af5cca3591ec90ac544f2aed258657b61316c93c03163fe3d4897680f

SHA512
2e2fc3aef3da491785603c48d7079055524584284dfc541d55e5c48397dd2773d67baf18237ad7d185301b5b9beae4288bb984b9d84bf15d47be81ec3e4a054e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e163588eb601352979a914721df74d20

SHA1
8de035ccc8cef7f98e357b56d0bff2f3d81b173d

SHA256
e4f5bb337c68183ab440d0f6d20bc424a90c4cd8f25746eee03e2e64f6e806d8

SHA512
f01c0f74dff78e26ab22051c3b5c7b5f5b83e692de7b1e70783bfce50f6df3ccee320488aa7bf4fedf20412eec0f04979a9e45da906b76776b88eb23d9fc5fa5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9c91c072bdb33a5fa412bbfb858f0fe0

SHA1
4423cdd3d8df6bd071a512dc73c340c08cacab78

SHA256
0798b323f9691f811ef6de8ca26fc59a1374d5456ca427c10b04181ffe1c4e97

SHA512
b2a87744de44edfd4478a161ae1ad60e017420c52ab2bf3a29f4f6c28da0ccc05425c13c87eca1b429f5161f6110d8b593d613f6dd80ffdd7655be9e6e27b585

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
3a628fa1dfa46c84f8408a96860fe5aa

SHA1
ff88ba40b86c2f44ba1d8ca965b83cb9489f91e2

SHA256
a8c9f7e8a5f2e7220bbc5a87879f50b9acc7d91be77acf17ee280a80e830b910

SHA512
07d0bfe7496e4ead31f5e4ecf4f9cf8e672c2b8da6bc92e72a4b13d55399a06673b749801334111fa5f3d9fbef1d29a1071eee473eb28ac405938ccf9f57e6cf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1b399c743276b9141d9e7f180188fb9d

SHA1
d1348d1d6532bbd23fd149a6a4683074e3e3d62c

SHA256
4fd0362fa6893ed252ef012b2b23b14ba1339bba201c338c821a33eb656f5189

SHA512
4ba864103f9e77f81490a1453f4d3462fbd8a334ae106f1676a9fb633d7a96d781ea228770acab718a5f16cc3cb5b0acc3f26ee574425150b80a8446263b4f4c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d0f0f0cc4f43ec68ebec5a839e07f434

SHA1
b3db837b5725be4fba6258d3173aa1596dd23cba

SHA256
fbf20e3ed16a17014059eb21ff6beb4b5f77a8b690b7efdc734e5666bf7fd7eb

SHA512
fb21719915f77b493dfdc3e13c1e849a8235a93ee25a4fdd9dd0296d4ec5d091e163f838d51a1b4f38c16b3bed1660efc265e4603ec6bb739c2fb0af336c2455

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
ce76ed298acb48e67aaa498042574ab2

SHA1
4e3b6d5416932dff16eb138d6d9591c0945622d8

SHA256
1d020cf1e2e69c6604641db75d9875dd8a019bdca66c5bdddb5422fc13a898c5

SHA512
ef7da3255a40f44d1f59c2a3a01940851021333635c1b7a28fb606a926c595797b8119f615d7397b4a714f8d588d4486bbc8fa0bc2b8686aba492dffcf4e657f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
dd43b73c666accff39b86f10d5203a28

SHA1
79362fd605c824859b377ea104ed363a3b163477

SHA256
f9ab6556c6b91f7ec9e15dca0ee1ec16b97ec85223ca1599e25b031bd55070f6

SHA512
a99bb59fa61d152539a6b2af3dfa47654393e1ded4380e70f10140362dc468e15a7a255b9f25347eec476b269a320533b933487ab26096e027fe131c3301f253

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
277b67915ef0bf59131e8edb563dfafd

SHA1
cd7a581c5c15e24459956b379bd5264ebb20b51d

SHA256
42c0727a5e4bbcd907a13a34962580fea1eaeae83becd5cd6a2bd21ab07564ee

SHA512
07d90a6dd4d3e789141ea8b6fa0ade699e367553398d10e88880db7ab1342553091b55f39950f9619dd91fb1cf4c2c4c80041eed2dd5207a5dc0d6aaf52c51cb

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c1afd269e8dcd49e7cb03eb6b9471400

SHA1
56ce92649b993b93233ac017777ad51e1c4e8c44

SHA256
535f4ae6e71a5d0eb5280a12004779a107ac4b9dbf140a1321b004dc218577c2

SHA512
fb341855c84ff46cf4ff4c7db42236ce961fde01f7f39f5074e7aaccbe442c10248849a7f0c1295b36fd6799dc7f120b228f618e66822b8be5f4a3030e16ab2f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5f0e14b1699bffb9425518721dbe1224

SHA1
9b64618540960f129d6fff79c440f43d890ffba0

SHA256
661d1cee45cdb5a6491dff1232e01e8b5290e3ebd70cc49881489945704e332e

SHA512
bdd0e083a08dadca98b92940056bda98dd190ebfe73d1152c46f2dd6a68889f35709a2a55c92d510e0ce96d1e2a68a15dcb36eca330ce38a8ecff1a758baee15

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
7966b72ed5da2bfbe4ebb683133b3e67

SHA1
52e6a028ebecdb91494ef76f14d217ce8953e497

SHA256
4fd418507b775ab882216aef347f02a5f8c1f876cdcfe1ef62e4566995eb7f3f

SHA512
6f022a11326902a38ee5fa2a3dee6cd09698e1e9123bab499737a5bd0a0cf867bde975671a8f9a9a78478841ea2f0349e5188d4db73773c5a968b25d7f6fe3bb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
844d31dd1769645018982c123ed5936f

SHA1
69b5f6efba40b67e4fb5076c80605e05e1e625c5

SHA256
7ddf0e192e39c91b188a540e4ec6fa432e6fed3ca6992792518cbe9624a0e372

SHA512
67e3a8f9243007ca348335bdae62d678ded735181459d0bf4656b4b8af0a89472c92c6f6a7f5c6b1e9bb4f9ba8dcd76ad51624e5a76b0d13e10fab5836ed5f09

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
73ba8f5f93c393f331fe711723773ba5

SHA1
0d41281a24d04f55b59e8f6a3be57a3aef6b2633

SHA256
7a63cd6abc5539424b9f4b3cb684caebf430ae69d2bdb8b38b2d478a21701869

SHA512
1935f63f42dba6f4bf6e03393b6e355a499b7adfeb36180572a48055fe2e7981986479b4c53298ce08d0bc810748d0782e77a571b488fa624e338329ada14abd

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
61332db96530f5bc3f7083c8365b6a81

SHA1
f5217f2230907b78cd225bc19ac70b8daca1ba1b

SHA256
237c9544414574ca73360a4ec1735399f726b8473ee3a8843a62c93e40d555ea

SHA512
f8e256ea40caaff271057b090db9c23836a66444e19d57387f2d263f2d55c5065af269967dcac12fc235897867d40e13372428db0bf26a2553aacc523eb5c404

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
02294ebf140736cbe80ae1e9c4c4d802

SHA1
6f432fdc3f7a742c08083c0a19dac89c1945a519

SHA256
1f58403102b4c512dc2b769b230978f59e51a0fd78b240e18c6799620dcb1a5f

SHA512
160c3827705e546338398d6862a2267a410101595f6a6c99f9bdbc73e72b9f172242c04c6e93fb019e1fc1e3cd22d9070b881f9ffbeb6635109f39ccd10cede7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c1a121fff0b045427b6f1d39efda9f02

SHA1
b65c3ac8ebe7905c973fc9dbf9a92f39df885858

SHA256
436cf171d3a32e86a1b479870faf6a6691c7ac04d8ffd058848eb110cd9c4894

SHA512
c3391530608c5426a67a551ff58278fd087d27573d05a169d51ddbc12aba3972faf22123fd6378de2e0d6154116937db41cd439589921f5a91d88b0a67b6f4c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
39147ac3e1253d014aa02923f7d5746a

SHA1
5324fce2f070a409446b94f83ff2950091a03271

SHA256
7e7d338a4fc2d5cfb3dca79ee3f9ef862a90d21e6b71f81d6d785d44bada90d5

SHA512
056de8844ef2c3c35e4d91a69db4698783286d67f57cb660ae46d139c704e8e245cf05372a6c64cb8bebcb2831f0f296b9da2665d9585a753f4d69557e9f371b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4de83ead1e2f390ab5f3f50037e60902

SHA1
a820c726c4ddad5e487268928bd31cc883cc3dd7

SHA256
4aa6ee3b74a876fa9cfc53e7e20e319b155137e7478e2297593499882ff4aa02

SHA512
1879f36a1c0a9a74436185c0bdffc6941ed4138420d2644d3eadb52e8cb533b69c9d1a51e9ca4f5827cf89b418337509bd28887c9c3bba29fd0b296b9e671364

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
16733a2950b655577b02c176bb0c1c16

SHA1
41a619788634c23050ceaede5d0c22f2b9a0fe99

SHA256
fb7208489587f5a1d97183e7f4abc072476ceb2bf76adc447190341162d66ee0

SHA512
5e98ee8a2b9abf851e09961c178adfb3df2a4ff23eaf957ca44b6efb52bee5e563d37b805179acb078a70c5c302fdd66acdd10586e8a27a7c2921a6b1262d4f1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7dd5ca1c3def5c3e00c27ce250c7a249

SHA1
659cdf18b30f29ea73bf1a392b43a7e0df8f1f72

SHA256
7676d9b9247022b01a434f3bb6906519cc2bfad8753272c0aeb65f22b141df2e

SHA512
014a3382eb873bf97ba370ff52e7dd60c582fa72e769e1377242f7746001068c035e6b418eebb05aba63f4120fe5cd478d77dbe1c54e16a87c3f450f2d0d9b31

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
d7f212a39ceb8e692260c5c09a5a85b7

SHA1
264dc24358f6e12ff9593cf933e4561e878f6686

SHA256
566abed06c7484b8da4039ba2874b2c5bf5389cb3adeac360f44f0e33150ac92

SHA512
80d39a121119ead5c4beb51b29f5896ae6803a2ff960251515e53e32fcfe0201a0f09c6b894e33cfe299efc2d66bc384271a0e1e5e49770cb06c3d43d6d17bb5

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
2fc9e810efd679a41bc07c849de6c1ad

SHA1
84c626220fc02681badcf521f2ec61b05dca1403

SHA256
69f9707592f2f9fdfb888afd228d76420376202fb9e509bf5bde8e5582eeb4f7

SHA512
b92598dbc3ed7eb000e68e3d8ea0475c94e7343e30c6c961d31d9a0f6eb2e61623c1f6ddc4625def24e6bac30a3545f3dd52da3a013846f91f71fe44bf8e984b

Download Submit
memory/548-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/548-464-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/736-131-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/736-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1420-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1420-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1420-51-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1420-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1420-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1548-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1548-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1776-74-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1776-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1776-188-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1776-65-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1860-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-461-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1980-92-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1980-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2040-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2040-175-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2040-62-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2040-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2100-484-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2100-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2260-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2260-407-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-350-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2348-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2548-73-0x0000000000400000-0x0000000000ADA000-memory.dmp

Filesize
6.9MB

Download
memory/2548-0-0x0000000000400000-0x0000000000ADA000-memory.dmp

Filesize
6.9MB

Download
memory/2548-7-0x0000000004BB0000-0x0000000004C17000-memory.dmp

Filesize
412KB

Download
memory/2548-6-0x0000000004BB0000-0x0000000004C17000-memory.dmp

Filesize
412KB

Download
memory/2548-1-0x0000000004BB0000-0x0000000004C17000-memory.dmp

Filesize
412KB

Download
memory/2720-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2720-119-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2948-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2948-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2956-85-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2956-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2956-90-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2956-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2956-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2992-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2992-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3376-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3376-467-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3404-444-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3404-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4108-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4108-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4284-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4868-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4868-104-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4868-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4868-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4912-197-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4912-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4944-130-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4944-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4944-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4944-35-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4944-33-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download