16d1f1ef98f9bb3f3fb44865aecf0e7aac8957d5c9a39dbc4c3e152f72fead3e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Size

8.8MB
MD5

f85dfd54430ca9b20df03021ebec7470
SHA1

13298097d761cad2438cca69e830f55403ced1d3
SHA256

16d1f1ef98f9bb3f3fb44865aecf0e7aac8957d5c9a39dbc4c3e152f72fead3e
SHA512

478012c6a4ac17073f7b36827ca4b6a44f792f90e6be5c8c85bac8d458081e2191143d3aa0e6c985507bd9cc2ef0376648140080a254949f14acbc53092176aa
SSDEEP

98304:3uCSb+VHJ2cK2l8bYYlQwXm5dKMH9LFjnxy2U7dG1yfpVBlH:3OcK2lPTwW5dKMRy2UoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
380	alg.exe
3528	DiagnosticsHub.StandardCollector.Service.exe
2820	fxssvc.exe
1968	elevation_service.exe
2852	elevation_service.exe
3868	maintenanceservice.exe
4500	msdtc.exe
1888	OSE.EXE
4488	PerceptionSimulationService.exe
3004	perfhost.exe
2324	locator.exe
4264	SensorDataService.exe
2244	snmptrap.exe
1532	spectrum.exe
4728	ssh-agent.exe
1696	TieringEngineService.exe
3408	AgentService.exe
2248	vds.exe
2496	vssvc.exe
1604	wbengine.exe
3132	WmiApSrv.exe
3044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c8ca568beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exef85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exefxssvc.exeSearchProtocolHost.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005807b85b20aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022dfb05b20aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064780b5c20aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd0a5b5b20aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077e0915b20aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000239b6f5c20aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe

pid	process
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeAuditPrivilege	2820	fxssvc.exe
Token: SeRestorePrivilege	1696	TieringEngineService.exe
Token: SeManageVolumePrivilege	1696	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3408	AgentService.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeDebugPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeDebugPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeDebugPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeDebugPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeDebugPrivilege	4744	f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
Token: SeDebugPrivilege	380	alg.exe
Token: SeDebugPrivilege	380	alg.exe
Token: SeDebugPrivilege	380	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3044 wrote to memory of 4008	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 4008	3044	SearchIndexer.exe	SearchProtocolHost.exe
PID 3044 wrote to memory of 4604	3044	SearchIndexer.exe	SearchFilterHost.exe
PID 3044 wrote to memory of 4604	3044	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f85dfd54430ca9b20df03021ebec7470_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4500

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4264

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4008

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
90a206b9a63c1b9d1f2c587930cd826e

SHA1
22268059611b57fc16aa168e0457a542a387497b

SHA256
bf52316aecfad4f5039d5dcd7a5e5f66e60b0667b1ea84434f78de415edee759

SHA512
de919a88b66e734e1237dd6c7e12e634d502f70f7ad040758432b42ffde1dbc95c5722968edfbe8cf5845cb1084feba07345cf9d177717e23d3a5705665e656c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
fbb872f6bf6b14d4f1dd5e1fa7bb5506

SHA1
52dfc202f47014ccd5754c30e29e3cbec7136883

SHA256
a2a29ce1b23dcea14e9af1c3e21e29b684d612b66ce8dc5474e18b457e3764b0

SHA512
adf805a36a0921b33284a75d08de49f905f27a72fcd2aeeaacf5944f6ce94a401ae26124bf87313409381aabed3a5ae2c5c9ad6cb0e57032e8cfdc4e4e4057ef

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
b0cee9c353e62c4c6917e04378eb2449

SHA1
a0d4f5a4295ab1d1fb2bbc2d9988ae208fa4b9c8

SHA256
734448d754e2db1608bf365874eda09510ea94c4490f54aa3e6d7978e8212f8f

SHA512
89004a1c97c3db338fce428ffca85c45e9dfc843273471efc0ea970be4076d177cbf0e65751e51a8a5fe21873ad74bae73ae6d1cfe36dbc53e5ca2305a33fae9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
8ccaf41f91a5f64f293dfeb8fefa8729

SHA1
f178f0fb0c4bd32af36b9b19435dacaaa560452f

SHA256
c8700e371d3a62fad9c65159ade41e862aaa7a400979d0d3c0813c8cc9586ea3

SHA512
c2fb7ffd053a2fbe55371799492fc18117cf790e9e58479de6ff5cd313eebd3ecb589acfa2db7153b59671ded76ba37482fa87384e1197dd9e8ddab343b1a540

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
51d195ded803a62079935c35304c1579

SHA1
96913eba8a34d838c4ff8eb42b493e4eb464b711

SHA256
2527d4fa65a41d8626e505c2e217c00b359ec7e0d1b777b4c8f3108ab7ff20ae

SHA512
e01fb26277d0e5263635c091491735c4869df2a7d042987582e47ce45094baa5ed427558e6516d5a9b89f44d77dd72c66e69fd625c236f0ce9e41369aa978e8a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
c63d040b2ba3087b9b1ace279aad9a4d

SHA1
d79d14e4f21027103592bc69e5ae4586c2f3d8ed

SHA256
46c790764924cb164b1460f74f896ea0a026b52499770e000dea9a928b8c06f8

SHA512
f59e82bda91c2bd5d5100435fdd106a2963bdf7cd09734e1b46b4ecf4a4568cae3c951ba076cba6434bcad2ef331ab352e59bce8b0b0b251f780081202c1b2a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
1ffddcc34c7605badc04db23c5120561

SHA1
c516d54aaab34ba1780e16a6b7a8046739993810

SHA256
30af4b865b7c9143d7e14d2f12111e713ec27c1fd3c12709219113ac6d1a4899

SHA512
53f364e3f7ddb87517a4d80495e30da874b0baa9eea84e3ccf98ab4747564f0b497d07640a75617dd3f738d1a3361ca1acc2d9c5d915ccb8571ed3897ae47bd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b9a7fc4e1e6c51e9857cbc454826a13d

SHA1
54f4b19e5e4e0237c06c8db6d4938b8782d53e9a

SHA256
50cdcdbdd7dbf97864332a888bb164b3653062186b5443e85dba1edd4669d092

SHA512
387c84e77b9bddf88b69444433d53e6b1f26e2f1ce31a3182a3dbf4772371464d8f139d496a93c4f89973750e4e2f6e50db641cf0290bb7e81a8a3b7c98ee6d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
8397d6a7f76b6e2ca3cca576789bfc6c

SHA1
252ab618fcb88d8347ec5826d739b968e32f7f34

SHA256
9f13fc98fa3900a682151ba69a745da8b1eac53892bc0af3d519069dc5c1a50a

SHA512
8b3fc7d35c4172d6fdfa0de40dfd528acea37e67ca5f333cc0983f326654f28a652359a12e262fdfdcaa30d9661b0dc757e840fd7f35c9b46287f89745dccd82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
cb4d0877c35ee9b88bcc833d23f4f37e

SHA1
cc2d7f85f3ef618f0c4289a9e3b6290bead3a330

SHA256
5ae5ab5e1f2ad07567f2873e46c0c424b8f58af866705743e21e043e8741bcc3

SHA512
a92324b84a6bb6a6ba105e2071d2d5b4beb27fb7ac75d6906cbbbdc1d3333710d4dc6f8861b9471edc7a2a8649f13148eabec2437265b444d1e1aff27838792d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
af3896b9fb63222fa467ffa327800cd9

SHA1
6a5a56b25076d580aa7894ffed6caa990f0b2359

SHA256
a5e123ebee96850078015ae2f1f10157c48dab0f7454351a7a52bdfd5aefb781

SHA512
79ff3801d76600d6e7f5a294fc6ad5bfd7070d1631b169419fc546c4a8018387ce5a87f10b9a9a038b4532bff8111cae3950a13bd8ee63c72ec514ae44214c65

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7872b94789105875abf230eef52a9ffa

SHA1
d82dc07d278603eb493b6d07315b873155e928d4

SHA256
852f38e862b8ea2d3aaf5103df2b19ef806aee06b8727e8861ca80a082c489cb

SHA512
79f088b00b279a8a8c1c44067c298ad6bfd6f533afc147ebc43065702f400c033a8f5c24ce93f4a01a6962eb3d4d31b67ea4468f3e376069a3c9590548c2a1dd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
996cc6902b5265f3f5c41395f4e91c88

SHA1
6eab953f3fbbebd4c0ece00e089612af3ffd303b

SHA256
f7d0beb22dc92bdb6296d9e79fa9d69e7daa881b5ed8ad8e050e950af3346130

SHA512
d18e9fca5b52a2c21ebeabcf2d4009f6e3de23a0192b6c674a33822011306ae39e4202363ee2d7560fa3b6ac54a125a952ef6f3801e0919c80973718bb24478a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
bc018be7ab53a8d24b73d5cff701a0c5

SHA1
8187d9ceca9600c8c3686daa30de5c38ba24303f

SHA256
97bfc5c97d0db6e54da2ccd15a6f65dafe6768518bb0a652f849b2db4afb5922

SHA512
dbd43d378d16ca5383e08e11002c2073c25811a0c92d77e0a2b62c1eb458881362b0c3e8a29473c69d824acf35e3f3374aaaa904d09aa90b0bafc1b4d82b915f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
62d778941123d60f86057552c54b4dd8

SHA1
77052e7591cabb4bf82ea63c856f898fcf0bacc9

SHA256
1d1bdc48d31dc71d21fd3a844bdec22e7bc2d302b42214d567f314ce9210d29b

SHA512
74095db9dbaea9afbebed5fbaa61dff4469e9db97f766b23b42cff3e594807cfe92f7a8dc971459dd409b7e86328b13c21d4f0c81e96f22dec867f07535e7c3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
9e50a41447efef3c9036e6195d3e07e7

SHA1
12102ac2ab8bafb075ec1360f185bbee69cda279

SHA256
8ceef409611365247839d3a6851250828b0a41196ce480f3adb33bcb79cd17e5

SHA512
7087807deec6286c0e8b07805027ca08d7b36b7b9920ea37321f605c004d025473232571ca38ba596eb40a91e5a350aa288143324bde27a89a9e69032c1ede46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
591bc43df56047359c8e9cc8986664f5

SHA1
4dd4fa95d435f0a653f0cb50c7d668868abf8382

SHA256
931e6f90a7468c99ca94807b1b5af99b57506f35fa3885462c9fbcdb47eb205f

SHA512
04c9c6365f805eeb4310a58d56ec001f0406f05faf41894f231131f637e027d96cf8db5b9edbc92ed407e88c9c899442bae68fb8de47b206a2631be5d7e5b677

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
91599aacd0583449c8357dd2da8416fb

SHA1
8ec955f68dc552753b5577344cb5ffb32f01e576

SHA256
a5c3036abc6009666ceea4c9f32704703bf43aa16777f672ea0d198a4695b37e

SHA512
209c06f8d2b997d0c82bbfffd24e9c5c59a97071fe05235b15e0423b19a204e68941725ee54f975c0bfff144cfadaf46c2a5d18026cff3d79362507dbee011c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6215a7502ed099b97b5c17f0f3d2b9dd

SHA1
8c8f50a71a02b0e6dd1bd67819f8d4acce2d7c5a

SHA256
f37ddad5ac1ccc60d1acd0bd4e2fb435770e954bbf7fbef7233a6f6decc5c536

SHA512
9f817d2cf99a167fa8de89fb670485844e65461d25c10ae6e7e8820fc5f76a9075a4910734c4ac3a42cf585281935cb243ddc599d1c5aca2873d4e107eb4ac31

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
07a23e4dc1b7185e5c2e8b6e23e14974

SHA1
b655844ca6d8bf4bd25619ff3514d6d5a370d476

SHA256
4ad4d6cee1b560227eb974a3ebf4b89c3710c1525662d0c08e0b43d8eb604035

SHA512
9cee781363173033214c028a84044c5f6af8a5d92bb5a5413a5e5befa44089e1c852406212e2afa3080b0ab5a4d268b5bfda470c0f9851178f1b26bd60d38c51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
d95667ea7084ccaa02e8f7d39e6dd5e4

SHA1
fcb92d2df08f6323f34aa554930e18af92229683

SHA256
d8fad963f82b2c7a4023808b7fae92e65a2ca40c3a807188bff60aff22eb6860

SHA512
2570439a211ab5057a1300f5cbf369e5834efbad1ddc20fba9dbb956672a037aa8e10809266e1e85da2444aa547313c13509bc51122ee8a78a90c01ddaca77b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
067084e5b4985e62913d03c137db9854

SHA1
427269e47a81abe12992557f79a25c67bd1497bf

SHA256
a417d7a18e4b8bf4b5ee4182390d58d149ec30760da4b7e9a13c6cd02671bdec

SHA512
cea8a0b0e6f903040a6d1ac6fad3ac7ae4c5bf6f6493cbdaa3b40266d2e1e6978bb0b4aeae3a261810a17562f8de7640c60a435769bf0c9836f7fb2f56f18868

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
2c53fbbd8e5838c8128b35c8b765d7c4

SHA1
75acb7e0398f7fde4166890f4cd7f2cc131d7200

SHA256
78da90f616085915b9b6c916438aa3f2cfb20cae9be63abced2d343c2ec3477a

SHA512
2479b7a417fe238b082d9479b113af9d77fced9a785bb2adcc4a9cd9579ee922b1113cb87dceff8015ef08cf3850b34fb5906760119661ff18d66df8285bb8b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
7ed018baeb1a46edcbfcacfb868e42b4

SHA1
f659e898ae8fca6862edbbb4fd0eef7d28fb993f

SHA256
d5c74e2c27acfc430ba9ec925c3372554d8bcccdba5b4d223004a22c8656a6f0

SHA512
c6296938a684019de84028dde8807093fba7a729b6f3a38f9720b4726b211cd0ba7e08b8bdf62d9472067a0734e72b32e0b6609783a2723d36b81dcd22de1f2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
9b30b207c9e125c94891d0b967ba4153

SHA1
8ffa4597e37e399cd05a133ed05cd15e63d88174

SHA256
b3d0465db2e6dfe9135c856057ab404a5cf9b006e1e9b5262ff58dbf2952d925

SHA512
8d3cf5a8b00692383843ac23131fdcb9e123977cf1cd6526617524e54138ff5aac31c9874776df6944694e0244d16f723a1bfb1918df4cb776d6d2007dd7e976

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
2f17b4fec22e8ff97810584042abc1c9

SHA1
6293bea1ed765a22ead71bd100fa3eb2a00b54a1

SHA256
b30876e7cef432c1bee9f02c4e10c704705cd14ede350f34630229abc85adbd5

SHA512
e0a277d2d19763403bae57ac3603395253edb5067538a676fb9c0c43ccb62db7aef984bfd272791e66d0770dbdffff6d7e8d81f926329603e73c2cfb131fc008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
efb87f352a66dbc51dc5bd6017c7d2be

SHA1
01f3c53d97d7c7f897902161d2e33eaad5ab48b9

SHA256
195b34dbf066c0c01e99e3f204db5696448057ced9776e45abe3e8aee264c62a

SHA512
1aa3a0f3e6dd34093884f93a45a60db3a9b4f8b0457245726cb428c32d2262bcc75ff86399dc54432cce3d069c481fce55018925377891560049cc84a9fc50e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
133401c14e8c0e947822e6c83425aefd

SHA1
76ef2c9b9502703f114503124db84d3a346a3a49

SHA256
523bd6c6a5d7c0e9ed555be218fd2ccab8b5db1931fe4df8c96a652822c5b77d

SHA512
d1b54ab9636fbf14d1d1f55d7375d4e142f1c0e0352ce059d4529ef5188c3317fda0e222d7f3aea192eab88482f0c2dde572b9776048344cfd4bd0e7cd5fb25e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
9c1d2f7447532df7c37961074fa3a3ca

SHA1
156dd28b7b3d4f2f032ae0406f553c353cae6c86

SHA256
52ba7bc6ccd09ebe1f0428bba09dd0ad5fbbeab619377c4a3c99bff9d8a646b6

SHA512
db670e63f840c4fef123391f1ca6843947cda722ffac40765e0d7944c453703b1f037b60fdba988b54ffe348e5282ba6a45cea6d052f3d07817bc814607098cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
72328b929a463e70f01c48f66a79e5e8

SHA1
3b7fdd0f2af75edd1757cb47edc84dcecd38e578

SHA256
18e80a54448e721ec0dd686441fa2ac077559a177b1f4b36073977936faddb4d

SHA512
e1ca2a545b5ec239ac4a0457f61a84fb1dfc1bdefd7c3d3a9841743450643fcc51e2813b9b72bd06b96c80d71eec66877062ef129c228d1c43132d531a6596c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
94720d8df280bdb78429e9fe4a5c3bcf

SHA1
5b9016d78ebf3fc3f95f4ca7ca0832fdcb74cdcb

SHA256
1305f189fb5ceaee2e76b2eaefe811ffe008a19c373c95b3c225fe19cf626476

SHA512
03ee85d2bc0f9b58cb07dfe610acd73c84b24e9eb21d4d77bb4f60839b91d6830ed47a0dc2e3c9e4a2ea61a36dee5977b9a45387555402659dd25e5cddada1f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
f58cc1f3cf94ed743c4a4ad1b33aed17

SHA1
11d632ebe888f4a29b015d1a25d6b6304fcaca21

SHA256
bd296cc1592cd28e30ad83113313763f0db225efd61ad0edc411248d313f992d

SHA512
56e17eef1bb2f174526a92f5c32c0f89da777e1a6310eb4d134431a57e0544c4b3858c28f997b27788a37b57f8c275b5ebfced327cafb44aeb72da2ee3f4acc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
8487dbd184866c340415a174ca00eb5d

SHA1
3dc5618c970a9e998d24f860780eb18f7f281be9

SHA256
959aa220964891246880b134980226842905a0d987c42cba5ddfb1f30458dbd8

SHA512
6fbbe4ece0bf6f2164dbf01ee9e9801a7ec75ec5acbc59b1bed93c81f35570de237f77abd83b37f546e45121b0b41301f575c2420ea6f5b311a2e10fdddcd8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
ebf4753ae992fea0d10522abe75ac6f5

SHA1
f01a864b9c0ccbd271cc7fd47a5dc6d670fe28cd

SHA256
02dbb831aacd23e64b647839f4659fb1adf3533025d2c80f7b54ce826a1bc6dd

SHA512
1a0bc12053363f7646ba6e38dd851b279804f1b287256136e52069ad7bd6cad0543408b9d20f2e9f4a27ef69eaea727aac7930d25a6072838a8c7a52290688f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
3836aefed7fee94a92f927b2cd08f608

SHA1
79cfd82a281b6cd8dfeedeb1f923626e2c95ab27

SHA256
6a0f497cb6646f56e18eec2fe3459e35b615c47797ed75cc0506d47620dfc964

SHA512
8bddd2d5a8041622e08795da3ffbd41b40f762f11a77b6e37a0967692363c619119e54d0a3ced195a29e200efde182afe95a162021f09c19bf393409146cd0bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
deb9c9989bdbda9b59422db78b48e663

SHA1
e0a93031533cc39e74aa39e4e7714d8b0ccaf181

SHA256
2b40ae4ebba3e0b2df2cdd18c3477fac34824d23e8d0ef33569d67c7f18b7c26

SHA512
fd569a3abacf81f38b36eb079ebc21f8cab7aa37cbff1ea625f09839b8ff9d5dd62ddd8822d2f4b48a0b0b0f227a35a044f428aa3d4ba43f05629ce592b7053b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
36fdb53c1689b2287cd224032dbedc60

SHA1
8c6cefc65b7f0f0a27db9169e3d073e7b0b3da2d

SHA256
0a53420cd7de6a1a973e4ee4108ebbf7a6569dc331b5d24d13a539c340c2fe52

SHA512
f4fa0f18beaa3a45ff5669bd0a26fe552e8c2b439f429224944ccb7b55e2cc3e4cb3854ad62e41c6a974d4c9a7d0dcc09003bfb3f8718afb035fba90a7959e45

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
a836d77f870a59f153b497ec961ff315

SHA1
9d3ccfdff1ca174a92c84234a8271519dec878c8

SHA256
366f8bd71ddbca6603439d1dfa1042fc0381e6ef1262817e84669712737d16ea

SHA512
1e716b640f309d434d1d010b5ac6a3c21ce4ba74d46ed5246e856ecdb2273c5d8974614a9e9a0e189e413c9e18bb2d13383cae7d6fd11255b061d5140464a579

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
e06afdab1a67dcd522ca08feb85b4b4b

SHA1
00c722f1b041236107ea7d94ab9639502995b453

SHA256
021acfa117b9554865bcfa2677e850d29eaac258f9f965fb07e632810cf55368

SHA512
47fdc04ada33f35fd3f3c116ce1672f67757cf84e1e38e57c64b63cef3309fc11d3a8590b3e889179b34f8f6d24283ec290c4e924af5b0aa6131841790d640b7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cb8a03cf84af73342db965cddd64e03d

SHA1
658cbe926a31877c4a247c175feffa14d0375b51

SHA256
35be3cb34ede3cdc6bd02fcd6ba88e1c11611b3140ae0d06d5f6fdf14669cc1c

SHA512
8c54ae537a24d08405ca78cac6cffcc101cbebfb306be714dd9883f808948acdfeb6544cc8d819f33c0fb0263218150d3b2f4055e4ce263751a419975765f7ea

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
85cf63ed1e5839ede79e4adcb15e1255

SHA1
e820fc632cff8048aa04aed76e02ab4259559480

SHA256
ce8fe82f1de2bd070bb4b8959855513bbd71adfe2f2df260aed370e757f991de

SHA512
56fb6602bf4aea107415f0daae6daec0fc5568551fb41b2354fd3eec7f58382bd0dcafa02fbe1107cd1216de4daacfc590e3162dc90a3f2df1a6fde86b892d78

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d78a2b56ef4a97ccc93f19f81198c14c

SHA1
44b21b3a361ec4d2ec1b62a75600e57f2855b282

SHA256
9f6b1f040b20dab8a9d9a116a0959ef891973f64015c6f55f253506c8fe9b534

SHA512
d5b9f7230fe6170f5f47fa7c747129fd9a2a4c4004b89bdc54905eca60453a5a83423633b104049b68f83e0d4e8ff0d3d1399b2c7bbf7affa55cb28f9e4b1a88

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
151f6be631991d057f50ff2af3c67cc7

SHA1
af4b1561a89dc53ae591d1774eddd361de777518

SHA256
0bc893e541352c8078d49305eb590b660b39acf021c4b57c584ddeedf2fa4d70

SHA512
4426daf3c797611fc5775437d49a95c8fb89a8ae70db66d0a47e7cb319a545557be663a0c9219e784ce65197bfce7ce11c741666fd21024b1a41d6f4587cf783

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
5b23998513207560bf255a5fc78702d3

SHA1
3c0fcc7957a06f17564a9db2015fb052561be34e

SHA256
f3bef1973a7ec309e65d5fae289ec75f78c46f720a5a7fdd107ce2b4709c73d5

SHA512
be5e6849927a3dc7f6c7c5b94e3d822cda849361247400b6a203d80a372e92e71da5b3f2c9e110f84ded618492ce9b2d738973229a81db09783013f55f238edf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
4f67ff684b9c4b4b1421430f94af991f

SHA1
4cba73617796eb85b2b958ae7df6398dab8bb562

SHA256
8b68ac1704711964018be0385715d2cee5021dd604f2270cdeb4e8ddbfc7604f

SHA512
6097eec00079546b2839692cf1d9b006d3f198d1c43e43b915360b38ad0191c5d0581958ddfd16f0fc70412ff4aa05713e580ebf5d41707dbaa838eb9f4a347c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ba1650fabecfb90f17b80c6d03904ec5

SHA1
cf4bdaf06ee41a7b6ee3e7e86d8fa536963a258f

SHA256
e22f4a0c26f395e2ef731c6b1782c470099203ed34a3b2a544aae76077139914

SHA512
70bd707eb194821c9495fd22afcb31b5a3c66d24de423574c1adb7e455d7fd49df1df8eed59cfecd1f1417c483764d348047e1b89fe4c6a587425c250339cf9d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2af3c3a8b299d9a9fca479ef55d1032b

SHA1
f67758cf75e99633e6734143929acf79412507bd

SHA256
72d414c7f74adf43bc00f62123a2030c4be453a6bbab42bf337775d18c6f55ae

SHA512
7f863750279b93127114d4dea1bb1da25ca00f00cad62dbcf3f7bb7c65d56fcc19d9ae0c152c7de8cde970f691d4f96518e743af809c8e50efb2bc07e123524e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
614799a13f3c03b4984d1e967f8e789f

SHA1
18a2300aae2fa954fe040bcbb10107e5430ecf80

SHA256
a337004d9ba5739a5b7e74dd66820f911f1b948d522f9478e9169804c0644b9e

SHA512
880fe1e52aaeb6b3478cdca05864ef9461d71fd866e0b3fea91c25dddf05927a188fa4ee03e30792fcdad7a4af3a1033300e8ab606abae9f4604f00b7128b713

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
ce3ccf6b64748cef91fe6892059aa265

SHA1
3ad5abd98de789db858d37deca8db444319ca0f4

SHA256
c2499bd980d523ebc165ba5351180993e8166f9d5795b679c82c7d45031cdf4c

SHA512
9b245bb592209638187fe097de105a8726bf98fb69115efbd5940f0064ad41b31c90b1425ff3a952536ce29307f181c7254bc4383af720140f44251a86f765f9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3e77c06efa37d53df1c6d5c049287400

SHA1
c1be3ac28a27ddd6f46e186c3d847b2beb56bbc4

SHA256
424af517e7fc6d8c713f7fa9002467426b9f19153859afc0eb616ba58f47a445

SHA512
d61bb38ce112ce6bda31d399fff15d23b3c3c51495655fe96d642206a419395c93f9fe540f25ed7536ade212624d35c56376a0b6068be32f5c17e7ed1a559a5d

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
9e2138cc72d31b2990970adb353f2935

SHA1
de2c4387f78506576cdcf5de3bbf6ec8a60d136a

SHA256
bf1ce061d66e428423793ac1c70e2d51c8a083be31e9a6f38ded4a047232c267

SHA512
694aba4a0925988a58015770a29ccc9aa56b38c715934fb0e88f982c82e4898eb5b4d26fbf13677d2fbdac14b79f30ca8b94173435bf6f7879eaaf411689f0dc

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
8e049847538f9f21b1ce548c837f4048

SHA1
053bac9d5b622a36f4d118de65807996edaa05f5

SHA256
8ea11eb774f0d8c3a528212a0a6095603e0e1d2cc1ae420343e7739560fe3ea0

SHA512
8e9198dec795d196f8c7b6e929810bc78f6254821f185b7d4f756391546610bfb83536e0edc0599ac7e64f27404602bdcb168ad92f376d431245641e3f31b6e2

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
28d74b49b3107a189fcc02cce5719824

SHA1
5c666d823aa731476ea875783ff5646efa425d2c

SHA256
1ba35fd46bc4e3b407112eeb29ce024639d61b491ffa8cf3a3cc3804127916bf

SHA512
bd26db99ef0003ffbde025159e07a163c37e729f5bcf5104efbbc658a5f34e6c48bc40f1181eec46e49b3f7a4465a3401f0fc830bc3157b0ca0496d153af9622

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
cdd4c17dc9b9d899f9a1c30ddb4487f5

SHA1
7f36a5c3717fed8366787b51f62b1da31acdcc0f

SHA256
c8670530d57007451bfa3980104e13cf304ce7272ed70a6fc5d64acabee9b590

SHA512
ab912e3583b24a8fb15cd7a8f2b2e20c2454b3c9afe6c22c9b52afb6a85b2736042f1dedeb3f4738a83f02b2463ec2969a153d8b94fa48f2eeb37a9aeced2f82

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
771df140b006b2e899259c25770de913

SHA1
bcc94f42ba2b7428579004c94a40833452bfc99b

SHA256
424113cc23a4b172f29853e1a72281df95a8b6fd4f7774cff79489a753be3074

SHA512
90c073099916a0d4786f3ec2fbba219da88f163e03bd3f57b5c243f200ea419d31fadf3a09dbe707a2a5161743f3b8e432540f670bea7ec85dd109e3ab9d87af

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
47714a5eace3fce609da96e4091807bb

SHA1
3cac9f3fa94954fdbb90429081f34f83ad0f215c

SHA256
c4f33b092b13c7d5cbca1f9ab30a01dae9401ca0f05de9fce223b18ba53592f5

SHA512
6ef5180903397913d6bde76664e63770da814db91a2ee2cbed0ce39cb4b7030bb9c0e66d000f0c1ee21328fe716f06c82b7d8d01706c702e013271d6eb1a966b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ad318f44c01b6bb082164c31ee6f8e3c

SHA1
82a2657022b3756b4f5e76d262ac795698f995cc

SHA256
ece781fa053cb661327f92e9f21127e350c39d3fb111e66466feb5ee081bc350

SHA512
c874b3d652a73f6ea4c661f96cafc4eeb7565a7bb109ca2d7772f8623ab48f88ac679f76d0d8dd0728fa1c4ab5ec793edf620de7326356857b1a58b7b0a1b913

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
f546fdfa9dc36a4f3d5f4db136375a95

SHA1
1831c89e186a7a6247b6d540e9088bc062fe368d

SHA256
b4adb1d719f2996259fc3988c4a361101a480c731b6b0848433214baee76d884

SHA512
c000b36e601c71bbcbfd0392a3ea61be196833f36d7375cbfd065fdbc9d740e8bd9b40dd13de81e417298253d51e6e91c686a7c870a87453904f232df0f18efd

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
a27047839393924adbd28788996ff38c

SHA1
0e35d1fc44cf187f3d2e7f9e07052184500b3260

SHA256
dd6c585a265ccb57720fd390f773b579551b2153f69dea5f070c22045f037f93

SHA512
a59e52d81e61fa827681fe4ce9ae8a386bb1b86451d966310a5dc3bc1f4f404c3464eaf04418e9e3d2556866b8f2e58b3ce783022db651aee2afd82abc9a4751

Download Submit
memory/380-21-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/380-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/380-593-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/380-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1532-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1604-305-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1696-270-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1888-106-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1968-47-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1968-105-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1968-601-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1968-53-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2244-239-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2248-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2324-237-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2496-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2820-37-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-56-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-43-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2820-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2852-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2852-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2852-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3004-236-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3044-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3132-308-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3132-604-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3408-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3528-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3528-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3528-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3528-598-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3868-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3868-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3868-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3868-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4264-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4264-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4488-235-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4500-104-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4500-84-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4728-269-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4744-0-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/4744-307-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/4744-8-0x0000000140000000-0x00000001408E5000-memory.dmp

Filesize
8.9MB

Download
memory/4744-6-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download