29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
Size

1.2MB
MD5

8de7490fdfe4856a445d33076b20afb0
SHA1

8c0f2a825911699779200e37725e1b80f6b5e2ee
SHA256

29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac
SHA512

3a3c22cec96dee5de5ffedccfe2bf6d104dd22650546d9250eba65159507544ea41884b61419c293894729c948303ccafb1a48863df54a37b6ae3b61e608f628
SSDEEP

12288:02pYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:B4c+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1784	alg.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
3916	fxssvc.exe
864	elevation_service.exe
4240	elevation_service.exe
1980	maintenanceservice.exe
388	msdtc.exe
3844	OSE.EXE
4732	PerceptionSimulationService.exe
1532	perfhost.exe
3568	locator.exe
4344	SensorDataService.exe
5064	snmptrap.exe
4548	spectrum.exe
4384	ssh-agent.exe
1856	TieringEngineService.exe
4656	AgentService.exe
3532	vds.exe
984	vssvc.exe
4432	wbengine.exe
4292	WmiApSrv.exe
4348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e5c541b85dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030f2df17b9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecc1ec16b9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ec00b17b9c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c170618b9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4dd716b9c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb8c1b18b9c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f7be917b9c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3232	29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
Token: SeAuditPrivilege	3916	fxssvc.exe
Token: SeRestorePrivilege	1856	TieringEngineService.exe
Token: SeManageVolumePrivilege	1856	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4656	AgentService.exe
Token: SeBackupPrivilege	984	vssvc.exe
Token: SeRestorePrivilege	984	vssvc.exe
Token: SeAuditPrivilege	984	vssvc.exe
Token: SeBackupPrivilege	4432	wbengine.exe
Token: SeRestorePrivilege	4432	wbengine.exe
Token: SeSecurityPrivilege	4432	wbengine.exe
Token: 33	4348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4348	SearchIndexer.exe
Token: SeDebugPrivilege	1784	alg.exe
Token: SeDebugPrivilege	1784	alg.exe
Token: SeDebugPrivilege	1784	alg.exe
Token: SeDebugPrivilege	4812	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 5328	4348	SearchIndexer.exe	118
PID 4348 wrote to memory of 5328	4348	SearchIndexer.exe	118
PID 4348 wrote to memory of 5352	4348	SearchIndexer.exe	119
PID 4348 wrote to memory of 5352	4348	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29220c28d6b646e8c287e3ea423ad2a5b93168bb55a3042133dc146aafdb50ac_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2236

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1256

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:8
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
28b221e51bacb8197f12eecdd771e0ee

SHA1
4bf41f4c455ec62830ea5236371db0ac71406287

SHA256
a0a9d03b47ead742847e1e496aaef020edce48622685f0b40701d3562a2125af

SHA512
77a05f844c0b154ff135fda78daed6bb9d13e540c56de2e4e8a52c8fb9e46feb5201b9ac349b82a5ef86907f25916c2d7a9e8bfbbf0ec544e132f7f5b4a0f29e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
51840753cfc1b5c068c45525183ecba8

SHA1
7128107bd030221ef601a9c5acc170e859228116

SHA256
b997bd9cea6358383506eb40411863d9a5f3c2d5175abf3cb628a4d3f9d8a672

SHA512
1863c4b163266d8b249f9615761d85970d07054e0cd9c2168f92d18e8a67042d591404ae67c8fc262671f5880dcd1fe0759cf8377e53ddf473b3c78e7bc1d339

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
300ac9fb29e5a9a54750593bed07c354

SHA1
836f849bfb0d89fe9c99bc313960e4aec71b4bd3

SHA256
de436f4b42712775e134be0b5ef38044c6b18779f76501f39d3726dbc283b7cf

SHA512
4ebc6b0705d2604b0921cecb5446735f68a426c794137aed59d9bbec5101af6619784fde61e35bacda95cac0fa937db4332f0be0c91703d71ed9122be0b7d3cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0fba5b38149b8a9b6521202eb8491ac5

SHA1
e065bff6dc8f7b6b5f97d526cf490475ce0070da

SHA256
b7921544a74264e70e212049ed409bca902078530ccdd9734f392924865f4d3f

SHA512
17d0d0425fc61d208f00c6bcbfcb9d94809d6f799329db5139e29da5a06ecbfca7624ce914ea5c53dc36a7246263fefe3d47c9e11bfe7356f2acdc4e598fb4b2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
73509487e0d519452efe52f66a4e68bc

SHA1
0c4e28d04a6b80e26c146d67fa81224efbd09557

SHA256
5a5261715d99a588a67aa9cc2675f735a7befbf967f6bbff86fb7bed440a90ea

SHA512
6f0920d93f0afca453a06b6808b1996324f8463f06dd383022f85cb0a8af743d710167cd31993daac2c646ba381fd98a550029a4fcfe37febd2ce8ca50066752

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7b39a68a04278b52be7c712ae417404b

SHA1
fcc239a998c1aa960b566cfb9be0e64cc2a85aff

SHA256
2d56c94b030ea8f95fc7d4ab55d41dedae12550e2cc06cead39a4ba8d47f8d34

SHA512
067042fdce8d0e0c9f30c4aa3ed3fff588cbd8257b75df410c7c04eab34d3d7a5532a271f7410c911d7fe6b99ebb4ab63941f6a729efcc9439e69f1727df2ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ea5416a5d00493f8cbdc05cf191e04e6

SHA1
6e3c800a599530d66c894f9e21d70061a607ea0c

SHA256
5594e9956eba93d33832c63b8cf925eefdc492467df6be62eeeef0b26dc9628e

SHA512
82222c883c7db4e48fe3b4e5d79cf06e0d721d402e1911d6d25b0d76c98b79d401dcfcb1066e25940bd1de6df15c6ea2024a0f0bd5e2c1b94ac1b8b7db40f74f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
80de81a2d9a245aa87c44f03b969bad5

SHA1
c1d5ae4fcdc9eff01b25d9e418c7bd5c339f81f8

SHA256
e57c6d4ce938a5229259a348c671a0444bceeafaa65fb29f50e05e830fe558b6

SHA512
0447ecbed0a8433d86d6e11848d709d395dfa72aa15f4f9b699891f279f4f1505d771c40394fdf88f99b07a63018e0ae44e0028552e43c88d982290a3434ecb3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
025557adc1bb56df465eb254f46dc615

SHA1
c58f5e04f9054d2a511766b806ee58729cd6d713

SHA256
8226ef576d3114a44adc8a3598468a7ac2f6b0ee96745a1b180cd959b506e767

SHA512
c027ae9653e3e9673f6b736c3eabfe18418ac10569333da16b46c800e03889c37c6bfa129f910222d4e4a96e7a4b6cb46b8a8eed30b739ecd7718784494d88cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1a8f155e8ba88cdab6dc26ed48bc36f

SHA1
04b25753ad20f83f130a752bfa34ed3802797008

SHA256
3b379fc42cc0723db44de677e3112371c17538926e2400299b046adb887e3fa1

SHA512
9bf33342ab2e10eb8a22bd9ecaaf3f9e2e5e388014d44ec138d2b0194da4edb11c861a5da287d516f0ccf6d2dfcce14da64b7cf963f5c026b93218c0a97443e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3c4a298c2aa20ebfaa1cc6023b1edd01

SHA1
5c962dde457754fcd1373edb43a90a85619a3d6b

SHA256
c6fe1b79c7a32271b4bb1587dc50bc983e1c82cf7e5e8674a8ed757cf1bfa443

SHA512
c59476125d80d3da7240cc17fc2e5b673b59a51e6e0be92d87604acfac9a8d2bd7353b97af32e4186356b136aa8e9ef7cf96c62b718e6e708c480659db5842d5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cc7e85f2781f4ed97ed0734057c23f7d

SHA1
4230e6946f05d35f8e39fc16d4e279b863252aeb

SHA256
130bebec56e3533b0d35e82f0024a99b8297b7f1f4e4cdb6e7851c33020fbc4a

SHA512
856147cf512b4286b896ce97fa9e863286bb7039b666825f5c5624f2e4f6fd2b31317496562c2be5c3a064ca9010b67b57cb2ff12ef23876a7dec9922ed18cca

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dddf13dfa348c376daf4d892aeb97da0

SHA1
1a4d3cfb27a6d98387ec04ef94166b0d0ffeb64b

SHA256
02834a64a6fe762a3965ec46497b453336a4bc00a09dbdf49261e8e61aee73f5

SHA512
b06bf5f054cd4b4c42b8781a4cd78abe00b06b04a4b240e809f7f92b73404853843a46a965d5f26c0bd8dc9e353c4e710f206474561de55fcc9a9e81f5ac8965

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
37991eb74f22100ef9b59bceb08ced42

SHA1
4f67252cf8c8fc71129340053ecea7145aa2057e

SHA256
eb637ae543840bc4be3882c9c1d5ebfb5f09819181f2749c2146cb2a29b5bc8b

SHA512
a23d83f23934d61425f3aa041f2a28573d2e94acb0257247ecfded15b66fef189b279e9696c774e566ab4f728edfc24f7f98982e3cd514f51ca3aca5ce64e03b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
edeb644ad64441f59ad0b8001321112f

SHA1
67c320103184f57799dfe20e745242a8bcf3b849

SHA256
08830295618c6094d92e8907ef9117b7de7eedfddb653f0738e18a66a275252c

SHA512
16a094188bafa5972f0fb311815483ebfe3c37a2c4acef47f0cf3e7386197ba7d7b09d77a33c15aee4745da9174e992dffaf112509a73697636387f387155236

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4461947b2adc389cceac604f2efd22b9

SHA1
f6d47583faa9f7d5d9d407fa17b216448cf4d833

SHA256
70d7e133164c0bd2ef7aff341f343219e9c336b10f1e12cb15fa87cd06513d81

SHA512
1eb4bebd8c361b21acbd851ae60f715289a9ccbaa4f46fda793373c1e79344ae3dc7a92f89f1fd597bedc84033670db27e3adc65efebdb412b6d5c037e63df86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e95dcac0a36bd7dee6de37fe4a6599aa

SHA1
721109147ddf4160f180d7d39f33fd801bff9df3

SHA256
f3c8953356344718aedb33961dd444cf8c05deef1bd72c34e3d84e9c93a0b4a3

SHA512
c60843678cbd3ea10303ffffe7a4cac57e1098398d1380def0b8a5f00b5c98485ddb0a2511bf88b1d879e528782fc5d3a2ca43241634decb7fc1cbf5a679dfac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e9725c6cf518d99ad5e427d63517ee64

SHA1
1f8b3deaf48ca58d6d0a0eac8b9f0e0290e1ab8a

SHA256
d0cbeddc655e88831446a5cb9dc623c617d4cd6610a9475ea6891416f256ac90

SHA512
b9c8b07e1d838b73fb750b39ba957abdda277b2cfd50550ec072cfa70e448357855def6e6f94a3cade15a0b438760164b9bc8c71b0aae40714376be06826c2d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6d48f0d17a6273c92f3d2d2b676344f9

SHA1
98a6c94d7468a62d3d8ac7080adf200de14d89ac

SHA256
76c56ced6514f88afbb9a58fbd1cd82b38cc1ea6817355dd0f5808f8d1d702e1

SHA512
8beb556eb907b90723b580ad8c87f30c28f5a271cdfc4d15792c2e1b14701a0430056196abb431131e00886dddc132771f7733e272a6113640964f579b13707a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a93fc6381172024d3cb2b11263ed688a

SHA1
329ca44c8107bf04e8d5b113a665c07b6831cf39

SHA256
df3333d02ba3e891b35e7cd85d9474f2ce85260a0c0e9a4c0a2d1b7712fb9ad0

SHA512
1425307b9bf9e76b9d094cfcfa3c89ddd39538552b4b0e1e65223d2392c0c6d5ac4c623350baa18d7e2f346831abe9417e56f6d563b2eb00a7fc92b4c485d3c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4efd7de3933bf434884136357d6fa380

SHA1
f30f1551545af67ac5d12056c5a61c4679af583c

SHA256
5fc5b98dddb125205c9f4748a3da2a96ac26c3f13a186e249d570513c87d95ec

SHA512
61faad624c3aaca0d8286a8bfc0ce21fe0b950c15f247d2136bd492cb7848b0e3d2ed88e963b3a8ed854240c962d9c0d2d8718fcb6a4687491b8ccfbd935ac80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
50b6630d81810b6f2b5994d72001358c

SHA1
639889ebaf4c1e0205d9d0bdcbf6409ee0945c40

SHA256
c10a366f65fe9b6c2d8e0292a17b52ff3ea74cd70123e4adfbf3f464db78e766

SHA512
6358ecca4ee58548fc63bf5302ef5fe55a3eaf27b5cd381d8ab838efe2267f58b535ce5a7f29f720aa9b85d4d92367134fd82703b605eeac52aac59d619cb00e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1a2fbf3a62dd21ff639782d2c0f42929

SHA1
1792c39f776eceacdb8b117e891c173acabbbf68

SHA256
701323b6ad1d0173adb1f80982fdcb030460f9be9cdaf16a964744384dba074b

SHA512
f47465ec8597d482a5cd3a323e85ba2c7f5a02ca5ac74036b1f44708c15354b83c53202d2fa2f65d890789137bd98b14f65fa0384b5dd4fdb88e2c5fa5a29ca5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
431bae010c69d697a0f5ca32e9f35885

SHA1
0b16a6bb17859aba92b6357fa8404c912a50939f

SHA256
2f7937ac90ea932c66dbc828dad896bc7fb108b616bd20ca049c3e7d320b656f

SHA512
5299a6af41d294770a37338bdd85ed45f30f7695da3d022545430e23fbc6255c126c7d633ad2b669f6a3478249cb2e3f6fd79c37034b8ec8131da0427420a30e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c5f0fb9b3b08b3990cc11113f9c135fb

SHA1
11cd19572374863b7e3ebef8eee6676ea8bf59de

SHA256
ecc8117c27efe6e824dd22a2e7c96440cb818f8cfb558cc1162b5561b949f7eb

SHA512
9776c44323e4e31faf57ec1c780d5ae6597c6c4afaf4f5944599c7196e620559c15ee997a7d47c0e062dafaba622d0abdca151ce2321d8699a589687aef7bbfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9123ca959c4b5b42c10b9b7215d17802

SHA1
cc4446d669015d62d89d48c3ed649a3bc8d75ddb

SHA256
ab891cb99107b212bbfddc4c574bb824df4d487412ec99ba689c83e98301dfb4

SHA512
3f57f698404fc3717fe0fbc9f2d1b0489f20e78bbb29b51c5bf929c1542c4693f5fcb394db770b309f481d5dc403a32c0b58e331aefac7b90d5ad983dd0cbb69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
fb5e031ff19ff3ca53e585f9898b6589

SHA1
590e027c27d28bd09506a891ed8d253c1254545d

SHA256
d23fde580088a0e9d04ce346a497d040001cf813c5ee0c0bd0332cef32e39a6b

SHA512
f8327b9c831b5b74d7ec6d30711ee32e0b0d75f9ad8a25f05c6269baebbd4de6ffbd4a9430bcbd27b3f432fab7fb51c5bf424009999ad645b6e5657cd9d5ec20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
671ea32a3dd310e364b0ea24b7cb10ca

SHA1
7ae5eb26f3fda293c88d93bfaaf658d42966998f

SHA256
1a437d1ae2cb4c59dc221430bb31cfe1c7bccf60cae247824395f035be7adf66

SHA512
f675ed3a859b5cd3877fdddf360d05df2eefad822e3987a32a6b327309bcee7ee7576f70d6442e115e2952688f852abac5e3b8e4058d858d7e41a6689b33965c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a2a69be7ccc4647518490154b38c4d90

SHA1
31728ce1d6a94f5b3258d25e4d1bf95994d13497

SHA256
47b2d90e498b57c317f970af233ef2febc2ca7d8d98bb5cea97b9d002aa60219

SHA512
ce06e6e74b2415765a3c954d6740ad4091c5f717e6aa14286c16a1469a25a0545813dc709c08b603cce9a6c56d1b1eefd266542226f0c76a28d877716f6e812d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6688dee0d6485b86bf21326fad824a59

SHA1
9c05d0eba0ed035f3bd22dad863933333c6ee28f

SHA256
3c3e5f6e091f4860519736b2a22f69bcd240ec4aefdd3d176808cf0494f903ec

SHA512
c16c410dec2810ae84c97f35e79555dc7c149bdedc86aa9c30039b32f8a4f39a04a378f2fbf10764cc07f8f42e97ac9b67deeea56e3df5eca4c91a1f950dde0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d891d256c96afdd49112c91d194d6f61

SHA1
2c8d089d771c7860da93f3a4b0de74123099920d

SHA256
854327182fbf980843b609ef2efaecdb84f256fae22ed4e47675117a8af791af

SHA512
b5c0dce3f95f3ddd7befd7127f02bf40330962cefaf20dfa8b2771c1c92134f274fb517d30fb7e551ae8f020ce41387ec806e8db2a6a51f464075ae8bb2e4b14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e1e0879c19ec0b3d37722a2d020be755

SHA1
01b87c59f7006f4f43aa7ba1305518ef97a231b4

SHA256
196d29e3f71a585466c0c15a8df4a09c1c0477a38d822043d703ffae563a8ff0

SHA512
6694b36ceb5cda0145936f9c4954bd269df8159f289858ada447ba5a3fd047dbc8d5179832d203aee409a8a313118a08d435443c011dfa6b98b1c6c7c14ef857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8c6ef4de849301a5a2b047c2d1c090d2

SHA1
dca269338b5bfc449ca2ec8616bd6ccb27824ba7

SHA256
b9a6603ab36b3c3c12b744cfd3cc49d7df51c241bd98440f233caba8adb2ca99

SHA512
5da9a52be8caa848f0ee67dd5107df9747fbe65661af61ee62e49a52a559b1b4710f14dd0c92cc8996be6246ada11e075ed833d1a09e583504dabcdb052e4563

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
80d8ee84ca30c68b27efe9a472456e4d

SHA1
6610390f9e55c00856d9081b6d996b6892741226

SHA256
36e274d54cbc69a4345bfc4e2f956c7db4048f06a1498368ca47e3e6137bb047

SHA512
51bef4ac6106d68cac81615110cd2fe31d62e245fa2039a949645cc06746917e6c7744887893e13a2df772093f03d199e809e15ac39384c8dd5ecb271f7a48f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
60329451ec1a7b7c74a70d61eba42137

SHA1
15c64a7047210becb70ff1baba066694b22feee6

SHA256
af646f09b10ec6bd3161fc9f023d90b6a8885afd3c10d53f36e497622bc92f97

SHA512
bb6b0df7e0c5dd8f7c1518773e5352270a9c83c7e6cf8572395ea33ef0b2dcbf9c5e0968f5881f49ab794bfe2e2be9aee1d5ab63ab229049bc67c1cc02436d23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2a73fee6c39363e1ae82fce41955bf9b

SHA1
1f588234517d7c3b13c8c60a11d5c873bb8b43bc

SHA256
1621f6fad8cdaf32065b6d5dddf643b4f0b6d2d483faa61e31663e051cf59c71

SHA512
e3c1d516e54e74aa7889d39ed62940d6bb0d6c5a41f3237f39424faaac94ccc2a01d6813f356944a917745e4f85baa57fe94aa9e52347fbb24ab77480a1d105e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
4fe6eae8872915da2b7278473bfe2ebe

SHA1
44baf86f812304301da634b8eee9cdaa308c9c78

SHA256
23195e4e1626972ea84787efe11f566adc8de584584853cc47cf6d302a033664

SHA512
35374398f81c65ece232e24262d155b18c16173d601fbf490c5a5d991ddbb598107dcc61a9790c22e08640fdee16bd68872837c153bdafb002ecedda5b12511a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
928aecde4b8da9098e5c3557baf6f1b1

SHA1
7eb7664883551a39267e910049e4b68746904c5e

SHA256
3cb4609ec63ee0b80d7ceac772f17e7ce13814a683023ae56b0d053f0096b94e

SHA512
b8c23ceec9346560c57a1deb63a77d2a146eaa99dfb5ab85e2ff73db1f3425a310034b862c0dce63a24c13f6ac86413d729036cc775d474b27a540b638a978d1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
973a32a79b1204bfadf639a735ecb311

SHA1
93050b91daa142fe704e128651a52760d98eaf3b

SHA256
b80159b4117ec820088073002ff9529a5d8ae9e119e257c7aa08a94e5118aee9

SHA512
73ac3e7de0933a541727fb5a9c6e8c8c2f2f40eb8afb64b7fddf1cceb776e6461c3b4fcf1970773b33cd25fa08fc55a94551b99dc4fada92431acb0a957d24e6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
79571b1c86882b6efcf94bd38ea67857

SHA1
0bd51f7b08817af65da15185310dd8ba047d5dd2

SHA256
41500e061c67e167880264b357ef35e1236ba5cdde1334cf7d2c4978d2f437c2

SHA512
8fb743a753f12410b0394a9b97bdc5a4448a0068b6267fad408e6cbe224bca91dcac5c1cc2f1a5d9f7a9fd87610062f392a61ecf06d1bfb2eef2bfd8ba705f19

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5eceee95540df5879e3b40e4efe6576e

SHA1
caf473ddce49ccd223bbec2b4902776e2af6aa50

SHA256
b13169883ce7706c15a40b4158daafd887dd05ee1443bde2b9e907f5c12bc9e5

SHA512
c4fd45be17f8fa667475fe9738cf925db0da6cfe20511bcc640decea19169b678dfda8872e11c0003de893bd226a403b6899915cc0d1325aa6490cf820774f19

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f4d569a94f2276e13b59e521b415b8be

SHA1
7d2cff20083fd84527636ce323e5eff1119a3519

SHA256
64e70a06f15bbc7a8c814ab99f7566872d17e2ecfe16eb72e495a11789c92a17

SHA512
b662288b250b2a990aea755ec3ced37341821bd56c64de1e0b5319b34ca3cf45aa4b197c75364c39d988ff1474f355b3fdd6489cb1529c6185c58fa20684cee7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
707aad9d5de7bfd0ae0af9901fb18daa

SHA1
6b90088cdb70d85bdbd25139f1964021ec82df51

SHA256
b6930fa32d9f5107ca8d72a59c5afb831f94b3722f9d301cd4d6e76426e3d525

SHA512
455396c8dabb9ecf7b5fc654d4531fb3d571ea47535284910e12183748b79d068c71173dc9fc10519ee277c345b4f0915e6994dd43b98e9b84d2b81ce47e74a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7a003b749f8b26a5c33a353467fd2772

SHA1
b8dbeee095f590c5882acf915f8e69f04e5354b0

SHA256
086910cafad1eb30b2d5642fc1fd4b0536c4ec4dc03eb309d64c74aa0d08467d

SHA512
6c26c69e412ce9d7ca324b42698b7cb110af29f7d9600723dcdbf5aba45b703a6deed57677047f41e52e1e3baed03862027f84d7d158375b4d40a429601bff8d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cd993886214201de1374f93c1ea01385

SHA1
c5078f268144f902c5dca5930c07cf4492e0f139

SHA256
f8fc6cbd5668e0bebf7ffbcf0297b0d80742c2ff129fae4d260c0f7fa751db76

SHA512
7e5809ded0621033390a4b352ac2e454517e8ff1788bb18dd721c36f7eff65631cb7e8691e2954b5b130bc5c620d203e795be010bfdac2eb32f567b6aaa81ceb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
831003540e191b7bd0231a5428847cc6

SHA1
31b3bfb9d7fe1310acb2a10ee4e60963b1aa573e

SHA256
05002aa60e46312afe933136012da1cfe4f54488b44a8c612ba1a32d772b376a

SHA512
752831e3ee8788540ffd21e36d120e46e060fad55a46e97347976a1d8b17dee68409cad54e9b42995b9db7960e9e98ace7adffa834a67dc95709fcb036cac06b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28ea774341af7051ee6bebf5573f0ed2

SHA1
69773076e2fce6c4601f53bed06fe7f04126697a

SHA256
d48a6da78000c407639f742fc255598126807e8a2f245fc5943e6a07e3cb6af6

SHA512
d1781c072d4d13703c3aad77c415092881b0cea14b8b8572f9482e72a332fc02af41fea4fa6b57e513657f4555c7d3067bb5f3812c7bccb42f8b5cd7b22aa729

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4b8c389b2a18f469f6666ba62245405f

SHA1
19336bbd384feef1fb18c97c3fe99902eba3575a

SHA256
2d46f0bd4d0e776b39eb038525811e90b3566620af68e9735ad71e5ae0af3f1e

SHA512
cd5b2146729899b6f2843ab43ed56808ec57dd560c4744f8c5fe167c062bb75a76622ba750e23bbf1b17b84a9b9bd2be2b36ae41859348ad15ebbf489f1f30ad

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fc6c9ac3f68b59cae10341a5ed4f211c

SHA1
af2a9745938e409f43f10222077d8f9af2e4e7cb

SHA256
7484999bfbab8e606aa080e45795a97d32989cdf823cbf6458331579ab3e8cf2

SHA512
8f7af3e41b1af08ad8a9456d0741baee9decf36bf8c5330662b98f2e2ca7ed88741d7d5bdc93d47402e894d3735b7a80d3789dd986f90da8f5c70ed955b208dc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d6846b89b39b9f67a26b2c12a1fc44c1

SHA1
b87fb5d0d2c3cbcf07e591be59ddfcf011794831

SHA256
b3542d188ae6f8e6bf16649622acaae31c0e6249e4947aa9b91717e673dfb7e9

SHA512
188fc3704162ec9766e6d88510567d33ac49d6a3b3b6d1b39da9a26b71da66b028b663d954281da8fd96add58f71f278ecbc73ff44fad9b2dbc871902d2994f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
383cdf1766c4f9fa7b21ffc4584ac02a

SHA1
695b6121b085dfb24ab4947eda104e66671e6eb7

SHA256
dc6446b5c7705795a7bd4165c05895ee0154d134a9ff48789f825d22ba35b95b

SHA512
74554d15d12da8469c8a04b39726ca7d8e9a56c93efb708581376865d52d4f3c60dd7a5b1907078e4820cfdae14a17381c18f96a8adb07db4449d2545f7defe7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f820b671d98b9f165ee0bc83ee35e819

SHA1
73b0d4b628912386f2f37487deba257588729565

SHA256
80e55d13d23b27b68d93ea783460352fb5a3725227ca7b85271fee203d9f911a

SHA512
4b76f474e3732d3e7cd65d52604256e64430deb65151aa8fc115e3b15f333a8b240503a814425d36c24ece528e5d09c2bc9eebe73a494ad482ede2f122993a11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
afa2701911c274a12ee0879a4a515ee8

SHA1
2c540f8fe1a991f99e8deacbc7c5f1a4951ff4e1

SHA256
3b04b7eb13d2cb7ffb08dbfadc384ed5c1a912c4d689cee09b933c770b1ca0aa

SHA512
a9c9f160d8369010516eb286d7ec4a1168b4413945f124f9215e489775d714f03f32283420ab60790eb80536a10f730516bef46b273a49f4786134b208d494af

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c23073f0de2b1b443d9e5145db4f337a

SHA1
c917dc135b4da236a3af013ea529012ff6722f44

SHA256
7ace6efb98d8c21a963aaef82ba2a6ceabfc44fe62d598ad8fb9616d59d395e5

SHA512
1a57bcab09c4b59df0d75fd43be6573ef15b1cb2bf891c01329ea0a4095d887fcf1c3eab46294cfc0309e10660d0f2f00f77705f6cff5948c2ae27eb5ade879a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4578a4f413f4c744bbbd45f5e4e3deef

SHA1
881f6a8c0e4fe77cd27011da381402841c6dfe84

SHA256
71bdf66cbe058f7f24d3942a4646891f7b9e0aeacd16c54ec10da138086b8ad2

SHA512
a09941ca0c2089459b1ed0b521197d24ad7dd69ccc3cecd6e7f6bbcc19fef5fc43322bf9362b87621fb1699e290798133189f3932589d8c8be768abec56b704c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e67ec31de2715e3052f6b58397565101

SHA1
7bc5ad6b438494d392c11ed6fdcde1b6aa8e1b7b

SHA256
8013bcc155be8c06921a1475443d4decce16e2d2eff32d57a9ab12ca3ed48720

SHA512
ab99f628bb80e8dae6b249067432f86dac9f0a108e29b99bd36de52f341b52470664f2745d713f6affd751d0c019a6dd67f5b54df2656885e0eff027938c56ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
21302d11550d70d18d4af54749a31cad

SHA1
1cecb576d8cc0e0d1cd7a8042403a2ac1ecda913

SHA256
7c1f90271bc3532730b25a028153b27d719d8498efc28987d1bff8339d0404d5

SHA512
808ceb89ce7fc4b1601140ac6622e5e59ec4dd54bfb89741cc82a8c5e6ff5c1d70663df88144505057679044837024add50589961d8845f46bc49e8641ade34f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e513cfefa6afae7c951a96330a380096

SHA1
375dcd7cd97a1424f691c451bebb94664ceb81a1

SHA256
e6979fc1a69027bdce5ff106a92a3b1e34fb4e114f7466b5fd60849aab0b528b

SHA512
a6328de102c9565ff40e845ecbb12a748c8e63f556cdf89dab628dd2c25f0bbd9f2ce09b21bf712e48b321b58546848add37ac32a77af5b1931044a3506b0eb2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a2038e5a8bdd0674fbc417626ae63850

SHA1
bed87a3985b1ba411027c482cfdbd3e5a2815ca2

SHA256
a41e106bf60b60be78288fdfda287293a8f2c2ad63b61a26213bf167b5a47e78

SHA512
9745e87df8a614c668c0b098f98dc637da3aed05e8a18aeab789eca7abe3fc3a3ac413767a9c87c16496ffa48e1221efad07b78ccdf7189ea024f7a1b35c7190

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
58cffa8d6fdc3bafa4af2b627b6d603a

SHA1
5ee5ab58605731c8cd1847b789fa1947cb9c3c96

SHA256
e9446d349f6c5e04311f6e34a83f1ad78f20686f82c01eb7095b1b0bf6eaf49c

SHA512
4a1a8d551b741b16350d6f357bb7d12444c26482624faa1cc212c564615d04bae277ba10a677bc7e7b6b41e9d791cc4e6aae20ef48d04006e956adf334719ee4

Download Submit
memory/388-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/388-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/864-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/864-52-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/864-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/864-57-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/984-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/984-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1532-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1784-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1784-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1784-98-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1784-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1856-514-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1856-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1980-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1980-73-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/1980-79-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/1980-85-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/1980-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3232-378-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3232-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3232-6-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3232-1-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3232-81-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3532-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3532-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3568-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3844-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3916-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3916-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3916-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3916-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3916-44-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4240-178-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4240-63-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4240-62-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4240-69-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4292-619-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4292-258-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4344-257-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4344-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4344-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4348-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4384-187-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4384-513-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4432-618-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4432-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-512-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4548-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4656-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4656-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4732-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4732-226-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4812-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4812-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4812-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4812-122-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5064-505-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5064-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download