ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
Size

625KB
MD5

bc755a976f6e87928e2954bf3299d6c0
SHA1

f5b0f6c373195e1412881016481ae77607df5785
SHA256

ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7
SHA512

c79460d0e665d439ddadfab54956c2a24b231e7e561246287ee8e1e1be3860769a9bf96b30c9b23ac536429e8dc7aa352373111b75642c6d45465066fc4180dc
SSDEEP

12288:r2o7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+U:6oCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1104	alg.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
4020	fxssvc.exe
3104	elevation_service.exe
1036	elevation_service.exe
1216	maintenanceservice.exe
3148	msdtc.exe
856	OSE.EXE
1064	PerceptionSimulationService.exe
904	perfhost.exe
216	locator.exe
1952	SensorDataService.exe
3980	snmptrap.exe
3312	spectrum.exe
3472	ssh-agent.exe
5064	TieringEngineService.exe
2656	AgentService.exe
4448	vds.exe
1176	vssvc.exe
2156	wbengine.exe
4248	WmiApSrv.exe
2836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\37c96524293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092d302101fcada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b80efe0f1fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e9726101fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ae615101fcada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f8232101fcada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b27bcd101fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000606d5d101fcada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000154af90f1fcada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe
2712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2540	ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
Token: SeAuditPrivilege	4020	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2656	AgentService.exe
Token: SeBackupPrivilege	1176	vssvc.exe
Token: SeRestorePrivilege	1176	vssvc.exe
Token: SeAuditPrivilege	1176	vssvc.exe
Token: SeBackupPrivilege	2156	wbengine.exe
Token: SeRestorePrivilege	2156	wbengine.exe
Token: SeSecurityPrivilege	2156	wbengine.exe
Token: 33	2836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2836	SearchIndexer.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	2712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2108	2836	SearchIndexer.exe	111
PID 2836 wrote to memory of 2108	2836	SearchIndexer.exe	111
PID 2836 wrote to memory of 4052	2836	SearchIndexer.exe	112
PID 2836 wrote to memory of 4052	2836	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab3e1c009a95a3c702f2fca8693e7dfaa75844e28381a81b62c05576f24e5cb7_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3148

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2848

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1f63969b4222c73ad7ec4c1a62c6ba89

SHA1
91833c96bb4cf712825b460c1f0047c8c85bb8b9

SHA256
2e06b6d08d08723a746d682ea79f94a849853e9852db971b33c731c9306c2c3f

SHA512
ea7a8e60d86acfc66ea9e5a5bef41741581dedd12feae503e264e5fd92cb76babe9903ab8ff5a2cb8f981f1670598d8f2b7ab7e865c0c101e79458aa2245bba0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
008709c7b1b6ef8009c21974f1b35348

SHA1
55b58976090a27b1887f4b92bc9ba5c08ac7531a

SHA256
9edbb6452a4a89007eb56d19906d0deafe083a41636d4db0a0b09af5ab8354c4

SHA512
4415c8939922dc520517929c3c98192d31547a190b67b07d88b432607fda498da1ecc2a146a586b166405f791f6d8024b7d2f656ed783e0875a34f6b470ed516

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e002657ef7ead557388a18e44ef76d98

SHA1
253cf5bd0a4448fea55a588930ad8bdc14288284

SHA256
e32adbe4e23155cc80cd3658ca61ee5b1d219a30ab6ab342d6ba850cf5a8460c

SHA512
a16120a115b6ee8d7a162973a1aeed20118e51f5e75040cd892dfd718be6fa035692f8ac832d4e71c9b68902e02f445a8783a832d2798bafe12a31d32d9b3b18

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
82c2a341fa37e7dfc276ac78d3b7f623

SHA1
dc9d26d8dc2170f2ecbe0a815d13aa9d47c5251f

SHA256
aa56a9cc2eca4068d662808b03c99250357f1a3f40586add8c35fcdaf7c90f48

SHA512
8fa3ba374b93673e0ce7a9b898ef7a95049a160bb68c9ce943608f178f94a202d11beb957e544a8c68b13ac438c8500e4f5d9e5a0cd674622af09b48b5c83ab4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f13d1fb474f27dcc5391b6dfcdfb6162

SHA1
f1252d7b1db31b6fcac0550b7743868f4207938e

SHA256
d90d7933f678b033c1b36ce858e6804187bede662bcd7cf22b01ed7f196ffb3f

SHA512
51b17ac96449baf20a7785725c2539ce3aa8b7d5ae36e5be400426755c5f3d7d2bfad0e461eeb0a8b944933679581ff8f23bb2d6b94f8f650e44086d16b6f67e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4f9a0e8474319cbd534a1e81e7f30b7b

SHA1
9095c01af3fabf681838ac23a7ace5cf8e2ee0fd

SHA256
b33dae1d29a4abd2674633dbcf9dc944aec48072380f871244cca84a0bf70824

SHA512
7853b98923909e9fcbfecf0a2980a38a2610828b53371af0968abd3c9616f8c14fbb6482f6a4fcee76b9dd6a09652fe725f6cf8f4bea36d85d4846323c6b1285

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
13225d2b3b28df8d339bf02118cc705d

SHA1
49fc2efbb1990b97b950b93c9cf8a1d5813013b9

SHA256
3563200639970fa7c61b85e668ffa5ccd8b0ba416af4a9da85b2bde4ca365ada

SHA512
e0d70b44e1918267797990bdec148cb1d7c7cbf0f24b6cf8d4a87f085aebb9a56d3adef5e920950e49b82c84f0e1034e1596a78d853e232daf268c29088c6a79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e2f705f5463cd47599ce6d5ff7ca9765

SHA1
18ec4b94eeb0fb68ec1c46b19ce7996bbbd72dbf

SHA256
85bfd7032ca04784f0eea5cb79b82dc43bf6e7bfa9bb6bd36b53380e60a9040c

SHA512
84ad6469aac2d264712f96bbd67ac5f985f91b80f1ad5477b0507633bec9cd903dc028bb65dd2f244149b329ca31fca68401b3cddf80f771392796192ad1eac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
09f9dc3dca2b86c1d9b3d58776dfaa43

SHA1
a85cfb89dd28d687f6c4c2352d3597cc751bd018

SHA256
85c88c7cc8191f52489fa21bb0d03729cce93b0ad1b1b737c0e637b64ea3166c

SHA512
63f7b99cb99d87a0af6224159d363328fafc6d40e2a50f1eeaa6124a7308748ea2bb187c9744b3601afa874d07e107462e65f93c1dd0ed9faa4c67e9b0e4fa77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
911af6edd0d52649e1ee0efe3a6e5836

SHA1
e1a6e3dbce909bdf4bf83c40f1a0e860bc613b01

SHA256
bfc4f0faf92f34f7f97616aafe739e0a9efcec48416f1e4ad1f1a0b039fcee74

SHA512
74f9b3b882bf6db44eae049fc3986fb210cc52e85421b004cdecea4c4afa4bec56ec1ac02b9c331a8c1c1ae8e554cf07da4b9c1ffffee462a3b4063da9720361

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b944219d9eeb909969c17959eb291ad4

SHA1
b457f1a131fae09ce91e595957499643a9b78220

SHA256
7e76ba27f36585e9f8541de2b7e0dfd0961b9e930c3ec05600e15e714a14a097

SHA512
f26d95fa81fd2fd8964ae32f977b12c66df55ebdd1368e5d6b18bb376c5409cac9b1f02e35adef37245941bb9f3d1bfbeac223d5176d59918a685b97f5ed8257

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ab5fa3d0672bfc34130320f69606afe0

SHA1
0e7e8eab047bdbe6b8588b4c32e6fead2ff06e19

SHA256
66d2a15db548659eb2811d3a10b9d02a37522c638941a44e14dc6c7730bd47fd

SHA512
26606515bdc725321ab983288824ff0e36b08388afbfcc7461a7301da7e9f6b519b0333fd58998ca5301059661f0568e2e8cdc2baeb1b00f4c3401b902d52807

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5926a7cc3f9eeaddd5b4803789beca84

SHA1
539dcd42c2ef29f207a2138fa8e2539c9cb65a92

SHA256
85e235aae27eb0674bd640083447ed4585bb04fb0dbec5a68d08ffd0627b57d7

SHA512
8bf4433b40107738fa9902361b76be3b988465d9a1dda3897b44f57c0fab1584996da595bd48c6db92efcc78d6bb0ccaab06ff2a83c9aa5170c7191fc45f9c05

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5f5918faa9e7cc81cb44b5ed1ef3f8db

SHA1
1d46550105bf79b0b0e453200d79ceaacae4da1c

SHA256
ded6968f530969600b493b039014f54607a7ea42ecbeddb3e2f5bc6187960ba5

SHA512
4f399571d6daf7433b6bcbbbd2936a82456cc23b3e75753121acbbfbf615a47b72d793bd81266d3ea7579cc54490bc09727d4beab73e874a3695e031f6727788

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
17650cad4d8e4299b69dcfff9480b22f

SHA1
ceb2cd8a0ac165c8183ba8c9fd8aadb40c09178a

SHA256
226561c6bacc9aa6c2b5c93fedca01ee01289e2d3becec53756b56e6d3f1fa4c

SHA512
5c17684170beee99811cf2172c04aac20fe2d450ac5331c99521ea7aab3113097213ac186a0816c69a1d2dffb997f6e560b1c1e082e9366aa5323b4b46721304

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a2c365c4103d85ad92285b08b730366c

SHA1
9e45e383b913d2af6e831064396c90b90decb4fc

SHA256
2cf73bd871d3f4550e9736d6f575876f38008ed5c9449c209ec4db1345d66ed5

SHA512
555fba2edb33256261384f0eb98071838d604311b1c254eba7e4ee99f4e9b91f5c30a2bad21353b596ae5b21f938b219e06eab09662e7c185f6d789754d6a94b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5fe4d2d156ced085d4e66532049ca3ee

SHA1
458d99e698b542cd8e9afeb41830ea73568528ba

SHA256
c8c1bcfca6165b5d4d34fe6a63a4df55a954a3342a79ab6ac85a324dab457a50

SHA512
0f54aa135536bc163eb9789482876ff9b89c199edad8ad1cc9142662aa632f9306ec77a4bc0b7200f6a76c182347a1ad4d0bb326b3581b79d60cf18741b7e0e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b0eb78bb61a422cccc9cddc54ea75539

SHA1
b1acef76640ee9d42a0aa214f9fd51dfab9fb183

SHA256
8ebabce916459d6f3594e904f9a42a8cbb24caaa9a1619573cc2db275cb1fd4c

SHA512
d8b644ae726afaffb87c2561f641ea0612facda98cf5a5a5dd7476bd90150d8a0524e4938a93a18ac24604651d631881968ef86804da8760b2c3ddd0abed2958

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a2a3dab3a773845433915d73b9caf5c

SHA1
93e350470dcb657435fbe9016f0a03f829557671

SHA256
f492ab136194a489e5879405b35f06f288bda44f628e62edf9204bfcdb9cf54c

SHA512
0ffa14443798a5a7f048f09d180deec33ff782f722eb1882923f909acd0442828cda48ff9c0205c3b7674d98ac0dfbba9adecdd0381d15fb4a9274a4d92afaa5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
190bc46b5d33f8ee11e66f10207dd84d

SHA1
56c4e37be8dba2489c3ecb72415c5891e56d275c

SHA256
4bc72755b45b891a1f2baf4b36fc28738aa33b686fa1eb1ff63b2849571eacde

SHA512
69c86c045ccd3d69808efb858ca7e7a8e8b653117ca462a9c2211b3c50fc561a7ba778e62a7154d2bcc4750193e45ae1e91e7f7f790e9335de71504e918e1048

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b6d664bef45012289d7b41ed68ca0844

SHA1
17801b37915b09594d63278125906b5eee5f75c2

SHA256
e5c5dd43ef5bf0b498c35c14dc85692cf0b3528e9d5e2056e26bf9419a253b61

SHA512
b2d76cdf4946c3e62373ff8e545c2a4fb37b0f3854eaa38e1a3c9890306688b3c2e5d594d0bb752a45d109e5d16b0311273e930ba2bade3da8e0401fb5663eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
94d58c8a4f17ac26cae5811f94e248c8

SHA1
f40b1416e0d9cbb336916e185c0e5955d1cc6506

SHA256
2c1f5c3f2e3bfd211a8c3c93cecf1cfbe3024317ea3b2cbddf5cf5e5a38406a6

SHA512
cd0f59affa1f553a57ca5f478138f3376c482761611d6818433847c34c0805b50e9fef3efd629d0b27aa2ec264e2850e47617a8ce90c7665a05947de40b45890

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7ca14c114d72c2fa145518a19c68d64d

SHA1
43b07106863eb8428af2fae25e59828ffec7f2ca

SHA256
fe48a12e634e445398d0ec9ac6e190f2fd1d69023e37e7232391c808e8505b0e

SHA512
44c52e56962f1a386ecab47be33cbf6e46f889f13bfaef3ebdaaddab241b1ffc0bb670e8b93e61b4588357f8c843372c87e426f7b14deaece836cab6dc69dc0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2fd25a3728b42931927b6638c55101df

SHA1
3ea21f570bddecbd2d139a1dba96697fb905ec61

SHA256
54d682ff3bea99e5d44d55fc7c7f7a260c6f1f6b2c3635209f6e9e6a4066e61f

SHA512
c8b0993336b0f39fb0cf4c255d3b0c7fac2f910676ebb16c2bd75240cefb783cc0196c131199fafbb170c9d6769b724ed9de22a33e51fe1c1d7ab0a81f1f454f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
40d42b6dfb368470de2d7ae9aca33123

SHA1
4ab4bcd502710697e887d2a3c5490a4bc5cd5221

SHA256
2e5d933a88205b3cf01e08f21f2ec23bb1b2fe1cd8e0ccc748f937587b4f5076

SHA512
b065edfa7a027e235767b2e1d22987b33eec999ef77c8e7a3a4614d1cd1436974ac9e149dfb241dd9df2aefcab7df25fb8b1cd395de8aa9000526471f48cd63b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
af58a95a50081093c0f240a95615f85e

SHA1
38884b3d6a4163bdfbd917c195d8a27374f815a3

SHA256
9d13171cd139bc0554c59337a60807d00032a3f0a62a129cbe3622db967c0f5b

SHA512
a1e02d1472a9c84ca0437f43789be370eb00a950ab636b6a275dcb36ec516ee05e1e41dbd86d378a9d8aacc3579c35f2407cfabad6c5e78ce19a7de01a276222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
75721e4d41dddd782eaf75eee80dced6

SHA1
a62f99b006c5a8d2e3ba488bba63bb94f00e5ff5

SHA256
f131aef5dc3fdea8c4c379dc3bde4fff8705d6de373c50e70271595a95da5fa4

SHA512
0a0275b436f8c9c16e8bc7511e82ee0cba1cf8b000e7956ff08975364541f7fe229a4d4273caa01ac282599488f373530cf55638aba7ff04caa439b80bed0f07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
29c468ef963d961273440f0cc7283061

SHA1
0d6a60e5ccc452840008f621602f55af89334ce8

SHA256
42ef940c44d284aec6cb7b040226b5a44f06d05fb0744b57459d80609307f560

SHA512
b2aea263884ec931567d0d9554a207a897dc02563ec47fb137c5ab0d089a818eda7669e94c69679ce126940891cdb713a348f8232e046bae4c96118e932ccfc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9f4540a675f87f0d75923624a830f309

SHA1
f5dd3845367c57ae80a165aad6646dd511bb18af

SHA256
02d847be52f3056013da5e03c87c6430e3ceacca7b032905dcd828adb4d8614d

SHA512
f08b049f5ce26e453e3ff7ede1325fe301680d03b7aab2258bc0b8ea271c6240345ccae32744828a378566b81bc0d6cb14aaf83207d2a7c8d7143f862ae8ab03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ab85242f673f38a656b310f8911819a6

SHA1
9abf44439c2aa48ccba828e5dacdf9014a4e8830

SHA256
dea334cfaefdbe9fed80a141f88e5a645fbaabea5c114439797b0ce1b31cb875

SHA512
19393027365c45a6a626095f494079b138217f8c9585b1e0acf69384ef4ffe07912f430cf51ff8ab4fe9c90627a51a2cd539822272bdc4577ef039cfd1d84b8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
191493c40f5e067bb29313ab520b2b0f

SHA1
602d302e3cd523a5a3a90c807e232d1deeb03b57

SHA256
6bb0dd0d0bd48ffe03e6927351dc8817be2ee41ea4e05c37926cf4803ccbf57d

SHA512
72fb53c557211fda31e062a133c48cbb3c7238228ba386ad1fed87efc73abe189dfd81ee08f0cd21a76d72d1431c356220accd10a3d2101e797d167102753b2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
07eb0d8b988f3f2cdb4326969c06d27c

SHA1
34d0a32efbc0286fd015540efc8a9ce5baca93d3

SHA256
f08dcffe3e216a009a56cec0d0d7abd4ca103b9bd8077028e9672d6f898c5546

SHA512
abd8d6d134a23ba9d381f0fcde30da7140d248a22dc6dbb13cd2fc4862319cb6eda51b75bfea1f8260f08a63c78b3ae41b6ab9f17cbfe58603bc24a806211b84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8e05bc3c03dd496211060881c09ad004

SHA1
efe075265a3e6361ff6b9c8844a5b0d2783faf8d

SHA256
0bcc90c860a48849c42c6cdb04847190eb629a4f2c4d3ae82a8b754ed425751c

SHA512
7067376b3d5716ca14072c51364fbb1645b9ad7a63b57a4de2ca6c35006384da7f013b4237514a7d83b2e3a8157a096af46593d1252e41396f543343e4da4f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9a74281892df5fc23b81c11cae9e83a0

SHA1
4f46ce91c77bc524423e936655d6582f4402c393

SHA256
9591df356ac99dae9b09b385850175fd69f0930725e74b02ce6ac5ab61de5e19

SHA512
3e6a256526c66f475414e322c9d9fcfd3d75d4fcc4181e900c2036095a103bacb87684cf6903d65906193a1bc3ad644c20a19542da1577a35c6f6929e94e1620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6995b0f6cb49a3c22acd023a13af294c

SHA1
8270a1e541b4598d4c6d063471bca8148156e6fa

SHA256
810bb9a93cabc6c40a2e975b86b64f8582515006f1742adb8a885f3fc018da0c

SHA512
d96c7c07982975855a3a1529736ea9e68ea72a6404f31dd176c6c9a11b3394cf16d9367e14fa2d13ccd09ef5380a84daaaa4a5e24c191e6d111b3e01ba51d786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
afcee57723bc77b90ca2112574f32963

SHA1
4c2395d5dc3de1cbc4d03175544029b5da8232e0

SHA256
6dccba2fbda03a63c41c5b0558dccd3fda83c1dc3a2be65d3319a7bd2fddde7b

SHA512
12eb8c82f7b58a62d9d319940285639b5b67c3ff604e87e3f63225a7e78339f732443becf284eae408f87fc33c805f415feca0e9b63a581cee74d3bfd4ebf600

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ddf98a004ddd6735cb6a0657e2506cf9

SHA1
ba09719aab5b74289957f99e6d87fa4da7389c7a

SHA256
9be1c116e2e2849a29761605d4ca90fe5dd0196849262b85025c8fff5ef06a94

SHA512
4b2a9f490630c9f65846a909a1faefdd65e88f9ded44dc0b51fbc7f107f6057ac7773a23558e5a6d00456ad72f12aa8c3b8892406c68dfc69d329813e14c6140

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8e732d34a81d87db159591a532ed3b84

SHA1
03b32a438c80894157e0f32eac01fe0b113dbf90

SHA256
2691a35c5901a635e9534807e80728f98bcd7f8938b0b2bd8f0b8c7c42042ef6

SHA512
b00419064d5537c7d64be8b19156a70959cdd43d5630f03a669f18adb413ba220919835c29b9b5b209b23bfe34ed785dd914765b77a6772559a7111a9ce491d0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ad13f7c990bbe2f23636ca131bd74bce

SHA1
3462743347128d99fd75d7d28eaaf0261cc98246

SHA256
3d8e13bf114acf60bcfb9fc50ab4255ea6828b617622814c52b8cd66552bc5c5

SHA512
bcb8c9bf79f356344ffe08cadd8f4609438e965d723a6fcb96f2304099edd2f74fdca7a48eb4c60d7a03ce625c99c9725bf81535eef110cd7a7a2d222ea8e9aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
da1be9763a330e512e804f7a19914a18

SHA1
0b5bae1222f0cc73fb9723750b323ebf01341166

SHA256
ad212e175afbbcf6ad73c084d1304c59de7c1ce373001fabacfe91c46eac0364

SHA512
d4843101ffa0d3ddb17eed11a166afcf038af821749604f7254a2a43899a15fdb5aebe2c035a9932ec477fe68bcbdbdbe43ce3c33478dedaae3c27ecb6c4acea

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
77bd0f19c1ede792052b9e84b464e4c0

SHA1
5635b56e3d4ed489933a1f6f34c154785cbc4a05

SHA256
2df0585ee5779d40d6738f315d24bc2ce7a27cbe1cd89d97ab544c62f285ed1f

SHA512
532f8fb3927244bd0b82251e593ef048914cd09d2f900d17b0450fef4bf844c5a8d6a2ae0be374d09bc510447a5a8b122ebe79144bea1790684128a3b6c81ca3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ad3dcc28fcacc4923860666fd0c528d0

SHA1
eee40f3217dab087cd0ec9b55cbe8fd77f6ec59f

SHA256
36692dd149bbdbca5361ee5b6b88ecad4c578ceb05ac92749a1a2ff6f937e41e

SHA512
1dd8d36f6a39a3234dd55e600811ea6d0b967cf22c6399cc4668c7df1a0686e8aaa78e9ba76fd09135008dca9f8ad08956f7b70a90401a7ba7a31438c7442510

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6b80fb634e9f3687da94ef1f67666f75

SHA1
5d5cf63a68004a161335fbdf851e6a5c4493987c

SHA256
0a7bac03446da73f483506251fa9bf558072426f53778a5a2dbe208567439abd

SHA512
d1816b020db3167988ee0fd87700e5a7cf8c107243aed2ea31daafd6d457a46204bc6e1da71f833368e07e66fcb7a0fcd6d44d1edaf35936a3ab780c04c68fd4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
38b07a99d318e791b4d06d3a82ed7ddd

SHA1
a6360dd1c45721bbb622acd2d449c76c4cf7dc37

SHA256
de49c394af722078a33943b6278e2539b25837a4781392aedf92ae823ef3f6f7

SHA512
6e541a91867f8ca56f742f9df49dad24359911be2a2b19f3396b85d4fcc4f809595205752b682afa55d1a81432b84b3418b60f3f282e3d0cd8aee76aa71ba104

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e3e3650c653bfa7f74a651142659fda

SHA1
16b682b395fd2d6e578be79abcbf5d9832a2fd8d

SHA256
191fb268e9cd5ffd79c25b368a38492711cc501d9ce43703c2bbbbf61fdcbdfc

SHA512
8963aa2aed33c685b94cf1feafae0f95fc81f5bbbcded0c3f9d95c6e9a26c47c2def26c3c5e142b549163f33248df23dcf06595816ee1548ea40b446622b9bdc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8a8520ba86e5ea75eba4326f5c6be79b

SHA1
c8c3bff89f15da7bc22cbc608405e81d4de76b9d

SHA256
5cd5a7fa8bcac1218f59a711714f31d9f60f4c122d5777048ba6dd735d4ccc4b

SHA512
74128607ae2062a8e434293517a0b01f4c42ab3cf29add5bf6b349f09d4062ad69a4590d0d0fd834ef43645bd43e9c7936625225bd7539cba65e0f93fb18b26b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d8e30ba1b555a28a211e7204a6a643df

SHA1
bfbe11b38aa12ed5a8f37dc1dd9bb066d26c33d2

SHA256
2509f1185b8f14e924eadc4ed19438c677b4f0a4203cc9d8e5ceeaaebe28a050

SHA512
21174e018916a4b0bb2bf5ea94a8823822a876284862a6db69c4c9e4cb7ef72e31966ab437008aabec7fc8284b164c2dcc4410b3db702c5eb1e335ea3142e27b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
407f1c7fac8ecf0293691a31e1684aa5

SHA1
8aa5252fdad6cf004c53d5c2f9da37e0bed67d6f

SHA256
f06fffd66340282047b42850b07fecf81c481a86d2ac01b9947b7415ae9f8dd9

SHA512
4ed72d461bb32e39baf83801b40418f6329e5d6900a6eaeaa5994c0c96e0bd4291a4c20316826c5f0651979211c06327459a8158a0b263c2a3b5cb2c074fc921

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
496b0654d6ce8a2aa506ca7345681816

SHA1
ac463dad8b12ab96d64c465838788a7aaad182ef

SHA256
1c3f76065bac3aaaad4f4e56168e1348957442097cf09b490cefccc438b85379

SHA512
43fa3a477745e9caa1fce0dc529d5e30abb82e593b3ee9fee0b0da8cc27f1b47c0c7cb800550bcad6b16fbe79ed6a6a23950d5267c73fce3bae8423a7968f92d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
76d494e64e4ed2465bbc079d574288bf

SHA1
4e82b58ec3a66a58da443e66c2be2ee28c2d4b77

SHA256
fbd78f740a9a77de9fe429a975693ac1f8103f4a77f3af2147c4cde5570eaa5c

SHA512
cdf3c6d18f012e22ecce238fab993c951c2c6f56ad56427fecf69a5ca1842d09878226ea3ced40cbafe14b36e1f6bd7f13f8a3d5fb1dc2bd5193fb43ef51f37e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a74667dd09a19ebd57132a886feeb062

SHA1
cf8ae28396d58cac87d05584c7b3095ede65af8b

SHA256
26ee8f5e4cc651ead6033eb40f29b845796aefbb9fae393ec959ecd56371f5ed

SHA512
69f0da02685858a98d45c416b7851d081a726f585a494b99c03027ce16a483f2cdd1cadd93fb329e9563bc1c7a5b314fa88c151633a66e7f2c1f8d55d5757117

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d091d9134dd12c9151ae61a5904c3978

SHA1
e7927505f4b863b4cf3684cd4adec150a58c927f

SHA256
ec700dbf7826d2566a18f364a36813130cd7b181b3fedebefb02fb10cd405f7d

SHA512
8a961195af93513bdf9d38ef86ca5bac28c238112bc0749c914983ca083e4ed060cd8f538ea976b4f63dbf6eae88fe1754d9e1553c6fbc2b5360a004b4c9d1a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0878ff91cd0377026b44dfa5be8cce63

SHA1
a55227f7f5e08310aa53b6cbc76240a434929e58

SHA256
70019cc44f62876567ffabe60266305b53fb2354269914bd42ae01d77c34d85c

SHA512
bb8446dfb634b253b4a1f1351a8324f446e8e726e1f7b4d347c9b3683f1e9da42864dd97db6e92bf7a175e444acc92985934f0ec6a03b56ee652cd958a157bfe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ea317303f00f002876a3f1042d629ec1

SHA1
4c77b4631e022787c95d4859c971c2e424ea8337

SHA256
22641aee5b2c64b9c8ee8ffdbcade665905f4d73d81f346758fe1577aa8a5a11

SHA512
fcb9ffdbe5c0186602e878a167f6247eef5e60be598cd5612074d88f8da3ce3f000f35dd7965a5a83a7c6ebf27a1127a993a54ab0983bf09b5e36b1025418482

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
610aeac74577fa0094be3f9191bebb19

SHA1
251ba01c3a00c50bb41442d2a700a93d3db36dac

SHA256
e1746f542a9f2c0e4ac54500f92d15fc1c2260ff0cb881c472ac10e40d95b0a1

SHA512
5e23cc795ad87ca50f9a4258254d172c698e67e1215c3de246b25ba8f4b8f37fc7564b0dfed1dc8ae05ea946637cce542ac39f1845f9c7ee489e6d87713bef78

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
da40b42386cf16a898551199d664118a

SHA1
a06f8269ad1feb1ba6c0b82d495f2a4058dee9d3

SHA256
dac71891d4cefedf2e754e9a866943396568d7109eb363899af69391f5a1b8ef

SHA512
4618b2dd2de4c21050247e50174f3740a7cc27abc643e7d6672b617eba2e7c51514d9852ac6ce28b9c5cd2b1946036b14d453730318b50ac0fb83bb98ff45d5b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
033cf08e27ec5d6ea79fe559d4a84b80

SHA1
4a4a9560b3127b2d195906cfcc7be8bda82d1bd1

SHA256
d91ae17ae6fa3fa66c041a6dfdf8980edd9e1cf6e21602a1f0726fbcc1cd3b5b

SHA512
905598a64f058da18eb8ce851349e476d7afeaee6f49c7f7efceb8506cef06017ccb93f4b2c196d16d443208e98ba11fb61b9544ca3e3141654154dc4e1f1d8d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0de16e29fd9258b31b171622bea4688a

SHA1
33fd4779ed71e04c990bdae4e8e2f53d8d3b0453

SHA256
bcea85692cb65e54bbb54dba6a641b59d7acefdca60a6d5fd998f3630bf5b46d

SHA512
ab4aa84d2da4d4336ea9481925afcdafe78266a189a35a29be1c0117a8be802098a687dad71dd8505879d0fc56e02f2a95ed510b1ddb7056a8234e07cef0664a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
721503d5840b49190a6aed6f89ff6ac7

SHA1
b0305fcc93135b413abdafb9822878c21c92499a

SHA256
ac6e4bb564da4069e0b4128cb96665795a8e63644f448875aa1fc47f8c9e9b1f

SHA512
88d3f82b39fa4dddbc087215d0a95e28de7b117d760d264e7d58394e426aafe6836779cbe4a0ae8d4af235aa8c5e616b9e42b4fb3d0bfc41ac6f4efd1e6b16fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f6de8d515249c8c6c7da1c7590fec875

SHA1
6fd6423863b932834302cf0dfa5c7050b12101ea

SHA256
6ce61fe0377846b8b7b94d9d68fd533f42144b7ff76e162311c77ab93ef6074d

SHA512
bf3dd534a7510e1b6b133478e7b9f7eff03d6c4ad95d8e08ce5cb0236804239bb062362cf56549512374d736e106bb5cbde43e395b4ec7fdfb3fda44b4c3c234

Download Submit
memory/216-249-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/216-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/856-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/904-237-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/904-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1036-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1036-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1036-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1064-112-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1064-225-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1104-95-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1104-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1104-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1104-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1176-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1176-566-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1216-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1216-80-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/1216-74-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/1216-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1952-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1952-262-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1952-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2156-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2156-569-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2540-1-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2540-433-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2540-6-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2540-72-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2540-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2656-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2656-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2712-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2712-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2712-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2836-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2836-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3104-47-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3104-53-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3104-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3104-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3148-90-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3148-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3148-84-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3312-555-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3312-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3472-563-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3472-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3980-443-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3980-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4020-37-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4020-43-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4020-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4020-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4020-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4248-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4248-570-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4448-565-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4448-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5064-564-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5064-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download