13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
Size

648KB
MD5

e2aeae19142994f8876d0342ba4a7b00
SHA1

3dc35b0f9d1c07e96fee1789d6d672eef43ce291
SHA256

13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425
SHA512

134838513ee58d1ca5210e827663035b26d254bd024fe782fc54be24484b8a5d5a041989298e0c21b6ab7234a47e0eba640b6b3f030901e440ee6d41f523b598
SSDEEP

12288:Iqz2DWUJqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWNh:pz2DWPZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2840	alg.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
1188	fxssvc.exe
1908	elevation_service.exe
3832	elevation_service.exe
4720	maintenanceservice.exe
4672	msdtc.exe
5036	OSE.EXE
3136	PerceptionSimulationService.exe
3196	perfhost.exe
2540	locator.exe
3988	SensorDataService.exe
3500	snmptrap.exe
1380	spectrum.exe
736	ssh-agent.exe
3204	TieringEngineService.exe
2836	AgentService.exe
3372	vds.exe
2476	vssvc.exe
4280	wbengine.exe
2876	WmiApSrv.exe
4904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1a14c0d6c3a5208d.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019bfb12586cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7ec1d2586cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009faf412586cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d255852486cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1252	13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
Token: SeAuditPrivilege	1188	fxssvc.exe
Token: SeRestorePrivilege	3204	TieringEngineService.exe
Token: SeManageVolumePrivilege	3204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2836	AgentService.exe
Token: SeBackupPrivilege	2476	vssvc.exe
Token: SeRestorePrivilege	2476	vssvc.exe
Token: SeAuditPrivilege	2476	vssvc.exe
Token: SeBackupPrivilege	4280	wbengine.exe
Token: SeRestorePrivilege	4280	wbengine.exe
Token: SeSecurityPrivilege	4280	wbengine.exe
Token: 33	4904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeDebugPrivilege	2840	alg.exe
Token: SeDebugPrivilege	2840	alg.exe
Token: SeDebugPrivilege	2840	alg.exe
Token: SeDebugPrivilege	3968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1620	4904	SearchIndexer.exe	114
PID 4904 wrote to memory of 1620	4904	SearchIndexer.exe	114
PID 4904 wrote to memory of 916	4904	SearchIndexer.exe	117
PID 4904 wrote to memory of 916	4904	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13f305da2af6144fb4caec20d048aff46e53b52a0339dd4fce7efdd10d8ce425_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
1⤵
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
8eca7fa651e76dc4a1ac98b04de4155c

SHA1
6dfde123c9f96d30ea2dd75051049826218d1d4d

SHA256
ce8edece4829380f5c658f2ce7295d339a326a6704f58029c1f020e230adc1ce

SHA512
eff8bc7a57a25327107c7bbf76b69f9490234b9921164922b0694df8ae401e2fa4c0369349658acf384bd2344b0877b5325a34dece8683f256d09ead63ab39c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
43d7021cf7eaa9ece9d7aed310b2fd89

SHA1
86b5cff63e6338ee2e7e4d8b417e43501b6fb307

SHA256
5db8dc118b97184ec6dfa4b8d9e6836ad8e4fe9f034327dc4f5637ca31b4f0e5

SHA512
11faa0e09d19f2a9782bb8649b345517475845ab5d17636d4c5ab136ba0e24a2c8ed21d525d65f16410ba1a179bbcc778489139ff35189e4ec42abbc5b4caefc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
634008a891d52304732806f04aa5d8ed

SHA1
7c43a4a4add78611b40e9f51693b4163bff1018e

SHA256
71809b6bf66a50ae261a6f5553f45f169221eae54a95015ab7a7f9d85c77a795

SHA512
a5d303fffea351320ccc0ffc6db12f59bc0a2aa60a18b5d3ff464bf6c357b61b521d2a06e7fc32e1a69e76a6662bef328b86ede4a21f76195c57cf40b7fca551

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
407532e0b2f2a86cb136240de026294b

SHA1
8b27d9e25871b7eeb5afcffb32ed056a472d120c

SHA256
7509c7c4e99a1854e12663fc323fd123d3bcfae8f617302a2a4a46d5bf1b42b7

SHA512
67b6713935580e5f4b8457d99bb43318711034d5486254b8f4c50f960566925dd55b548580c3e560dbb1e8cee3ea403d0d8c2fc0da902dba1a3ec1ff66d0120f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
baf88fa1130941084856fbe087f918d0

SHA1
3e85f355454ea0fe658440717c635470c95ceede

SHA256
a5fb1c6f7344acf1056a1849d03a1cf9a014bc2ed3fe06909ce3bbef0082fceb

SHA512
726cc6c18d94ddb21aaac6a39d8716c8a598308f6f1c1489b0b589146279b40ce625333c04496f8640d55682eefebcd02e4e1b2385a162082caf3dd329f1c4b1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e1de51b9821dc6dd2dd6b97ed39be543

SHA1
4655d28c0a1d5abed31da92c1bffd73525c7c1d9

SHA256
72e97e3802b8d4c2812b396d2902a5852ee0b24893a80bab6f42037a03a0a379

SHA512
1fb2125c747cc378392a671136cdbc1fba3f004fc065249bd43c65dc912c3bb8a8014704236a7dbfd7da39665de1dd12157a855a8d4d5b53e5c852449e5b1e91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e03fb97ecb95e66a145fd14ba40e2ac6

SHA1
817c3344c115755c1ce5ad0077f19184c59fc999

SHA256
8c6784983b24f64d74392aecd1db0427726269b1cfdf7a05ee1bc9d1728301c3

SHA512
89bac34e11ac5e452925b677d5a24bb546b27fd9db0448ea09252f50dd09d0b81278726b655eefcb77e84a0862b456dc55aee88ac0796d8075fe2e0f739f0f22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7cf51820e55ee56f00f0aebdac53bf2

SHA1
945fa7e5213469200c28ebcbb0fe14410eca884e

SHA256
cde6ebc9ebca3087ddaca62e0122a18f9f9a7347760268f2d6cc71ddfab09692

SHA512
80ead1a48ba8872d321c13b805febec6eaad622881f4cdccd77cf894ebc6035340ceba0ce2f9e8c3beff785805d9129d97e20b811b6f4a8475cf996f7ef70e31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e4fffdf1d68e38f97d66b703b522199b

SHA1
83001f8498a7ffd10a674372cbc043e9d92bac40

SHA256
6e0d3a007918e126da063ed511a50eb7de88605427f2dff1e29bd99c7f43afad

SHA512
07feda0c3a8fcb15803ceda735331685829a4f25ffedd9ba4357b424a4ee1f1df55623c540ffd03bfccc4693c65591296997261191e90f008212574f5b1e17ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fdd6f078c6d5f7719f8825d215eb9828

SHA1
fa771937b85ba6798d78158367b6c8f7a29958f8

SHA256
91cbb7a44ae089502b2075882ab4d89f01d029fadc565d9001ad4085cf1ca11f

SHA512
2fd2ff233f432fa4f1716f0e4e66a046f9acd5039c3b74f1935c0c685d55f87bde03b26b6fd89e753bb2344772a4fe3d817f41d783604430bf62424bf0bb9b51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d77001eff5d0eb6995144d9972adc680

SHA1
cbbcb2ae2feb6e17361bb848a79c0e4c637d8cb4

SHA256
aa257acc1a108facd1a1c61371fef4a92c47f712aeba658417315df2fe14638c

SHA512
4a35414cc9a2d88187258b727f3b01a3b4da92ac086a966763b640f39d3f352a13abd2aa05f8c7169e57d4d47bb6fc286d738469a334095826c64535bc9bcab6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9f05294b4f1f94f14aedbce403e1f5e7

SHA1
8c84cf0c2d1e278547bc3d7341c88aba493bf973

SHA256
796f5bc5e6da9fe63ebbbcc3c31cc22b5ee9b0db286dabad73948fae24006a9c

SHA512
6cb70514ea1ae51c640f8de05794602dfb05cbd4f57420cbfba59718546e76293ef5ffdf1c98744b0a524aae2bf85759f38f40490a938293bf1a1919ae7dfbe9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8d705243df6a582ac8a093ddb5c52731

SHA1
0804d313871fba155a70379f8cb15cc9aeefdc36

SHA256
e2307a11b60625950d035a3d269d9256c46b6d3805b23f16de1007d1d8da6968

SHA512
325d67cffe0fbe529e61ac442e0074d0787ad4246689a35b0ddab01fb35dcf4f92180992a2e7eb0845cc970985b9e865fddf9a25bb2f31efbd1b14489ce60b02

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4e83ef4f3c0c715e6101ef4632389104

SHA1
fd899370773bc15f0e3b8f0d3cd58fdc5fcf7ff9

SHA256
8ddda3a7b89fa1c4be9053022d6d644986ee3a02352314a338051e25dfc7a70d

SHA512
c85fa625d59588ab63ad17192b72d5bd00701eb6a1267404937227e14fb7750f4ff86cc800b949fe61e94e6039f0d5b39331a9510a4dd0cda276d1735239e704

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
67b16eefac8dee4914329ad66cb097d4

SHA1
26a900149516c7e3b6d3e6f975493a083b68016f

SHA256
699bf938f492e4ea86b55456461425b35668932a37dc41bf47c332a88ac6c0d7

SHA512
b47713c062889f8954b76115e2689eef8fca58c21c8fcd9831e430aafa75c472928d9deababdb5c04dfbd238f611071c85c6d8b1a107f93d8d4ffcd4446c10fb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
372c78ce032e806189a33852de31d12c

SHA1
5cf8d175a437e1bef1e1143dfc3fe91318abf2b5

SHA256
16ab57681fb8afa5f1a621ea58aca7439afc38262f5fde5544a78826b5027537

SHA512
655f6605302e8e5cc90696929c7fd4e5a1e74e2bceeeae7ace54d18b54fde7388ec1fa8c7539377c138efa5fa24893642842d7e13a2599152a5b558daba74d46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
61f08511a717705f1fc1e4fc43ae0842

SHA1
c5e1b53629c1f3055d2764c7bd8aaae80db8cfef

SHA256
b59b298ed3225e384c66c19e8c1b038f58ca7d1dc804dfe67d6edd3c77ba5443

SHA512
2bc31cc7a6329f7053ff4d0ef5ea61bfb76ae6b62ff88226bedcfbd3aa46804e1a78d08c41852d2c41345e18c8551d002189b18e73503644ea3af3148b756d28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
10aaf97dce1c4e8077ee4d009851364c

SHA1
2a7f068bb6a162118e81897e04c79756b7505002

SHA256
59fde063af3b99a039ef56c3f8ccdf2742c943041aa11de05a18d6affa38b1a9

SHA512
03fb283ef98080fc8c6489cfc8485278415fcdd1fcbb3937251bc626aec675e733a4c51ea91db12874a87c3f70c903f240db641fb1fbdf0926dedcbbe365777b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e189157a649202d0aa8c255295238454

SHA1
b30739cd84b1bc862bae5600dcfe5e84663e7669

SHA256
e8ba3aa87015d819b8031d962db16ff0eb261ff7247809c8fc7578579c0a302a

SHA512
f5252c72dba7aa59ea5da36e214272e78657969506e71fbf78e897511fc7bd64930823b18cdb0812fe1b6ee4b0430a79d291614e3f9a2eadddf0a16907cc7844

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
effd1bd3b69e5b3320a158fe73859695

SHA1
d2ba55f84f09f610b6533c5384c340d794d0bf96

SHA256
3ccfa97ebf084ac9c90da2caf483fc15b57ad24f871df4d02fcfa74756735c52

SHA512
e7dbbac71479592b355a29a4571da108aff6599c2d5fdc56528a699ef965967ae4dc0fe7bab76fe99d7537318714be1622081d1d6e779989aa2a62dcb8a07fe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1d4fca4ec6cc1f809839c0dd478121c4

SHA1
8fe00d376524002aa084dd556d4d57cf95ce6fae

SHA256
0aa8d136cd77fa87c2765f444a7c2dfecc71d44d10aa3e2d1021ba32ffabd21d

SHA512
10f0fc0044d371bfa2e135b9198fa06e43ee3e32c18276b8f35d80697e33c845d4a77268ad0766fcfcf1bf1d7a4b8b81fb4dee56865524dd8cfef13a4fa91a02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ccf94ecd07b082cd12fd5da40e4356f4

SHA1
d942ff85000b457a7744202f1db106a89a60074f

SHA256
e909950854e6ccd4ee74e2a728828a5dd39f102b906cb394dfe242786ef95eaf

SHA512
d1cc2147774af2d7d19aa0fcf6db9a4cabf060e07defd4527fb2dab32285502c6291c26b8116d8fbb039019ba1fa9f7d45c9bdebf29a839a74f109224aaaa52a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
17cd3928d5725e16fc2fd0659743ffd3

SHA1
cb55abd7f1ecc1dac88bc074248c95c96a58c38b

SHA256
411ad1a33379f11f9b6c31aa18eb53a039eaccbc8a85ec7217e61cbad6ee06cd

SHA512
2b0272fd7579b25bd6e95ec42f33a5a35ff2471beb1652e5f834b01705f0208ac53c43dcaad7219f9c2657fd58c83eca56b016790082b882da94dacc023209c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0fc2af8a1caa3b7204571fde206ab2a5

SHA1
3b3d66376b43cf549b5d246ba8e0119da132036e

SHA256
99bce33687ee69cbc833b95a91f7a57199312f85821a15434b491d7cf04eaa83

SHA512
da57784602e81540711ccb8a7f190f4b9fe23df507525aeb4ee605c1312e1c575b47c8b3a0af50becd80a5b6c0f153b380c0e715c1231aef97ca26060409f88d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1b145ae442c3e6902cd3ddf1adf1fa42

SHA1
c03b15d64c06c2db8e751e6e36c21c29ce1fc0ff

SHA256
5eb3cf1713b6a20baf58ca990bee7ab8f8d5661b41220f78d4cfc0b8f97f159a

SHA512
6eec2fbc95d461a6df047973252061af118dffca96e21f2ea441bf0a28bf3f8cd7ae06853e6a0036f820069e44520c58e28c9dd4baa67b744f2e1b6098f820eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2259169f22b0c4e8a9f76ca01922c503

SHA1
17b2a936afb38d4a85c4c84e02aab4dd6d648a28

SHA256
6e3b330be5479d236fba0d191cef1af0a24ec70a1216aa3fedf4ee41c38c2ade

SHA512
ea16d98c86f210b9db4f315b18ee681ec875dc98dff712532800b4f0a8109e1bcf73130a061e91fde16ef78f1a2fd97bd4dca3643d775841726a03e54715692f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
858bf2e145b9e39cab1cab87838ad0ab

SHA1
6d4b21f54bd6e1474f492c3da52e83707da1164c

SHA256
3d41ba59609f25f92120986f58594f4f38ec9f8030c95b736b292a30a90cd441

SHA512
ef26cb81910411b02e0af5daf13369759234c45a8ae385f05ef07445981835181c00e2d2b52d83b2354ee957d63918ffba36eb5c18fcb660bfc290996f37786b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f1740621ef4d3b3401ec67c0e669b3d9

SHA1
b18bdbe347e058f932b998686abdf40ffa8c6424

SHA256
ad004bebc9e90973b872a53b1089d69b4b8bb4cedc4684c9f66f3d607894a8b2

SHA512
6c90e92ba8d758b3022c379dcb823a5a29d7a3c376cf01a45c60c16b7db54f70716d2e90cfaf1f585171b57ec25c3f9c610fb28db0df612035df6bdc37e040da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5232c0a579e02df5ebe611e72761577e

SHA1
0cc01a11e02d9ab267c69069d3e4b6d0d758e4f2

SHA256
543c0f5ef50364b6ccc87bfef2ca5aa62548c3a37a0f57a762e2293a9cb064c9

SHA512
b78add6afa7110c53e0522f2fc906689cb591a2957e0b9f83c5ef1588685f7142b7e5bad7b36b09fe37b0bb786c8ebf4914f7e050e0e07017799429b0c20516a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f5b61f14bb4e7462239e1b7b6eb9e0be

SHA1
19e1807bd124b791c89567998333b1d456dda41d

SHA256
c5cef60003d7b50455421b956d50e72051e47577f102510211a466c16e561f5d

SHA512
310641d34350557d69707ebe1137decc5caba24ed354fd2289d2236e1862fa2f23a788b844c71729d45f26e323d331e1a2b1b5fd25b2a0dc7706da778a594a9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8594ebb377e5ca951349f560ff705bcc

SHA1
e4f879db3469043b07021abded4209bdfa57a8c6

SHA256
9a1b00b389159ebd8cdeb6f427af313f1d921711205b6b2ed18f52f9fae25478

SHA512
6a753dc51a1b4a5fc8296a0de0e7ccad073f76504828a2496c9797669de43644afd1bbd689edb3506b5bfe4406a27941aaf96b9a8bbeb4e2d45be865953d4da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9aaa0407a883afc661c59344b050720a

SHA1
db3d4df1f24d9550498fa7706d0417ef0ed373b4

SHA256
892535f16b990d65a2c7343e292296a42ca1aa03e1ada1488d821bac4e042a05

SHA512
85d93e07af531f56405012733d3127cfe0e98fccbeae408b471c405ec3d324cfc742e7c4e83ee10ec5f8df3c290074b93484c601e2adc97dd723f97141b9f379

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
37caf18ec3b03d3d9357bf87e778dab8

SHA1
be43b9f76ea34b059d0e80a5b03d4d4188b50093

SHA256
79a72e61039f5ac6d2e79b06b227ae372853159101a137b8eeb9b7aad9549d99

SHA512
85f5d50b83ebce14edf4eb882c64564e0515619e609eb68c9ed19adba6895031db38a7bb31d228bc5c63aad23567db27abea97d7b87609d60b8049153b32cf20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f87b7f59461b20b8f6aeb6f2f02d5191

SHA1
19a33770ba911a967e24678d9e001efa6ec1aa6b

SHA256
73c3cbfa79f62625dcbaebb2aa292c2fde64ece5fca0fbc9f3864839c96677d2

SHA512
8041b1e8faba72405b121f8e444202b8447a4e91575b9a97bc69b9e32740338fa2be3608d818812af0910a1d32feea99eb35828ae05ee4f190252300eda1e97b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
72a560a2b891b12106bc2aedf214fe8e

SHA1
51595dd1b678738ca988b9c18fdf2b2733c921cd

SHA256
b8a4a33187f6abdc9b6155efd277ea912494aa51e36a85b13ddc787f2984cc4c

SHA512
17312d39c2daa04e95892d422d3035c49a7aafa93a8cc1009fb66e840bd38501b7594020452ee6f0842d111a82ec9858fd0934e5e2558fe2d13785b457d1cdda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
41dc4b6724ec65ff3e69e05871883d17

SHA1
ac36475f903228527d612989989c41847a418d72

SHA256
e80f34ba8005a011def12b7c9566fe0c12a6b22847d41b78e67084c2cb30673d

SHA512
eae11e12680d78684a7b948994bc0f70e6c7e085a92322ef6bdb87e3cd47b61ae1fd7e4072dd6ee905d56b61be580e5cdb3e90915590216c4bfec76e17b13016

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
0b1664ffa49d088762861ca2c9894bdf

SHA1
8a9a5e6571d9f1609d96de58db2a309722a8ad02

SHA256
6e12323bbc8c4667351f0a6c0229741a4e95edcc2c71189d35df816a887f1c6a

SHA512
f8238b20792746fb927d4ff10fa70b3c7bc9f8c3f73dbdde6ae8e906d9d981628c8e2ad39f5d8cfdff6ddc8e013462cda7b66c72514dbe958d23b56f73f9fdcd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b30cd028b890f1fcd747e362139d0df8

SHA1
bfd2be80d1e78afcb0f6c7fd716de3ea536769ef

SHA256
4d95be28875335749034949a2b67c202f1c19a543c28c394370b1e88112d8d85

SHA512
3661db31af7a4aabd6101c0d934ee4667b33ee3033afd78fc628144628ac63acf43a46d1dc717e7c8419a92843e393e1a976ef5acc91e7c3cc860fddb01862aa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
26aa9ff1408acb1dc119777fa3b4f62d

SHA1
e23c80959810a6fc18781bc3c69bf8843e2a2ec8

SHA256
fdb9d05c4a196c58619f79bd1d058abc65e7261e167f6616b54d33e72875ae8e

SHA512
b7e40944f685443ab95b46065b0ab28b0c929a31d423bb33b627b4772996e157d34f2e57bece2480fd205480698dca999a64ef88b19a9f405f4691de8c270ba2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3ac67f247b3533f55c3b7f93f8d18540

SHA1
f54fcee31a4bab9945942d521f10a52b19da2478

SHA256
0ab4c60d36a4a36b668f479d7f0c1c8c36ec021821721ed37213a1b546167410

SHA512
a7399eefa3c271c86a11f0e5e9ef5f251744a885ac370c596993fdc37ab960c63c9df1ce69bd4fb27761fb4846a7c7fdb8cfab7008fb8ed41bd8eb39b117283f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56810413d22dbd6fd935e4638a25bcbf

SHA1
565537b5bb4a4252aeb1a625870d6f3b35136a4a

SHA256
2de33b3995b4b9468c47a9d919faf81cb5c0c742813502120a98c08d1873f695

SHA512
9d8adc208c2966ad4d30a1886b5c33375a5ff07ff87a42b66c4e3f3bd4c6e8f014c5600659e5c0d8ce8e54aa036ee7fb3601410a6829ccb3a7e3e30d24f2ae53

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
aa5f17262465d087d1041abce85e6dd3

SHA1
5639391d69713491634c648c4efd946339dab7f1

SHA256
5311d9d8fd66f155c68a50aa9ad6e3c7cfbd6f4d145a66f5650c00d0cce4dd67

SHA512
a4744bceef565410dc56574e50f848851885da7b3e3e82426c6158812703bd4e1232822df0a1eaa941dcc11d96341f59c6419f92a1dd1284e76be6255f92f69a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30abc686154930b69e2d13475664b656

SHA1
1be28092af9e91969a769eacda46d4350c2f3692

SHA256
322527a07b2bff3f079a1d72249163b8f08673317f0a176b8a0145f61a99562e

SHA512
c3e476ee348f3c41a9461a1dad0790217ea610c946446cf534a5d01924415d70e1728be79adf88e7d55cc1814663c693192ef2884e408dd562b238ec04b78306

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c53c08d162e61aa9df09a8d3a63cd150

SHA1
7d3c13ef4c63d4473a83ead48fc5b205f1283e91

SHA256
b864cbf6a9852f37657fb7d1025aa4fc406d01492a5014949009dd6a418c3c87

SHA512
04d357075ab6ebfef8847f460038ff6cd01669697bee2977fcf6675689fdd5f3b7039af17317351080215e4323f0d7d550c10b07cb6850cda8f97ddd37f03bff

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
66327fd6796a3435cb5beb34b6540a59

SHA1
5ddd62a5cdf9d6214f926e0abd2e61b06df12dcd

SHA256
a2e3b740acc08a309d6a84cc41bde3cb47312388e28af0aed02ca15bf8c07259

SHA512
6d40ef29d9bff2f9a563ded3ba09b0d508bbc7b1a09943c73bb60c3e08cb8ed037f97370679bac350da2bef7c87e71ec58afde5a69eec6235b25608a3fd05f5d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6d8ff85a8ab8046c0a58c06a0f56af8f

SHA1
472771e90e65530b3a988f7cc0e24871286a96c3

SHA256
78ce6df535db81d2d644df308e461cac572946bd264e920194dcac59e150bec2

SHA512
283fe11eb3987125716bee2ec8ab75a0a5294bea318c2ed6f2422d1a10d3dc26d6813c875fe128e628c415a7b4d8035a57ff24e53c48db20e7e29a0e5d2b7818

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6dfe37e237d822d1e251417647def25e

SHA1
ab88a9c03c65bdc0ba7a043f6005d983734226c7

SHA256
54f4835c92367cbb2a609d3404a6bdf8fa5932146040dab2085043f5c0ab87e1

SHA512
e30b6b907d3229ffbb59eca5828eeb5e2f0f5af06bbf83abf1c0ec915750b3d0a78c323015364b8054fdce66b3cf79edd3f6d930f43001cae6586724c7b4e7bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f5e08e8ba8f5b908a1ab0e92d983efa

SHA1
51a8f92a7fe9bbdbf7e756aacfc801ab5afef307

SHA256
ed253a9076d2b5c0106fa96927216708831cf94fb0d8018721cba3d73bf4a245

SHA512
d52d91b501e6060c7b5e7cac30a31abc168ca01f944df3a95f70bd9ccbe6cbb8f766c9e60300a566fe2408bec53bfa479b2e92eae2668a6fc8ace42eb3b8e2b2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
66f264bcd9a7be6277aa9b4921cdb444

SHA1
5e403db8666cb92b1a054cd69d3224d843827de8

SHA256
6c5a513d7f0b0c6c168051c624f09eae7bd8d6a078f4dce938e420c031bab7fe

SHA512
4ae259a1d88525eec0f1e6f2401464c8e74feaaa78d3d83d1367955f540c26c4c5cb59edd94f442f90da9edc408baeda9414f0d7b10f0876b666961909de4965

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
243486e2b8a55bf9cbd51b8ef2f4edc7

SHA1
3d6a4be76abbee5b3296f3a53e36b4eba7127371

SHA256
4e693cd3acbc103a8b574ec731db302bb2ce179acd6505bab9ea4c9e37302f99

SHA512
c93c3ed4ce49060456a7aa3f37c01418b28daae99bb9426531d848bcdfce75ee5ed7ed945f458c219c15dc5b31d50723dc2a7737bf578156cad44c200c4cd19e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d6c2426038e4ac850952e7773aca8d6b

SHA1
0bfd8089adb814d5604325bb765162f15484a600

SHA256
07c263755e2eba72e406d6626d9f63e6b8e04640ef6bcf5c0c51e288bdd82bf2

SHA512
a06fa3e61567f9a5499f4ac08dce0563ae6291cffc42abe58309a58f4fa67013896431a06f4bbe8379bfc8fd045d94b9c64c3fc9c3792e24d7279c91c0e69ab8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9c8a97101d164fff597c97030bc243b3

SHA1
ac7ebc65d03dc54895dee665f566731831978958

SHA256
d0f8c90d662a9348657c6579903ee121946dd36a0e56830daa955b9360adba09

SHA512
f826d213d2f1ef6da5483af46aacf6be456d77f72e8a88db4cd1b9ec2eea5725dce77049e699067e140212a815c6f82829e15e2c4d2da7d6ab29b92506502297

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
69f0a1afeead00e903dd68881e701a5e

SHA1
49afd03685c30daf3908331ca94ccee53fa1c777

SHA256
1acb36abac46ec112ea4d530114b20bba584a6b8a57b735383607fcf08d0002c

SHA512
60f3f360abbc33e5d5875f016f078ca19211395a9e606ce52a65403fba086d16e3c0ad55d7769550b660dc5de7f0dc7edaf2f1729359a5de243d4654711eb548

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
85dad68a2cccabff73ec9adc3d1f12ba

SHA1
45725c3d8f609771662db30d76274bf790154c28

SHA256
f80989bafd80ccddb494f11eaef22f6cb080d990c1436a0ef6f65bffcaaf6799

SHA512
2be445d9dc9a6aee58a6d2ec8196b46ae06bd889c348fe960f5c1f64e73e237701b62a31768eb645c18a1fcc04007e307b2b624cae3d38ab774159a29e052032

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
91ad73271b7eb99ec22f29a4ab15d94d

SHA1
487038eb29d47613b1716f1f0f57dbd531454eaa

SHA256
be084e044d8508401972286ee8896581f44dd9115ad9324450f9feda6eea1b05

SHA512
0c96bc7bcd9eee0ccab00bef432a220aa6eb239494c4fbe94f745d31074ca5758a9e7ef939dc29c1495874815b665aa84f0f01bbbdb8191fb3a12882fc35fcab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8ea0ff35e5a3677ccaab0e8487c7e015

SHA1
e025e012f921c40bfbc1fb59721ec1a37daed377

SHA256
8839973ca05a787a6257644f26d7aed545b14c0ccc941afbd25f96074d6f7ef7

SHA512
100528083b57ac68839b4494fe18f56ad6338777b612c4436946a41712d095a391046d20171182ef50de9efc42e9e0eae0e8fc10beeeae9869d8912acf04da5d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
edd867e94b5363177527dbd406753ac2

SHA1
2e3b188cc92800097c9cb2f40d4cdc53b3fdde4e

SHA256
51863c2b08e1587a3eb1c9fe6cebed5a6c59af3f57d6281617a68964e82e3703

SHA512
22fd8e3635f511f736f16475b1af67be2899fcdc4581c9acea3a1485416eb5047db50eceaebb6276a44044b3cce8b1cc8c135a5ae3ecbfb10fcf36331e925324

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9e80e81e3bf40b59681e7fc454210fa3

SHA1
111ab3373b395f70004c363f86a9388ac8f34588

SHA256
85f1e7ec2dbcdf8c70315bcc3251eb7bef28597989ae1ebfe574c0d7e15b8dcd

SHA512
fd7d56e0503bb570a14131e74236020fc31dcc3102c85fe2bcff6707f2e7b60fb4c2e4e537fbbae7757e77513d0e6674ef8161cd671586f990168d2caf09f27f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b51c02bf7e9191e31b97f07defcf3e7e

SHA1
f26dff417669fb37147cadca54f80a94cb972542

SHA256
4e3e168e3b4eb5344676537faaeba0759d0db20e8a336af99f5a39d7cb654b47

SHA512
e0575456bff12dae3393f3c506c9f0042fc9bf350164c17f39dd229062afcc920f84d46d08d00a894c0a9590dc554539b274169bdcd6865741903098e74184a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8e61708ad8d1e6200a1ceff3f550d239

SHA1
7a6b95c1a4707258b1f02a53a2dc0034c441f51c

SHA256
bccf9256b4aee7ef6114197442c345f2676022622cd992d2ac375d9c74d12741

SHA512
47bd5358d964073d68980e3944bb22b6b29b3741296ea329a159ff75e147d5aded51e02cec8588ae665066920aea47cc8f8e76cb6d55391263a010f9f1ae3db6

Download Submit
memory/736-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/736-624-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1188-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1188-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1188-45-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1188-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1188-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1252-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1252-90-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1252-1-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/1252-483-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/1252-482-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1252-9-0x00000000021D0000-0x0000000002230000-memory.dmp

Filesize
384KB

Download
memory/1380-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1380-572-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1908-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1908-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1908-56-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1908-50-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2476-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2476-629-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2540-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2540-269-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2836-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2836-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2840-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2840-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2840-104-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2840-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2876-631-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2876-271-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3136-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3136-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3196-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3196-257-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3204-625-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3204-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3372-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3372-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3500-474-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3832-195-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3832-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3832-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3832-73-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3968-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3968-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3968-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3968-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3968-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3988-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4280-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4280-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4672-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4672-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4672-92-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4720-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4720-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4720-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4720-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4720-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4904-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4904-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5036-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download