ab96d07c14df363bc4dcd980f1cea87d5d2c9085df7f436c553d3aa88d0dd2d3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Size

1.8MB
MD5

507cf054944628299cc53124ce753640
SHA1

25c88d946c1a4c88a744d393d10a6d29af0af1f7
SHA256

ab96d07c14df363bc4dcd980f1cea87d5d2c9085df7f436c553d3aa88d0dd2d3
SHA512

d720a8dffccbec5396fa95a4bb5a6720515ac297029bd913aa961bfa4a1175f06bc1b815138213950526f14cece2a4bb1c3b256e562e62ce35291ec13a04b939
SSDEEP

49152:fEtnrICSooGSTs5xbX022fjBxrj3RDmg27RnWGj:qrICSbGSsH8BD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3096	alg.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
1400	fxssvc.exe
4436	elevation_service.exe
3676	elevation_service.exe
3908	maintenanceservice.exe
3932	msdtc.exe
4188	OSE.EXE
772	PerceptionSimulationService.exe
3036	perfhost.exe
2000	locator.exe
4928	SensorDataService.exe
3276	snmptrap.exe
976	spectrum.exe
4396	ssh-agent.exe
1836	TieringEngineService.exe
888	AgentService.exe
4276	vds.exe
2148	vssvc.exe
3296	wbengine.exe
3624	WmiApSrv.exe
4432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

507cf054944628299cc53124ce753640_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\vds.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b8e1bbc92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

507cf054944628299cc53124ce753640_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

507cf054944628299cc53124ce753640_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008c585b710aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075d47cb910aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec04cab810aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd7985ba10aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a9d7eb710aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000300c2fb810aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c3417b810aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e2423b810aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b4b19bb10aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

507cf054944628299cc53124ce753640_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe
4892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

507cf054944628299cc53124ce753640_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeAuditPrivilege	1400	fxssvc.exe
Token: SeRestorePrivilege	1836	TieringEngineService.exe
Token: SeManageVolumePrivilege	1836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	888	AgentService.exe
Token: SeBackupPrivilege	2148	vssvc.exe
Token: SeRestorePrivilege	2148	vssvc.exe
Token: SeAuditPrivilege	2148	vssvc.exe
Token: SeBackupPrivilege	3296	wbengine.exe
Token: SeRestorePrivilege	3296	wbengine.exe
Token: SeSecurityPrivilege	3296	wbengine.exe
Token: 33	4432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4432	SearchIndexer.exe
Token: SeDebugPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeDebugPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeDebugPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeDebugPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeDebugPrivilege	3076	507cf054944628299cc53124ce753640_NeikiAnalytics.exe
Token: SeDebugPrivilege	4892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4432 wrote to memory of 3240	4432	SearchIndexer.exe	SearchProtocolHost.exe
PID 4432 wrote to memory of 3240	4432	SearchIndexer.exe	SearchProtocolHost.exe
PID 4432 wrote to memory of 4212	4432	SearchIndexer.exe	SearchFilterHost.exe
PID 4432 wrote to memory of 4212	4432	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\507cf054944628299cc53124ce753640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\507cf054944628299cc53124ce753640_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1724

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3240

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
edd8ea71f86fa3ef34a1cd0fbc59f290

SHA1
d3b16267026eddbe666961bb3c68d478d8b88d71

SHA256
030372b0a745f85840d8f7944fa007c7d9cb4b955e120212461d60e3e529389b

SHA512
7db54906da5e95410db86f9f8fb125e287140b02c730bac17db53db881f6b569ef4a183d8ea013c0b369e432641681f4c49fa8873618d57efb1da1389deb739a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
7f2a7169fa4f11f5f766be8cbc233fdf

SHA1
70e14b5fd3e751fb6e857affcdbd5dbb09d755b5

SHA256
2073119bd9d7a99ef8769eaac2c018d15a0b92b6af06cfee1f63cf69cace5633

SHA512
1eef0735b0f64a7bf1def2dd9916620fcae7788fbaeef1a48912937e5a6aea1a428015a3e0a243d2829abbe49f14af84f594d48db86a61fc61c46290c2bca134

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
429f4f806bf80d7bf86738d23791cc80

SHA1
94aa3d49531c124ce2647ca1dd39d156016b9754

SHA256
0817ba8875e66f42f6116ea855cc5805226da2ec63d251492672ffc1ddeac4a2

SHA512
1db88f29a3d2b9f9b3ad843a0aa0c66471fe4e7ba5872789f00897862c45eae52e7d45c4d52b19e538ae7e2a10208d1dc8368f13c73d8fb507bea0554f1aa506

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e84f9197a8ce8d332c26ae70519b5eb1

SHA1
651fb9d956b421603ea11d5d0fb7d7d75b69b3f4

SHA256
f1c86503b2742a0f392555f45a953bef1a405f9895e44a15c4dbd3c89c36a4c6

SHA512
7722171b6c4db02462a2831503b2406584b46550836e7a8806185da256fd097bd7390240a2698f1b0a6d395308780296b54fdeeaa9b738a55be584511dd8c4cb

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
29538e09ca8a8c83ae8abaa67db06687

SHA1
dccd8fac8e774086e3c1a47b1c2820228a469465

SHA256
d5b6b5293af7dafafcd7df8eeceee05bdafdadbb34b36923bd50dba831b3343c

SHA512
bb1c99ce7003bced8bb6a1365f713059f05c25c069a7bd6b149204af892014f5717dbd3f055d4d77b37b301ad85842b0cd63fe2688f77d247d6dae0748fcd528

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
76176f50be0e75fd2d78691bc6d0fa70

SHA1
e258b49b3d11719480baee8ab093d71e36f23f54

SHA256
dce768ddfb091a5d85b0de6563cc3e3790537216727f311b068b41c4ae9cbdb0

SHA512
870678f1e644b76b6e08b4bafcdd79cb8247927260c4a1b4dc6a08f6a89d1dc7ad7e4e46afa2a440356dc3cd16b10fcff10d2071327a1c0d14dc26ca8c4d3432

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
92d69ba6cf055efef7c0cb9ef18fe0e7

SHA1
8d6238cc1b74f288467268e315df7bf4e32d49d2

SHA256
082e10c92b9c6d4d75b19c46c548b62a89fd2a91ca38161f1e1ecd6e081817aa

SHA512
b6fe931c4f4ac66b319765c8e26100b5bca0b306da213efd1ac56e08d054cb112ccf89d31f7137105de8d8a0bc240d6343fd39cffa2822d9993c72dcccfcdb06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a4cdce4c312493fb58d0010d03fae108

SHA1
f49b93636eae21fd8c6899fad9a83cc07a52ff7d

SHA256
41b319c7c9591909c0e8e81e220d7db524a213c6fd2b78ecf39fe7c60ab6b5df

SHA512
63ceeddd826237f47428908db071761fcaf259d8cae6f73a6d6376fa8ef2e13e4e2621c28841585338192f7d912eea33f7cea738a9cc5c9c49e69045a0f5e3e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
e98ffba047a4515b0a79e32fdb35faf2

SHA1
b6174508ba6eb4ad527de2b4a267eae8cd56b963

SHA256
42d0e68dfc35d6411ed4ef835bba9d579837c67f5ba79a770552daabf9a71ed4

SHA512
ea0a955298104b998ffe36e2a778ea981420580b268125a2d02fcff5dabe048c472e647eba49b2c40d25fc08aabb3ca560aeda1ccd94f9d629a72f820347f0af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ecca8b2062211e61a0d520f691798921

SHA1
aa35dee64465dc0abac19aec4744bd06770f51f6

SHA256
5a9197c104e16e822cc7bfd357dd6b4e5c93e8b0bd53d1d3cc49c3a8842536a1

SHA512
3738c25a0503ee813774c566f091e51d95e85eab453b1e32bd1bc84f96f641fb838fae5f7ad28c2511223368158e4519120911c1b94c429d9cddc49060bcacfb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
1c46f5f1be93f8a5f1643f32e7feedd2

SHA1
c3a401c31fe313ca71555ebeeb1a2215e3a07033

SHA256
875213c3035b2ea55ee2cc89da4fca2d6fcd9cbf39c1da6831cfce274ee63575

SHA512
739a60e39d26ac238c113d8a0e26d2e4878c5a0d1690bcf03e2c7b605cc8aeed040ef32713255eda9edca988709e9032735aa434f93e2d512157f547cb68e96e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
0deb4a2df8989dd3a121dd93621a4fe6

SHA1
5f4283ab8af2556906963038a3fc445ec2a29f59

SHA256
bea1b2d8a83957379bd3ceaded528f2bdba9dbb41dfc0dea670dcb6d60f4efc8

SHA512
221758673949fbcc5249b43b2880bca15ffd9d5cd24160d33cccc4318445fc0d6b0d19c6cdc8582a5ad700fc9455cf1ad3859c5242b17fa2f62a6a6d22356776

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
d1548b36506151f7e621f478cc2c4125

SHA1
49c189bbc278079a488f65553d7ef0d4c6a5f296

SHA256
27b0e3d680a36bb85f808ea3169c7b6f5b29e55cae6657b31234c911dc89f523

SHA512
3005c3aeae960aaea07b902f7caa24e81ba03dc7750b4a76f47e2c27effc8c5fcd35406d1d16b335974a856f62f11403f89b6274c3a1f9c81d3369a13a8cc519

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
20d776aa0cb6cd23f19fce9bd477d98e

SHA1
5280253c2b2db15f9d0d856a8a7ebf4f2e23e968

SHA256
8589a6ea598617f46b04575d786edc6a383f0a10f498acb4917644cb512dcb0c

SHA512
b24c7b3d0e013923ccfd24816a2df4eb85a891925261037bc7180b41a9f26880907e7d4e6b516a66dc448bd111163d2f37d34de346d94e4a1ef38ccee098b95f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
1c4abab98681bbb05bb98571ed0053ae

SHA1
447cadfb100a40a92ee84b60494fb0d9492658b6

SHA256
15a58922d55a1d79d0b3a5c1d3f95244cf65ab0f830162a6d44b9639176c5274

SHA512
10b4fceb24b10af6262604be6e0e55a3ad4fa054743c7ce806d514b8cb9e096b546a3e6084a363b99178586e1f568458fd9307efc1d8ae1098b211bbd332be42

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
8ec85e536e2aa29672c1e5258f0b9d5a

SHA1
5b0e4196d8205481af5047926b4050bd6f6c6b96

SHA256
d833d01624100a3dec17534157a36a1ab3c037636066c7c521d4d83612132ccc

SHA512
c3865c1755118d00a590107de11101a7a92a8ab9d1c98f6bc28c0eb467ebb14da0ad0f6eb6fde1e4c2edd65f0596e4f1dd7fca456e6f3a83494c37b0a8ee158c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d51a04521b91d00378b22b90aec7f10a

SHA1
a7e6511072df6650a5bab14133490f2ec398a95b

SHA256
9ef25616e3ed3c18c50b72637436e6dd7737782b5a351287015352183f105087

SHA512
3f06b381844149b24e0a8823f66b70eb752a045c7676ab0a5812cfb92656b9635bc20db880c4cf67b50cc0aa44ccb28c13c5b1afe076c58a60b1cff500e0af2d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
da27669b88eee76fbf2cd138bc540443

SHA1
0b183bbd7600c80edea3f225d99e7727cbe1b179

SHA256
6065a43cb1f15b4ff8c04e610089dd3d549343b218f9b37d0c3388ee92483f7c

SHA512
9515bd868cd65aeadcaaaa0d03d5f61a7c801d247d176a73bf9381dbeecf1617884e8215016c535c1f9f19ce62f351338a930c4fdf4dae482d68692c38f6a46a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
83638f068d0b7d7c4d3cdc11725703e8

SHA1
7378933ce0cb0b5475f2708143d41887d50b1e48

SHA256
70b8c984ef23243eedb1415f4f676a9e081c3a1302ec92667f8e70c50e85ae68

SHA512
2539e28d22461e277aefde570d5914d4fe01b775346efb04d01303bb8dd7ef24116c81382296b73acf032e2ecc387958626e1f61796b78bab5fd217a2b83f480

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
1318b148dbd5518a1c103d4b86188bf0

SHA1
3b9c91d88f5b32911fad2f9e0d35cf9abf7e6db1

SHA256
7af050cf79216db4b14f871fab311baa94ee7dcb6a0ce815373cf16df0a61bce

SHA512
8ec68ac56f18e39b9161d52ba357cfff8fcc6be6a67aa3d1e8383e2e77747056050fe757b39d340896d843102967c67ed4049b1761fb94fb7439bfea4abbc337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
df455804435603e532e297f07fb6c74c

SHA1
7d56bbceef2942198ad38229ba775586ad63f344

SHA256
c13a193cf8b202e4094673eb8497aacb7b7dded927893345a05caa1b4916c510

SHA512
48379d67735a26c1d4e22c0ac6f90e504ae62f16ea2b05b9c59e14d3aa4380b66498f2c2a12afa65e4371db5130b5b6f7730dee6ea28b75a5f79bc0dc2464984

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
0e29d0c72a92b822020c6e918198041f

SHA1
7d6bc8c0aafdfbfd26c0718281cba2b84e4ca247

SHA256
91f465f15bf89b6e5a41740a42f2924ee778786dfcf666631534e9af39fa75bc

SHA512
c21181360239c7e1c7409abe75efbb8a9fbb247bd610ab386ac791049188910cd9d97fa3eb430067d291eedf278df9e967058057bbaabf36c66eac553d136b9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
c42bc781dc228d82ee076232f59072a8

SHA1
0432fe5306b665f48b0dd5ff89e05e41442e3e14

SHA256
6a8bdfb224c1e76c1b3f2eccd9b6d502a51e2ddc831c99bdaa0d1c49d58e7d48

SHA512
f60fb21d4c64edb5798ee3762ee8a281e30b58f429a37d59663ba4d5b8bd3cd39613d58fc73b49d9601f2e280bbea16130fc686e7efaa6bf6500a61991725005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
ee38bbba5dbda6fe48ad9779a69cc27f

SHA1
89c899db4a48493e4f202fa0851208077a9a1448

SHA256
e0df8344038660590afe76465bdc8fe9a13d0e8d77275b9e1d980093a54540ae

SHA512
02b16d4377ef3fe8fd4ab5386ad93fcf90cf1ea179c8887888e2a415c712388b9f3a39470ad25d7e23fd933a0822b7d7eba0631e19bcc0a23d1ccff3a9ad9c75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
dab2532765932df0cdffbe3c3d3c7158

SHA1
2721467f968903276d760eeaf7749011b954f1b5

SHA256
72b8ca8cf4f5851a34d529dfc7e5d352df9aa0b37a42bb57970debb10f30a101

SHA512
cc9a4e2aad680040cbb3101de6958789a240f8bf3e1190ed192016f8fac08900b3075fc1aadfa1f5425aee9ecc413bce309256d641eb8ec32d2e35450e03df67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
bb8d44958adeaf2c17aef8f1bb64311b

SHA1
2c10f8531f19b6271c583b344803c7893a377180

SHA256
ee89a2224c872f22fa5d197a3fe5f6139b2e8ee0747e4664765df1cd9c7018d6

SHA512
118e692a4e66453cad563522cc91c16c288ae29ec0659f99c5c0430ccff35f3fa62d0cd54c8a615b7a36cd449745abefdbfe48c7b07c1364391c4332c368be75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
3014fe3cb312bdeea66dda1637991ced

SHA1
bc2c5c727fd8716319a1d9f1944f610efa5c9cdd

SHA256
08713ff4f4cacbac4d01f49ecca8f40be3aa160e2723c883b64d20ae7d6e68dd

SHA512
2f648441849279a40ab24cf31b477803c35cd9ec52024408503fa7343bee312c7840783b5b6efbca6122a3b2b0ed22591d0948717008fbc6ef9bbd6d20e36145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
9a3e1afdf109c9942fddbb15d2638d63

SHA1
ad36ea41f32a7347225c7781d19eed69abc01135

SHA256
6bb73af75ac9f642758c72c7693591550bbd2e9202219675346cd9cbef2e75b2

SHA512
2d863383b830e06ba271a57ada8a23277bd59f5a47f19fbf8f968207837f3d71c0393c304992f9619337eba3c488a1f36c486dfd107bf7c76903194458822d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
856ae91a0ff3c00e9f2b3f58fd814f2e

SHA1
75e35adf03fb57494a9d511ca5a53c8c80e54580

SHA256
36abc0102edde2a4cfb38dc8441a1160d3b175f9ad88afedd31c0a6a6a3aab67

SHA512
11249accdef8a67f09e3513122bf922d1b41ee6914dc402e4fd0cd5cccc89f332bb9ff6bb2c252bbebaa158c68aeb7d268a64d0c64776e0009537491e15c2669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
01e83609a3982ecb68d722f6695c69b2

SHA1
54837bb2abdd00171b37be7a1b2b17494a8a1730

SHA256
4726a5e4b385c0306da5c8cd230365b1f0e72ca14582eacfa82b4f2469598284

SHA512
6bc45b273df9a17e664dcadff8878f31c914abb2b15acb5556b18d56fa5ed83d5ce0ec6d1dd931b1ed3c4d82a70905fdcc4f841d84558651165ea35c6ed584e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
098400cb8c1907b4a38c8b58d415904c

SHA1
4bcde7a34eaf84805f5e6ff65c5a4eb1f5124cad

SHA256
6b635dbd2cf5830002904c9164ee3c440e94b9f28911cf0efad5ae5e9cd9648d

SHA512
cb2909528bfb1a1e0e8f4ad79b14a36019b8be6d0d75e18b2d67f6477609557a23888b93ec354a40a41c83c1b4e86ed4318bdcf525368a06df8b70532d367004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
37b96504713e0343d3b712f44eddc5f0

SHA1
754048013f82ed81dacf4836dd393a8c691eb925

SHA256
15888164eb64b7869e1a0928e02b19ce698823561aa8c3ed46b644dc722b97e1

SHA512
6c79aa64803dd224ed84d6b0f63c0967eb0b74921f385082044c001a05d7bbb33be4a4aae7623f7c54bcdbf7ba1f09acea3995fc64ffa6a8986b80228a1476fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
ba9c116e71317243fa27ad21d6a66895

SHA1
fd988d3310009752dd2e2c1d9c9977f750d045ee

SHA256
bb59186d0384c15ebd73759840544a0a32c16f62b8f788f732ba9c19c76f8b6a

SHA512
758d35873130cf410426c6c2115a40961817215056f007d0448c4e157ebb27a99c15a56e260e2655aa50c6b546e06ac3452b835c24b00bd2d69d0eb8ad03b54f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
72fcd96db8a9c61c09b34a77ff306747

SHA1
0b34c82bffdf50fcbb55b573d630a47456e0d13a

SHA256
c1338ddd05965c8a15e754cbd9da6e5217e16f31035516af382286918080bdc9

SHA512
9452edc053c023ad6c51454fb07e73362dd555164fd15c5069e4b0b69b330b62bfd40b9ba90ffb9c169a55284ee85344b2f52da605c61a83039b0b95c89a07d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
21672c765f3581f6265de9055e6bb24a

SHA1
19f1fa8ff9d2228d72e8ee974d4aa77918e7bbc9

SHA256
7d154b66d21fb54fdbdfddeb54f15fba16ffbbc84316a2dc3ba6e2e82526d2a9

SHA512
a85b7b7d800252d8396c3feedd83f14e18f6d8b2a385d8242230ada3a8f5a9679b81987d4b834f90aea6816872f42799fa274139c2b8de05d0b02ec881ad0e25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
a50896935d28fc12be128f23a1dc3a65

SHA1
e87596b8a51f6b50128874f9d546d869860f4f37

SHA256
587e2ae29ba872ac095bf066d7a51d5f43c49a7bf5a92281eb439d1958a69173

SHA512
bd873ab03b5e79a7ac402836fd67f4a7c6e99b522bc0d6b5e4ed45a3fb847f7569771b4c228ce1e760d2a8190343912e09d4c1efd20173663a4b5b84664d4cfb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
c5d16307180bd14c032940847137758e

SHA1
a08ba175639cf5e943e61d9c91e2cbadff917504

SHA256
3c2f87447df6d0bd132261f640b77b6c2a95121d1e7d8aa2ae15c77554966dcd

SHA512
d96af803eb7104f1f4bf311882f7000523c563e337204e33c3c2cfe7f70ddcbdf82184c9a276a11ef6b95f87db459815e9bfc0f80b4bb2b7cab5620f56de470c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
6f20e023ac0b9c6b09b30da457da8452

SHA1
bb959329eb33b3d849d5e3f5aa3da26b760d408f

SHA256
19924994115478776e5c0ca0d483946344f751c80ee8f69f3df9c88e766de9e0

SHA512
034bc2829b91c15f3d86be09186f511878e512e46b63f5ed95f5cd3b516bc74ec887e0fa5cb667ef583ece277e4bef4a365be67e75e7ab38693e73250fe1a8a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
ab699575949d308143b289177904a4ba

SHA1
acd765bf9fb249d89e1f96ce2baa2048911f9232

SHA256
df7aed2ba951955b6028005657350cc653ba2d2c8f536cb6964eef5158256cec

SHA512
8ac40dd042ac4cd47f464d6709516759c3c798bc25706dddd050d54a3c97681d6d7f9d1208f06d123f7d69d2c9521563153bd48df17a8286c14cbf9a3800353a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
209e8c701cedc028b89f611c12044f35

SHA1
9b9411ecd5cce22564f10558bd2ac2a0da6fe14d

SHA256
133206f12f7e0549e9cf8c87d199daff9502ad989acca0022277d0dd4031e17a

SHA512
9d92b89ebc997e8b836324493813f693bafff5ef12dbface69d412abf98342d94ab8e0cb990d9b60c1ea4277324eabb26a01c4d0fefefa790835a9232768cb96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
83fd1e04f73fecfc94e81ee18cabe57d

SHA1
acd708a1f9696a72b3f3c66bfaf28df1f6f2768b

SHA256
464dc7c698e789b9b5ec1bf7eb5ff3f0e354a2ee0655bc1f2883f062bab2bf75

SHA512
aac79610e4df678fc5f233678db71694dd9e8d9e09f19e84142eb6503f900a690935aeabdc7320bd44f02f5c4a60bbe6f9876bc5bc107887b9449cb26b8ac4b8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
997e8a025d89343afa9aa4a6f1a353cb

SHA1
e18790a2b2e6fe698df6e6bdda401982997db19b

SHA256
ececa00989c8559759003f51e99d91a59b04b76247159c3cebd00f900be81b84

SHA512
9960928e8c19bd1825bb31f39db9c6670ae60320cca92fdfcedb618934980ebfd4f276d1d86613c18a4e97301033ce6fb01c3dfcf454fc2a88e644446a5d4bbf

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
ca008d752dcb280824d8d3a2692d02c0

SHA1
180cf7a3b6df4838f728174821084c4d61a893ac

SHA256
c503e55702f3c8e7a3cbd234f29f4196b31fb9f7884b9e3507a2d1f81a7b018d

SHA512
e14f562bf808a59c5cb46b49f294362220e6eb1d6516f1435a2b09074a889cb1768246357045ae47f241056d7a31b7a513088c5f6a876718bdd6be00a76c3d38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
5cedf9e8bbfedabe627e42b0598e1bd6

SHA1
f46eac90f99ec645e96f16a6581464cb71c34d95

SHA256
5f67f24faecc506b01b6f8132cc702dba1a7cbd6d6932a537fc3ac344cc407f9

SHA512
ee6af77afae35dcf8d324b278bb2e9f46511f23413e3eb05621ae390cbd4d8bba6328a34b41f45484e9369f1a92b22c6d4b4478be25bd1ac13f610609e7f03f4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
2ff3a1b641d0c1bdd24a7b016443d0dd

SHA1
4c58ecaab1b98b40a9d286007a4fd1adbfe370c0

SHA256
e266d3bc0af4826fc7edefb36170f46a0cd9b068a99dce70d75ae2c558b98daf

SHA512
5962ff197333df70298c7db249eb30136878a22b31695c866b22de0f4bc8f7b6f4e20116e5315c8665bef8653ffd416867247ad9b32190868cb483653892ba94

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
38d6c2e91521213c7827223c2d87f29b

SHA1
f289917313245cebe94e1c52af782e007fde7285

SHA256
4f0497b3d07afd9839d1e3d33633fcdd0e2b384556d762b02e9668de0e807bac

SHA512
19172df233729ddfcd8dd73a9c7b1df594f81518367fed40ff54c3dd1043bb0373d09b564794c8fb7f60d7455854fb96bcb8c54f71ae9bdcb86e90710e7c2a8e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3fc0231c8ae1d4f902e54c764495f0fe

SHA1
f9bd63c6bfae4414d4287a479ec3bdee49d07078

SHA256
b809a829864a7f9722b0c4edd2f29b3f81213509342cc854b312d639d7beead9

SHA512
c9ba917bda064088dfb3af99a73c29220870caeec6f2e7b7f816aec616f6875c77b419abcf7c046e082b0058539193b6f8700348822d898e9edd6f935a17d8a4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
17dafe93eeeb2e40f3888e124e1d1830

SHA1
61974f34b1a2418d7a2ec911d1d6013df4b9ed82

SHA256
b59136ca20e86198e367730b89c54f1ebf4aa782ea8fd66df84ae16d9a953920

SHA512
8c0b65341254c2a54a2979ad75c2f8ac773f838185e1e4e96d18ceb9eaa1f7060a8786e05c7293a68a15da5472159f65823979d778e8d24f5476281ebaf0f152

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
22aa974224c72eac11e400423b7dffe4

SHA1
5fe91b96dea3487f83c2fc69518f745ff6d0298e

SHA256
77ebba4539b7d4eef3835ceb53a960c5083566d0e969effc50b62808cce7294f

SHA512
7878a8e712ec60739a4aa96400675e270d662533fa3edef0b5f7b4395582dc18543a5e4fa1ba88caa7da8cb9b801d881b92c45e93e570a01bbf9dba1fa6d1bc5

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a02ba93e2f8164637ed59905561839b5

SHA1
cbd07435aa9c90057dee084721d5c2c546c06f76

SHA256
883946bd2dd09a8067b3a980078e3ea66b64048d4e60a583bb8ba821341e2f6f

SHA512
e261408961ac78cf5e7199503e0bc2a5e8eb416062d31b11c97e5b161bdde9c4e12e571627820c597a86037c2b46eac08cde87e1c99b8b409de08e5e49a75ee0

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
8331dac2184b5773d88e7c583e0e36d4

SHA1
abee8dd3a69219e371b3e828f3632bb3ccf78067

SHA256
b10f2579c190809bd6877d32180226c88c167c13f16b8fc0f3674973af32c319

SHA512
5cb867bbab41b6dcb9a936e15d09115266be2e00af1579f8415b977e21bde79e84c66d3143df5a8d4d0225506e599273b1caf39ced599f9359da89a2237de9ee

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
2bbf71d9c0bb15fb7f9556ebba7fe17c

SHA1
2f33f6f2b308305176396746da335296d8cd848b

SHA256
99cc25f5e10520eb0415dfe417033028908e9fb45e8c988a3b21b85a8b12eed2

SHA512
8eb0c5ddb1fb52b692da7c48c96b62ec083364f95b99080a6030659c53b62ea49a0ab2e9fb400972a5397acf5228bd01b877fad705a4d075cbbad03bf860e739

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
880cbd92a6096c08b976bd0137026e99

SHA1
2a8ccf4f0e42911c8fa6c8f56f88790450a46fe1

SHA256
11b167399650bb06f4e5a7adc680d6707ed5c00ace6acc7f96dc613c58334310

SHA512
ab313b1a794adc4055e8d0209cafe6aaa7590b630b94401e1173463ff227ec4f92ef5fd8a5d99bdd3e64053f29a15b8e7d42ce1f5fb5288fde508bf9f21c90b7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d52d8444d5260820789d48377fe2f76a

SHA1
7e81a26cf935f84cb3a1396b876f9d3ea24464b2

SHA256
0c36a4cf312f23dc1905d05916f2834a1c651b1492ea4515b349cfc5aad18e70

SHA512
c40b05ae0e433b1e37441796ae63689a3bef6bb91b4f6e7a7b10c27338a08f992acdd189c10d33d5ee1a21f5855fdf2e7473e9b3fde72db5ba7cbdbc9409d7f7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
9dec21ccd1d17b87f341fec92a0b3ba3

SHA1
a547ad2003db6afd2cbfd3f9e3ca5d6ad38ab419

SHA256
c2f0ff432d8e24c89dade60de23e15ae54b98024637b7bd271ebf45397a7e230

SHA512
d69cbe02d017055952acd858ee0b89b0a026a33d508cf2bdb01c939548428a53cba7def1ff43955d1cb82f6e3eac526c9806dc2fcebc80e704abfd95242eee05

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d16824bd132fedb6a0740da550a2cb5a

SHA1
bf7951301135c1ff2e2cb5336aafc6172a033560

SHA256
e784744e3f9f39da4409a8f359159e9ac3255e49ec8367816eaac1e0cc953854

SHA512
344726584244f4740858682c5eb1ae161ad4362943cda37db1b665dbaca4a9ec55e055bde6ddec28a0bcbbfa26e38264e1e3a8ad1a249a0655aaffe5f22f5104

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
718aa9c3c678e0b41ece47eca5c348c0

SHA1
f2655f3d428de199bc7ca74639c37f94639000bb

SHA256
df48a24ac2db4f8706acd6a04c3c50c5a5260d5e1b96ffb24c4126cdb98be829

SHA512
154784e8a1eda06f25afcc8e4c2af0111f8916239fd14a30c5f38b3e220f386e48712142fbb6e6d99bce758f8ad519edce330cd4ef9418d10e9c2016d557e5ad

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
d8911caa94993a5133b4013c9ec9141e

SHA1
ea28a2d9cc39c5e8afbfb51c6f72614d52d9af53

SHA256
c2eb7b5587466ea635b4c4ff37dc08d5197ba5f6b107d54e9f7a7cebd8d94696

SHA512
54fe1526f33638886380246d9ce329489d62502310b2046760abed9a1047f9af4adaadda63cef503a0409e78811792018459fcf046d9ffcb12e4729704281f69

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
d103d8e64747b6645a2269f5869aa8db

SHA1
5d35e4a07bcb668aeb26bec49907ee14c1e1d61d

SHA256
4d96919f110e1821dad04c78f3bc3b0ea9a340ecf23e84ae231166735e47bc38

SHA512
6c9dcbd2c9bf0290449e9fd2a4b9d783f765ec93bc7a072ca1429f43d60dae1cbc07b9c9f6af493f392c1a673b39ef336e344cea3f623876d05e27d43c1feb8f

Download Submit
memory/772-134-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/772-90-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/772-84-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/888-145-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/976-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/976-138-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1400-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1836-159-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2000-135-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2148-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2148-417-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3036-98-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/3036-103-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/3036-140-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3076-2-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3076-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/3076-96-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3076-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3096-158-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3096-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3276-137-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3296-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3624-164-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3624-418-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3676-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3676-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3676-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3676-410-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3908-64-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3908-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3908-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3908-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3908-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3932-70-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4188-79-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4188-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4188-413-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4188-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4276-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4396-139-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4432-419-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4432-165-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4436-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4436-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4436-372-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4892-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4892-277-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4892-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4892-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4928-136-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-374-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download