dfe601d693bdd150c4bdac0718e095b29ab9a9292a2a3460cf62e9c05d0591c6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
Size

1.5MB
MD5

8f92f9b29e3b6b362e570620eadd8590
SHA1

236fd697a4206de112d3aa4d6fa9961ae650cd5e
SHA256

dfe601d693bdd150c4bdac0718e095b29ab9a9292a2a3460cf62e9c05d0591c6
SHA512

417d74b4621ed5ac29c85036761b73ec78acac01eb02fb22c9fcf83a9f06127ff81040520c5ada9d3693211e0873cafb559cef4504ae3c605c473ffa8b2cf719
SSDEEP

12288:S1fAGRjPvPVUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:N6jL8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
680	alg.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
2344	fxssvc.exe
1296	elevation_service.exe
2580	elevation_service.exe
1200	maintenanceservice.exe
5016	msdtc.exe
620	OSE.EXE
2904	PerceptionSimulationService.exe
4476	perfhost.exe
4308	locator.exe
4828	SensorDataService.exe
4940	snmptrap.exe
4516	spectrum.exe
2368	ssh-agent.exe
1968	TieringEngineService.exe
4552	AgentService.exe
1516	vds.exe
2252	vssvc.exe
1780	wbengine.exe
4080	WmiApSrv.exe
3836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2dab495bc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af5c94cdffacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000109970cdffacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097db76ceffacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca6742ceffacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dc077cdffacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebbf96cdffacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004096aecdffacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2cfc8cdffacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe
4592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2908	8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
Token: SeAuditPrivilege	2344	fxssvc.exe
Token: SeRestorePrivilege	1968	TieringEngineService.exe
Token: SeManageVolumePrivilege	1968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4552	AgentService.exe
Token: SeBackupPrivilege	2252	vssvc.exe
Token: SeRestorePrivilege	2252	vssvc.exe
Token: SeAuditPrivilege	2252	vssvc.exe
Token: SeBackupPrivilege	1780	wbengine.exe
Token: SeRestorePrivilege	1780	wbengine.exe
Token: SeSecurityPrivilege	1780	wbengine.exe
Token: 33	3836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3836	SearchIndexer.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeDebugPrivilege	680	alg.exe
Token: SeDebugPrivilege	4592	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3836 wrote to memory of 5692	3836	SearchIndexer.exe	SearchProtocolHost.exe
PID 3836 wrote to memory of 5692	3836	SearchIndexer.exe	SearchProtocolHost.exe
PID 3836 wrote to memory of 5800	3836	SearchIndexer.exe	SearchFilterHost.exe
PID 3836 wrote to memory of 5800	3836	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f92f9b29e3b6b362e570620eadd8590_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2296

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2580

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5016

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5692

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:5604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
b5b9d0d2e6a9c341add8baf2f0c456ed

SHA1
91bf35170461e1f0fce5e05f47820c2373323056

SHA256
9bb322de57b96b0b281f326311eb40a464edf0606c6d9ac204164efd0589b7c5

SHA512
29be677a4c33c17a5860fac6a583fcc30633b04aa7a665755382d8a19a576faff67133ac565531af17e44b0066871082f46ffc347f3b7fcf133e357c2d647f6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
7de7a396764abc98e1be9c3e0bfc5f3b

SHA1
670b268a06f8b12929e9290c01302edb8cbf394a

SHA256
796525b9f347a1b8997a88402c0ff30844b130e152ba887c88cfcdef015969ce

SHA512
7322913ce3f69e690d62d6feb02ee8342762cb3e956e288bfab3498f735c04c830cf4f63df4bb48c47bf4d347d9428da5fdd785e3a8b431be6f91c3616002b41

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
0ef6d7a6034aef39f103bee42e62c874

SHA1
e3de7a69fdfbad15a6cf810aa45c10108dd1a859

SHA256
b42533d52a90d2a1893dffa1b97d30429b4ea02fa57e1b70d5732360ed0f75d9

SHA512
0cd1cc2681a9a21be2fbb0737ec4440d949410aa10f1cac9093ca540d35d5a76b014209876ba897b5414431a6e730ac7700ead4a33bf36421c1f9d8ca31543b9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6ed6e5454ead4129d25a8c6dd544f4cd

SHA1
821116f027a94c8401a80d3ba4b1ab9e39793444

SHA256
6e20ed056da39d584335c4225dad68ce27c632d6c9ec8755542190413f60cb43

SHA512
984997ef20344011ffd370979923f4b0e6b85073ad8996abe00f7eff6e9ede61ed003590bd4f2276f41a18df3f8a1cc5c7a9bd94f3ae88d389c12251943d696a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2933cee769d9984c0977514933e3c3e7

SHA1
cf771c2fa1f8e838eb0aec0ad8188a3e881acb6d

SHA256
6d12c1ac2091557af5b8d99dfccdda3e8cbca62e5834da71505e2964c942dfd3

SHA512
660c398869ab93078acfa384bd0d1a6700dde973c892389f2da2618902acd461e87ead75cd37678ea8ad674dc7ea694e5ae21849d61544bf2f632d8cec425238

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
f62982ac10b87f6e994fca1d0f9718f2

SHA1
1a7e13690f40806901ea6c7116789fca2433a073

SHA256
c104e81fe76945947fcfa2469d3a1a6288d2387a36a89543eda0598ed0d7f23c

SHA512
9fa22df5c71bc62cae6b819a9feb88e683665fe9938d8c8c158e55be2aa07bc762bdb0cd20dc23f7bf77a9ec85d1e667ab4fa3be130320a24e6457b4a8db9190

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
33c6791d3cb708ad07c1d64bd14b5b9b

SHA1
03287fa50a5a8c17bdfe7ecb818ee81378e0b1d2

SHA256
0539b9a4190af28386df80bcadadf10c55ff5d97b0254f44b6676f6f090755c2

SHA512
b63108dc0d26c1bdd2badc10d9672298d88519714b51110c92327611274ac4b8c85efdcfef019d97b56aec373adf668b99f9076cbc972d2fc64299c5d866a8dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c7af1ffdc9b1ecd9618aee620fc7a731

SHA1
5adbd0ca43d3877a196754bef974779c654f4711

SHA256
97e290d78ea8e512b7a9b7328597bf30585063aba2774f294a0c09eda706a215

SHA512
2b97ef585f0e50c13f2cb4663f95ead5db9fa6d6dbcdc0d14fafb6cbd414e4d0547382381b3d66c5504185b83b9978e185c78b6ccd4cf434e698be3c901c7b0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
1ee06f67f7148ae3509ae6999b05bd46

SHA1
2bb20072d134edb6ffb4a4913aa21a50f46cc0f2

SHA256
d1bc4a7cd89f5b2c87518925e797e3a231d7fb9f8469a0a3baf6e5ac9c7fd740

SHA512
dde813a09f2cfdcda753f142c5ca05ccc61e8badfc29c856ad38e3cd7b1f561b697dabb31eb0d1cdfc86538db4770c4fc845a9e44905dd69f393c74eef365de1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
31e02011d05d842296fcdd4b6acff2ea

SHA1
1dc07bb6c1470f9c60392d5212f0ff6b814b1f99

SHA256
0d1c94c49efe709dcfd33f7476468f952a801a83797dd179ad564ec2d3b83d94

SHA512
90765b5c0138422e11959504fa4eb445f49f4904031fd1446e2aaba1b387b6a58bf1cbc85a524d1b0fc52bfe15779f17fad433c5f9f2965e43aaf6f3a7aefbdc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f3585ec5fa8175dcf0a4fbe248f1bfb5

SHA1
40bbb823988ae50737623c00d8815153a53bccd3

SHA256
6874d76ab405970788248cdf82d57338898b15aa55afbadab6aac4592da21206

SHA512
179d7c4cb26a8ddf0091eb557edcf0f99fa53315574c60343bfaa121fca3615a4429c8270459f50d93efe81e99b67c5c10720f2787d9620e87d7de42074b1ac1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1023af58011da5905cad0066de2c3377

SHA1
f0cde9d3d967f3ea8d5e9dca3b8be6d3a6e1d2d9

SHA256
03ebe55becf0e0a400144b0351b5d51d6c11672c5038e3d4e4b5d2bafba503b0

SHA512
ca69f4dc8fcc7f22b797beb2a4b07869215d0ed9ef744a08889084763dcc230d5fda36105995ce65ffbfac41b050cfe439434fe838a8268bf2dbafa9dad3e958

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
5bd49e6681c8640a2f4e3e41d951d2d0

SHA1
4f1a72573c0c537eb1fe9f6a8af15c0d539ddfe5

SHA256
d95df040185da0224f34e64a33a20c16e6eea2e81ee51967a0cebd558c7ca6fb

SHA512
577b6377aa8bfb492f6b5f67d45af9b817e510a8f0ac14c8952c97ae740a25e97e6ab1618bf9ba5f27f90ac44992d7089979e3d5228fc2795bfc9ed127f80e6c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
8f3475a90caffcbfc5e7a2d93afee4bc

SHA1
9eb133c747b01e8d0d26b8ad92577195a8993e7e

SHA256
24cf38c379ff76c1f5288b0049666fc4227c7dcd34086ca61346c5aa16fa2ca5

SHA512
5b6ec222d9b5c26b7ff98614c9a9ae942ff2b56a09bc827428ec5c1a17007e1f6ec42af6b5909de0c2dfe303476e10a742da1a93ba2b559159ca9fdb2471a7cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
90e4a4773f9b82bde545582def8ac987

SHA1
e99e4eb42d80b5629a3b77539602226c7783534a

SHA256
8c985f7676b03a74308a169437cf85c2915352d558847ce50e746d7e697d4240

SHA512
27de234c2d1236d488931b2211ddf8393d7ea9cba35416e671dd363a95fd44aa40caa7d544c53254d329ca20eb9fe026b84c6d8b28956628f6cf339bc8155f1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
3b887a60a18c458a32cce8e3fe44df5a

SHA1
6789e27a3c35d02288c3f7e9a61533b377084d7d

SHA256
1f88559ae9ab9d5a86c29026d49f769c0215c0599b59a36b29e91055637324e1

SHA512
6332e9ab22bc4ef54898a14a549a8998ad0fd2701c14c3fad9ca1ad599c74fa0e384b4168c4dbef4e516c0bcb64c33aa91cfa727cc1a1482f01120e2140665e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
27f03eaa651d5608252e10f932205281

SHA1
7ee635e4950632c03b13462964649e43c2214fca

SHA256
0eb946b574b95c9cf4358036865b1fc9b886029e4161074f99a90df86ffc55a1

SHA512
2e597ab0d1157d1e64eb77c1d4969926116aa0b1dc9c671764392c18261ee0f36ee1b540be8d7bc1bdeb5fc939a321551dfcf9c16a6abebcb49767c655a14d0e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
87a2245d14af01d68f7d5f5353c46d1c

SHA1
2e8295bb3f2a7c01fbe5d0e7acbe6f898c4b39af

SHA256
a7e2f8ed169a4bc5c194abeae6cd92b181dfb7cce5b0115b81a43472750ba719

SHA512
0de0171cce3f513d2287452665e36497730b8353fd7142813ee1fc84c7cb317fc8affa1a232ca1b9df243e2b07b9bab5ae2a02ec84188614211616db0be4ffab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
142cfef8d9fd53ab73f6b449537482a4

SHA1
d9cd14b2117ef2e11bf1cdf0feeb4edf17d07a69

SHA256
41b8623973ca7b7052eb0a4df6c8200c1f49fea71e8f47b178b84c4e46253969

SHA512
f21be8802132ea7492eda877e0f8f9fac30c2f845808b06f599c428a8254d6bc10603d4542d9897d6d959ca69385c1ed15d2714b2bc946c8fc01a36e1fc65158

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
2f3c2d6c4e3dd9e1c453cb24510797ac

SHA1
75c11641b01b66a24f7507cf1752197286c2d520

SHA256
64faaea6d28635c189eba7e1d15e7aafae38c65b4d8a8281925cf19a59efe439

SHA512
30eb5dc4ebde404ee199f4d961744a3224dd98cb3bbb8c374eee2a8de9aefbf19f2521c1fa7df92d3d610f782bf19a527a617b5d5fc8aafff2ef0178da372fda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
f7c1c37d8b5f34c6e7a9b0aeac7a03cb

SHA1
6565d483979072d23cb65392153807f0c9be3783

SHA256
08e113e787404f28dd0319d037229bee63ea24d9af0f579f307c4e91e9938184

SHA512
ac485a9b206c24b8357e3e26d95ffc22a3d8d1278f771178ce167a5739b0f9d9237d406dc0cb334fba2aabe03793aab9047dd56274fc50a61f7508cca8ab84a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
a0b1d195e90bceb2e6fbe9ca3f7c8cd6

SHA1
7003778482f9d8e793857a1a7e9f4edcaa684145

SHA256
7e1dfd62bbe84ac49deb0ee6e7681d41d2493627f1ad29b354f139e6649bd2b3

SHA512
ca90679e30b4c4ec5cc4f8551a67df94b2e41695fe7a77af635ed6ff54db38f16131fff01716c5ef7e23e5eb68bf6581a0f810273c33b718938455238ee5bcf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
6fbba236623c05ddc90e8443f7562177

SHA1
2f5d413b910cd2871010b4b537c831ff0784249a

SHA256
1d25987169a8974335cf6f470c98ba17261fe07a0dd339ec4547253c23aa73e4

SHA512
58633b338a58168b104654464029861ee54967923198bb232d4b5ffab432842fb13b5b7be2a93b638de33f2c50823078f2ab2839b2715821aee7a8023a9788bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
dbce73ae70af97f80395e98b95462e18

SHA1
ea98a2e32d1a0b13fed38e9141c17d87a56c1115

SHA256
a2adf1703a0755727b7ab1854e1e00e38fefe98ec1267651109d5dba9a4b7391

SHA512
6acf7a3c843e36bc277c1bfe9a9d160c1304d11c5e1d86f9b9ea2ba59305eefe00ac41e1ca6500c1fa82acee481a0e99cfe561b9c71d02b43f991e2e84a16bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
a3df293937ae669b5703106d70413999

SHA1
1ac019f1f361d34e86b6c63183e0218c0247fe9e

SHA256
67f056d3214181ccf068810b0b79d7c28c2133aa26963162f3e7e792e2bb3b16

SHA512
7a4ba86d33f2de9974a88944eacbb4ea6abe862286f217c5bd41b1f695233c9eb4a8dcdb055c2322217b403c35a20c9eb1ede78862fefdab42fd58d3713003c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
c0daa0f1442e674994b07a1f088ee749

SHA1
355239154c60d048bd4e87181b48f322eec36de2

SHA256
ec1ed35654f056721b2f3efe3feb5dc54410424cceb84c3e29cba68e835dd406

SHA512
f16d0a2363a0df491aab6ff124c26de296763d16af490cb09750325d62868b3bc688ac2ccf7a5b1d140334c3b3708b16cc77f4883e0d206be603409f34a2d8a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
fecfa043d31f40233fdb84e81a1b46ed

SHA1
61799a429d09f00bd70051e5c84247c960ed4ed7

SHA256
f8911404cea8a34949ff91317d374860e90809d62ad62fc833cdda1a3daaa606

SHA512
8bb308c16d097f4ff0c04575ecd29a3a8865facd95b1278be12160b8cf946ff77728c63664ba9f78ae42d02f139fac9132c8ce661acef62dc7279c3cc7553bbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
8a3286fbfbfaf64729010d4e8ad8cae4

SHA1
7dd573282660547b19892627b5c76efb6565d816

SHA256
cc9bb28bb0733cf976e03f2517e8f4b55b694e836516427a3f1c92009b61d638

SHA512
a49b3c2c21a6046149d482bb9fa15df26ba694fccec109df658e25a8e199f27b1c35cd3a05afd47ce4ff9a387efa878ddfd45a16aa568c0ddcb0eb2916c27082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
7278f9ba5e2243810ca4c6bd2f2bc4a7

SHA1
b724fd425b9e9c3f6b65a298b3f86b2219e8e80b

SHA256
2df613e68be4a652ef8bb4cc831a206cd9de7db9dc13d8aa3b549f5741db6cfc

SHA512
ec02685a2dc4654b9613684bb3017bab7fb5d3b64ca815baa56bbe45b575b1cc3dc3e0f379f11f4ac11310c724f7a66a51bb65dc0cd55e0ce0f7e7da4c784434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
2fa48021158299243369281db6d8f161

SHA1
7dad6965a40224bd10774e8f3b82a5fc02253057

SHA256
1877125ee6c04077f6c58d1edfefeca728d804b18c67b71196739ae7f77a62d9

SHA512
b23c2b55e34d5e06467749fdd1f7a790cdb762e9efb5eb9e45134e476e7b5d364b9100ea5bd299aeab0ba964de4ef2fa994aa1e1b22dd17c9b1dd378dbe5e524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
3de0e5b9f8feda1b1367e766d82d8c0a

SHA1
e1a3ba3061843b4a4b8b2417311040af079cb67b

SHA256
c081f2f1f00daf50b3b82f2e7de2e4ee33d445698bfc1085020aef76e56ec29f

SHA512
514db6398239c27a1e5b75b148e6fb2be01e932e7c1b19b0fe17f195caa8256ec1748848d1e2e13f3e26e3fb8fac80afeaf71be7c90fe769b0f1385cbf8b2a3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
bc4652b182342d5d633c50ac3dc2c9ab

SHA1
d09fe8e16967d4124250733ec3fc8b4333c24105

SHA256
307db0bd19b3cc442883471b5827de6b0a1a2983eb1a0c53f5d070aa01b1d5be

SHA512
8a1abfa2565ba4694d2644813d1cf22dc5579f39f2ebe3094291c21158613a9888c1a96afa45ba704d349f8b9cc61ed6e4e71f7b511f07891b4d468bd20d061e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
c0499ee53dd0485ec24deb190b99cdfa

SHA1
57aab495b1cba7beb2bdfa3d670d71374b78a962

SHA256
c54bd749e61d9249655efe55a695a2c4fe47b44e72f8cc336a2bb96d8190c86f

SHA512
8b223a8fb12d214cb6b45e565a3f4576cf4ba07cb62a0be50bdc1112c294e49414262e91cc2616da158d512c43c13f2599ccccdd3465d36d28be56fe7e1f1fb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
cef26d0141f024dd62d5b59baa3740ce

SHA1
c9867c9655d6eae630f6ab1c4470f7a234f9298a

SHA256
8db246af859619dcba0346c59927cded842baff8fb8401943158a60c5611dcd1

SHA512
f582e3a131a7c7f5c03f0a64b34fc64cabd47f299dfda8529fc634ab38e26e0c2534d2d35aee2d5fae73f1489ed24acc69a04812a395b5c9705d1c203075fd6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
69ab93e7091b8d5e29b78070bdefdc70

SHA1
f4f89def81e131a991cbd79c9d75cc22619ee0ea

SHA256
a6064d97bf543aabf267129437a038f2f19af8b40bdc2eea0031967824502366

SHA512
b4e3db4d4e70cacb9785ae0b59a08049ae5759389dfa27cf38e1cec70ed8464c03483e0dc093e06cab36379d23eddb8076fdd0803482b4f4d814d17eeae3378a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
e11a66857f2b7e2881605a55cc8d3aa4

SHA1
bd09eec7a48ed0cd32a9cb97fdacf5e9c2c98d39

SHA256
cdfafe4e1de58cc0f5b72b8532e17ae7d2704668c52a99f99ff976e1be5222b7

SHA512
7b2245009e42cb537d66c7b5333922cc246c0fc4455faf41c63a740d44fd682ba7cfbbd0959104d82f2eb7951743c6f95337a4a04662295f88d9a778cfe72a93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
d95f3541c47c9a7cc54607e34eb9586c

SHA1
c9ec9a2718aec1ff06445666c13ae4f3f9dfb1c0

SHA256
6b06eb22abd8348c7ccfe0750730f5c931abcd66c31ca9b05faea52012586411

SHA512
017923fe7e9c7c3b4e9e14a67887a99c5ab821bd77f7858acf8e9a5634930e55f6e3ed3c5a3f1da8fc32a9ad06685799a485ce4d193862221053c3b4c9ba262a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c1487bcbc190841024779ded7ff3b667

SHA1
8dc005a9313cf96bc33d356fdd190fd3045b7a0e

SHA256
a3e61a20228f8be75f9a5e5a2b1474efc83da36419c6cfe1d7701eff815cb22b

SHA512
a0ebfa7733de444000e72783994a893705edb3dd2db54c8e182ed08c5c6a85d55cbd5b491644b4edd3f712f232b4e532440390cd944c527d86f2e4f7ed37c695

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
761434b8510dae072165e3b669b6f583

SHA1
7609564820cad3d3d924c3817946211d67bcfa0c

SHA256
5501d506f742c55ac49d190de2c0b69c9f2c312fd676b67755baedad46e1a60c

SHA512
42a66032e8af7385774bd88aa791bdfbe663e7adf56b7266257b556aa6a8c97a952076666e686d9a934a1d4f731ec394cbb73c22a70ab0df74b758e4196491a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
4fe8140b473872c5ce616b4b197b6405

SHA1
9cbc2a93e8be3619a8273f6f93617d0f12fdd47a

SHA256
61f816e08e2dcc08612275c678920b17733639e186141f70c853bd1b45a50415

SHA512
fb4bc62021e6097954f69ebcaebc37927e93832ae3535229ae18dc40f9a6f553c91ec0c5801e85301705149fd03f7ef99939efa13ec2eed72d4b374a334643ad

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d14ac279c17cfee7234837123810429e

SHA1
3351deaca664cb4aaa34f5509c738677ffefa9f2

SHA256
0585eb5b08be00968f769cf943d6fb3aedc7d7d209212f0869c321e6c3b3e06b

SHA512
12472743866586df53c74ccb69db6f002186e16b28c0f4ebe821afac95ea7c89f14252a5660a8d74411cd9f536fb849b855916f3528bc2ef759e9497f01f1216

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
848835bd2c685e143570bb79d2e59d8f

SHA1
9a04356c9645387fe25bd5fb32e2adfdfcfa4b18

SHA256
0838448a7c71def1082c220a09e0ea71c20ea8ea5bba69016eb22311746eb25f

SHA512
40d79621478228d793fe52e59127389455f636ba8e9a5b6c44917c92c18d032503d69339ae6520f8a88cd9e2a033a50e36b877b586e1f4ee09779ce8306f28fe

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cb7df44206025321c28533c37b6e2d77

SHA1
368451e25628e972985540c5efd491b5e25bb609

SHA256
25aba4cd96aadedff9ff3dbdad0bdadf29c71e939a18857ed0fdabc97dcca6c2

SHA512
85170419bc553e79cc3a7982cd82012d193e1b997e073a60f7476c8358f9dd7c31b8f6fbe3f05eeb9e9b8c3828f48a9b06b0c6ddc2e27846f9b84612b6af10cf

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
9436e165b83fa636bfd2d8a04906d7f4

SHA1
63d4a79c22c86ad0e7e4d7feb9dbdd15c32d129a

SHA256
22b357cd153d2cb59305e8d90a349754b799d6e3229f44593120d193b63ebdbf

SHA512
5fa9cf182431d3e0d362458670ae3f58ac1edac499f2479cfd3b8291732fdb2b1e1b7f9132066f39907091774dee4539a1db2a3196de56ee3ff6ec240f55e1b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
7c7501b7db49c1708e5c51013f3bf37a

SHA1
2e3fffeab4be1f8d5d89bce6940b4b7919e907dc

SHA256
381f613b70c42b7839f13eb7100eddcd155f3ae4f03bb5b0157987e67084e21a

SHA512
6694510f376a6ad8a3acc089268c864b05624617333c2edf208ac99ab9ba7d9d110a9241dd93f764a8dc35c6814e4735e865202dcb1bf6dc94fc7f174659ed3e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
fce090794ba8836ec6f9cc743c427987

SHA1
b0088977f5a77ddee0e8f0f9a98463c19974aed7

SHA256
473c5ed377c642aa0baee7e0f782c0760ae6fca48ccbb8e3bf2d6db5be0bb85d

SHA512
38f288b294b18562ab9f6d0a6b86358cdb6185a8cd59f8a027827bc8dd5a861e60bc1f57ee35506fe906c554b92483e18c2a6db0211bab54ad048a3f71a05a03

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
66c5deb711481ce9fab961e671cfc223

SHA1
b4fa66d6032da1a3218af15ca3ded84b682bc346

SHA256
ed0350cbf9c1e78660d296aca1b31b3b6114c2c2a53be73e6901695d7e3f8f4e

SHA512
113d824870f04ca330dd23c9e2eba52478d64401a5379b22b232fada53f78555598bb4d85fb837ec30f5817be4d8dc235276616c4efe56b0dfd777be14f62f2f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f7d3a657f8f606d5c2e6ab0aec35728f

SHA1
c7c249fad7fc61ca650d034bcf0230417d530856

SHA256
7012fe028b244f20d12b15ab37bbc8599b3bbbd0391b7a0cfe2560f9ba00a2b0

SHA512
c8de6ec5a2b1a0a4bb8e4e0c3026932bece8b1033b166d682ba18ee96d31202d0871dd50291d4337b6abdf6c623cce66b0142fdf0a6472047877e5bb1a92755e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d75da43e2e17ce3dcaac2f6789e0ef7c

SHA1
0687dad8e20f0051b2487b065853858c2d820f18

SHA256
1a5d56c4bce2159e70a8cbd6c7c44ed5955cafe89c1308515d41b2b0d5c89ceb

SHA512
e5d106a01ea4265cc7aa397758e00572662f783d0d9d43a293b5bbbbf3c908c255501ff2e200b1fa7ed8f415947f0ebbb134b507f8ccf50fb03defc7139c388b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
d2fb3debaab4bc0dfe8074ae0f729fb4

SHA1
992815517ccc7c17b12c35dad2bd8db1be1bff17

SHA256
5a30121e90b0feba9798729b45ab70b220f80bf23f8aac64e77dee692973321e

SHA512
e7c7b7c596666243c7d927cd1d0776494e7088ca5615f631502f2201ac3cc45e7dd1685b3589a9033a4ddf3cca05b40e393b63dfc5fde4fa3457e504522b6ac2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b52ff9409c05e9f4101c4ce463ac09de

SHA1
164632b5d5df91e032c83f4d0d7e31e3bdb34d3d

SHA256
381627a2f0cdf639aa5320dc502a47a69e6fae4dbc0755b8482bb832098355a2

SHA512
9686bd6f25dc178c29f8d05ce691d218981c584860d20c20721b2f896adb508fde7cf1828df09c0df8b20f0c7a76e2ecc771c4aa96bed8eca3e983d17321de94

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
c38c53c88d1cb2018e06d591fc2f3c60

SHA1
ff491890aefc04650c9be50e222a557577db70ce

SHA256
3143b52975930e82ec18b34647b703f9ed8c50574b29166985ee5ad05febc849

SHA512
55c3085649551f6d681e70320adc3c8ba2c2da8df927f7ed0ea2a0053b4f45ce2b576ba941f5950fc553da2f8bf50b8df831c2a5cd7afe04b1bdc0496f02112d

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
72901964f4fae75094a7714713698ec0

SHA1
b3e8f1d0a7419ddba457fe15fd9c9d06ea933a70

SHA256
42a089a74ac9e89697bc1000800bd8a7a13000a2b0e2e90c6e4109e2d0f65f4b

SHA512
16d566aa59be4cd331e22d344b3aadd087a8751da30c8992bbb9f60f0b715eac74885ae82fbf970a64dd14f85608852de3acbc8cae18d98f758defef9fb7edaa

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
40d605c06ac2c0e5e279a39f47a28d13

SHA1
17cbc341406512061fe04cef795d943a9d4e2b2c

SHA256
2047d3bebfd44d990a940ad9de81cfe9ea3a88d3ce62606aee56534d11f98c18

SHA512
cce4788dbd3d2f6b2b58ec53827267ca94e6f1e07352b855b055d7af0480e96b85e275101682c6cd9af9c99333fd9040a3b327fce57aee540de7b6995c16a421

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
1fa4c6528f2cdc5812e8a27551d14d51

SHA1
4f8cbd23834e71a5e29c7b467e0d83e59f54e33f

SHA256
f5cfc8de6260c0802127ba75845e042f377907935a5b6dd7e129f11ac5559707

SHA512
6db582fe954d64f68c147ffaed7f7c4f6c12b90bf17b655ebc9a007bf6df2ca45fac6e4c894293698c5e9dd72d0d88ea68ff2e01fb8065addab4509f872e1eee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
03471680f0dd0e8032b06581fbbb4d19

SHA1
659f6b89ac4ac641d7e5af926ef627c84fa82859

SHA256
a614d1a693e53cf36f3658787c12b30013b017febe9f3190a34f730fbe55db49

SHA512
b418c86c8d6996524abec8950c6a7ffa9a85783c6a5c3f18e4243f88191622fc9b50e20f5af7994050685d2fae77aeae2e8f4eeca5384f4c223598d88ba74e98

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8967675d51d88edb41138dcf2602cdb8

SHA1
83fe6da059f550251739f56d8c95b364df81c0d0

SHA256
0e9a6a5ddf484c0a46c08dd2eea30b48586c1f073ffa200d04209c14fb77da6d

SHA512
eaa5cb894255ea44bc1d097e61481b82d236277c06a5a10b7bcdb867778757eb685a53789ff99af07449a3e1518be7b2f164afc5abba14cbd91c8e1eacedfbd7

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
378eed58d6ab038251732ecaf0bf9fae

SHA1
645aab3a570c6b8f81f4fafb84aa1cbda7bb8775

SHA256
2ae7fc99ced08bd6d0ae1aef5abe0631c523850d5df97453e73e35cff3f966ea

SHA512
2bb9a495dcfada27b3c2c5498b51dd05d7e12ff838ff4306a8991c2e407783afaeb39b2bed87086517cffb8ba55dd23a52dafeafdb952eb1d32aaf8fc3cb0e07

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
3b3cba74c4369dcd980867fd3c47bcfb

SHA1
e107da91ac8b10905d11eb195a64fa5257294cbc

SHA256
8d877365ca5218f0e96b9e0246607889c70c4005796a7fb67804088f07923f5c

SHA512
6d93db06b702a88f476395383383504c0c24d3446b678d82017f11efb8962c20058cff3d97bc19d28d6cffb22c161892853c73f69d86e87227fac3ce53559e0b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
7d8849e5507e26ac87cc7545a2a4c1a5

SHA1
49178761653b3336b6cd61a356d378baeecd699b

SHA256
e22ff7acfde0fe7511b087eb1efed8c0dd824567c5fb70fadcf987a662d227f4

SHA512
63740e12c9d794942ed9af89062f5795acc6da13cd3455917a959a53d2721076df75c6efec63364bddd47ecd65425c0110deb6de8c6f1b05abfbbcf2d50c60ac

Download Submit
memory/620-537-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/620-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/680-156-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/680-18-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/680-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/680-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1200-80-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1200-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1200-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1200-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1200-89-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1296-532-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1296-58-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1296-53-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1296-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1516-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1780-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1968-271-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2252-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2252-538-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2344-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2344-46-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2368-270-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2580-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2580-69-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2580-533-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2580-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2904-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-7-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/2908-1-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/2908-110-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-0-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-468-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/2908-467-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3836-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3836-540-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-275-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4080-539-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4308-158-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4476-157-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4516-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4592-267-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4592-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4592-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4592-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4828-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4828-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4940-268-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5016-90-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/5016-86-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5016-534-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download