3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef

Analysis

max time kernel
103s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
Size

1.2MB
MD5

5130074b497e8f56235ad2b0dfe64e90
SHA1

b1693ece6d056a05361d30a29c2ad2fb90a7584b
SHA256

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef
SHA512

aeb57fe22dcae9c1d679c5fac48de4da6c6a236029c4dc1a987fa79a154d55b66019374db52530a86c3cb0b6a8d9b3db21711d3d30c678c61f3905ee44bc9d91
SSDEEP

12288:Rcz2DWUfaZTWuKTY0eBgob0gEE64ZKAQmaZ/W3Ig8CidwRisW:az2DWWUTWuKk0fob0gEEVFQmic8WU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1832	alg.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
1000	fxssvc.exe
2756	elevation_service.exe
4708	elevation_service.exe
5116	maintenanceservice.exe
2328	msdtc.exe
4140	OSE.EXE
4596	PerceptionSimulationService.exe
2052	perfhost.exe
4444	locator.exe
4048	SensorDataService.exe
4484	snmptrap.exe
1464	spectrum.exe
4128	ssh-agent.exe
4512	TieringEngineService.exe
1424	AgentService.exe
2340	vds.exe
2376	vssvc.exe
3756	wbengine.exe
3732	WmiApSrv.exe
1888	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\418636594bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004531aa0e67cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a91abc1267cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b338b0e67cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047454d0e67cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b07ba1267cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b60f460e67cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b10650e67cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d70670e67cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000894e521367cbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe
2344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2832	3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
Token: SeAuditPrivilege	1000	fxssvc.exe
Token: SeRestorePrivilege	4512	TieringEngineService.exe
Token: SeManageVolumePrivilege	4512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1424	AgentService.exe
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: SeBackupPrivilege	3756	wbengine.exe
Token: SeRestorePrivilege	3756	wbengine.exe
Token: SeSecurityPrivilege	3756	wbengine.exe
Token: 33	1888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1888	SearchIndexer.exe
Token: SeDebugPrivilege	1832	alg.exe
Token: SeDebugPrivilege	1832	alg.exe
Token: SeDebugPrivilege	1832	alg.exe
Token: SeDebugPrivilege	2344	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1888 wrote to memory of 3208	1888	SearchIndexer.exe	SearchProtocolHost.exe
PID 1888 wrote to memory of 3208	1888	SearchIndexer.exe	SearchProtocolHost.exe
PID 1888 wrote to memory of 940	1888	SearchIndexer.exe	SearchFilterHost.exe
PID 1888 wrote to memory of 940	1888	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3221f28db567673b22f6858379ae5bf7e6d63302e0000d62153ba25552cca0ef_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4808

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2328

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3208

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ddc3a979ab0fccb4ef6e32931273478e

SHA1
ffc9aca367d20a173b1b94935258796b76b0f3ed

SHA256
c5994b857998951bc6bd0e3ac27a867d44401f7270e8532b60b9e09865b0fd28

SHA512
ac6dbfa5cda0c33434e867279d5b74b37ca146584bd9817068d9e9d2f9157bfb8e7a5439d26d3beeb69fbe8791645c66ca6aaed89fce861b1f02a1a57ee9b562

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
929b76c4725a7bff4ae1ad0b83752957

SHA1
3bac299e4fa2c596f1da5af51219d0c2047eb566

SHA256
4d6225e337e308fd59848a5e145b2c9459f1b393584e882cefb9e37cd84e1816

SHA512
184928afb9ea14ad76a7542a759fa564bf1736901c25898b9adbd104b715447bea99a174f1ce7958e0008569c669d0cf4311d7387a5645e77c96bcbbbb6e90ca

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
5feab2248b5b5c9232f9c7849fa4b984

SHA1
80cd66584f5a4623219462477a6582ed49890597

SHA256
77e1e5764a81af593820b940f43ba2ab566ac1ec7a762a24392d7ae5aafac525

SHA512
4240dd2c411008d0ef33d153a50c4e461a3dc1cbaa871ac56b05c7e568409740b5cdb015adf2575d256519ad8fc30c226e4998754d9d52a395db4bcd642581a3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ede465e9b9c6f9fd17d361d83fdade21

SHA1
f649cc334ded51aa32e46484cfc8a5b41125ab6b

SHA256
36ae15f4a035733b219b6937c64fc49b0f3be05f5220e1f3fa1d710744abf9a8

SHA512
d98badcf8d5b33cc3af28f2fe13963c09e12a53fe9aa14aaf33113013d424148223ac75b07725d1635540ed9dae1c69e08ea1c9beb4b08591d65be6563a17c10

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
41f4074aafbc2f006e6a4e3cfe0c89a3

SHA1
cb3f5786c20fee0da1511a7b5d3621861f0f5e42

SHA256
ad4019f765f6b9f803fa1089d95d10ad5af9045f06d9de9ce1bc6b3d097d216c

SHA512
d89fdf9fa09189b5e493e1e3daca34c264bc0babbb1dd7ec5b27515940990dcdd3b888fe58cb531dc8e2bdccbe5492ff47e00a5eb6ecb7d22923780d00f357ea

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
ac2e73d1bcec03118be17b82be398f1f

SHA1
b904d42a8cdf7b9e354224fdec4fc204a0915b16

SHA256
2ddc4d332b611b413c276449f2fba8e339612c002d12ac9447d2df2b6cab489d

SHA512
6f76227319dd94e306204b4361d99b007ad7f7315809444087f768750661edcfb0c7d8267cd3f23b9b82f7b6c7a641058615aa086df6873c57f2a6179e7c59f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
5e8eb731f29e36530fd84b95fbc37616

SHA1
c369a380c3c00a3889ce08717697cafd6a702830

SHA256
9aae6c89b7f6d362cae2814692305439ee5394bac2f0de293b6463c5e7e651c7

SHA512
e37d0614eef317dc333e4909043c5d86aa3f5bf21cf78cf9c6e17bb7b3837f9699ed8547e9d1b137568ffb5ed51f2766722c9b63f3d9e07998ae82db5c815f24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
fb073a3f7a230e78cbcee6a04e1ebefc

SHA1
452221560d0ea4410dd028f59ff43d2182a6e066

SHA256
6bc5b7c306faece7af6b2676ffa44b6c25af4fe093d4dac674d56dbad7011d61

SHA512
9703aa1ce9e4b5e56d6f23d4382d921b68e84a1d5dd65c8586f59e5008768b909e32504d0b54b668885919058b74055895e49f53699316037bfafcd80749abd1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
98148e66cbed9b9e2c63f505362bf2e5

SHA1
599dc89798e8219d9b945c55c8fd348b716ecd17

SHA256
f4295a2a9e8cfd0402704e8472df5ce66c95e4d8e5d3afd92c1bf99d1ea9687e

SHA512
549cfc650e674cd527ecd0d7ef96afe952e1a0cf7fd8b3a386425616fda4d0bc20452c41473e39d6c2208b4587ff577d049a1dd01eadfa505811f4b1c1389724

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8b8c94b38c7a308aab3c5a614990f066

SHA1
6ce29eba74a1862271939291b1a5c34dac32188c

SHA256
a557b95864fb2961ed89be0c56768dfbd19feae88aaa6de8e4f525f6452365be

SHA512
3952339674c04254e3f646f3ae0b80ee397decc3d51ab589327cd63e7c909b554e4ad395a8d3ca23f5702d08836867cf8de2283f0abbce5f5ab2583a290ae7fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
acb823ae43528c336e42b6973d53db89

SHA1
a4bff60d8313ac9fc1c3b996b2db0ec3252444c9

SHA256
604b34c5bc196ead984190f12d8756f9d8f423b5e425d1abc459dc938bf9b88d

SHA512
b855f58bd797ef55afd7254beb246a3d86c36ff094dda0d364eac7695247a1972a83c7f4de2950b70dbe6c17851608a3e615a918035e8b66a52faa7c06516ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
dd3e3d7d4dd8aee75e0a94f9a127b013

SHA1
69eeccd6238c1b0a1f617c548b51e9793619f8e4

SHA256
0f7f0b6c1fc1c15993030b37c58394686f55d2b8be4f652c3f08b75152d9914d

SHA512
ebc67708f2c83422a74306658ae1e3e9c002efce1418742ba53a901f880f088c8143741db69db0b3ad8fd379b7af7ff01784b08034968c9cf19d82802e4d6a9e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
5f34c2d0947a6f19e5c76e244ddb26aa

SHA1
44c6e3ae9299ec88907ccadfad824f810e3e586c

SHA256
c834a28ec7b719410dd1f1c729bb4be71b9076f1943032abb541b43dab3983df

SHA512
c4af053a7602a05b8da897e80ba3a6299433358040b74ede8b73221b76b58f326a3504cd662e81d4be7f974b44c26d9061a29d3aa6338cba6a4d3d40ae9be073

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
25d91d09275a006b452179216ebf30ce

SHA1
5027962925f256dc34b938a76995346be66093f0

SHA256
30068744be1d3f7516ca4cb61027261d8d160838b67f5e9b9fd7fa4aeb2ce260

SHA512
15249470bcb4ecbec13fe129072d285f6c263e3d646daaa2a0d6f96bb2344243d74fab9d9bf561b453104f471ccf8eda2a4676afc899cd86875e920ecaaf9351

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
fea63c560da3b188ffc5db795f9432a2

SHA1
9316bba63d5b13326c1d11ca096fa80c626625ab

SHA256
287eb3c5258fc2246aa4304edf7754b3055bef4563cb328fa53a53fbe8f7e6b0

SHA512
1b924866e051332b6d8322df1ad09066b0cf7bb332f14f6232fc298257aa83126e867b64fbbaf7ec7e09e300cdc4f9ca0a3c3c9291774507ef12ec86e6eeb4d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
e7c19437e72010ccdbc789bcf4dadba9

SHA1
80f465d6b57a07e496a726f5de32fcc8a8c3730e

SHA256
3e83d32ae5fe8b49dbdfdcb074f98cf6a46af9163565eb358333039ddb7408e0

SHA512
df5b77437750d6915f52c4ddf9f2162f339e7198f4977da92c358d2d049b0e35c91e638332727436f7513374199d84971980d066a7dc4f1b975ca9316477128e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
288d67662ce6c607faa7700e3f013d05

SHA1
7fd4cb281cf1a65bb9b6096da441a7b24e5c0885

SHA256
3867dd55e6db551bea600a0fce18b03d8ed2648350a81cc0519251432c2ebf3d

SHA512
13ca3567244a537189dffdc7cf5faa410d8ebc7824ba5a55cb59c1baf674aa32182b7aa62ec7b453e5d4205329edda0a2361dfba641b29c6d0b7712403ab53f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
90f54f6a7f7ddb8d6db273dd3f43a9be

SHA1
09262b2eac8af88b433931a1e6fbb6df589e833b

SHA256
684b23d650664cb2c526806afc16cf05ae42f982e1438762078d26a5e8b59576

SHA512
1f17ea01f6c885f416624f7c14bb8add0c49232fd5780dae9ac93ecb6f025c91e2112c513f8bf7f63a729d3c07447dd5db94f78566a7cd033ebdc0411cc68334

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
b6cba38d488fa34a1b5b48f6f7605ba0

SHA1
3da3461c8bff7fb9a6026f8944bce2d5a315aff0

SHA256
a6de309f867440eb4e83767f0712f1c8a4a6eb4f4de41a3feda23f1d4eefa447

SHA512
fae256eb5e111ea975468753b7a3f9d2b3c96b51c6e53f5897c97f6421440029d5cd2a3d80f9e916daf43862985104a1bae3bac884f26e9da3fb498deafad353

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
484b1d54d183d5619ba9eda69e6f7b71

SHA1
2fa24723412198163a6ce204b41646f340224ec9

SHA256
3d9f62ed79c5bfd9e481db3512416bdca655fa6a16e19c992b16643f08997cf4

SHA512
b93a300f1a22810791dcf569f933ebf08df92bc484ac192e681d34c52ff0248893ce67fa244cd70a48d7eb176fde559603fd7567bf01f2b5f64443e8773a3323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
d7f656d81b3e193e1c04084f78bb4efe

SHA1
e7f32f4e5d7d8ffb1f010a0d4ac5e2a39586108a

SHA256
1658b88d887a22a8786a19c9741b7c546ef0983a53a84e1cdc564b5423eba291

SHA512
4378baa2fadf109500cc0d634eefdf120100368970e8b5e95777f3bc4e9abeb16043c65254e9f1aa2b3052060261c314ad05d83a1790efc6bb0bd5c44585d7b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
2544aa2df63ca7a46020ed4c7049b255

SHA1
9ad7ca0124ac3fce05a0eadc37dc72a2d5501e97

SHA256
5d54c4794e13d166a85fe5e394d5c09ee263509039e96a0d3fefc2feaf3f50a1

SHA512
0bd509cbfe5344a63a69e8e79a9ee050b1d433d64feaf48961144ed4e9d2bb3898b7ceef22a7efab91b71b64bb10cebeec0a384a9d40ff744a95d2a48f38208e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
995c35b1b6d6c407d70b6aab3a177953

SHA1
b00efb33e619bffd723d3b769d64e1c27221f9c1

SHA256
899ff4e45369d2fcf4cd688dbc2dda66e9115702d343421d52920df2108a5508

SHA512
56d17d2301dc46694dd184ddda1ab1f50fc60aeb8ddd0b12e1430a671c1a126b925d1dd5009d7e889732742ec0c8189416584c8c36d31077e3f769e7159b9bd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
5776c084925d2df7853b570b5b95a9a0

SHA1
1aa96b930d98c4d7c7451e6999d3537f5460b95c

SHA256
badc234ebb862491b44b9c647f762dcc84387fa65e9dec4fe1707cce72aff647

SHA512
88a2641123e75036538360fed89ec8f3334897e49d6ce2427766939413da60e01cf2dfd2e5991e08aeafd2c2ca8c9ff391df76c8e78846911fcd994c81d58fd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
65bce7f8467b9374b4d628084644aca6

SHA1
0612a7534e369b947ae480758b5eb16fbd3ae87a

SHA256
76a6fd960b00e6df8032035cf55fd739efe8708bceb5f961bace23087f0400af

SHA512
5c37eebb216b59a29998962539f196f9954a3a013f1a31dd0bf798ee2aa0894efcc5be0e023dc4c4edd9a47cd5445b5f3910d3ce4772be1da83e123896180603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
8765aef6c2852e563c8a6326e4c22926

SHA1
4a0d12490feb85930c73a2b14fba58d493e2d283

SHA256
4b42d775179f80025231bc78d63b80b9a14fa0a1834ed46d8f7ebb60e976fd6c

SHA512
5293b5066102ce0a7cc376234ced59286b839bd86693c3f4630961cbc8c5d78e30ac724acc4e3be18be4270811decb7c948c53276863a82545fe8cab930d35cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
9b4ab5bc5a53d8066cdc4f2e0a296497

SHA1
b4654b4f521dbac1f0d6e302d9d868fb63f0b3b5

SHA256
bed57857891bf77a0e06d325129e332c64361f4c7d648194471a3a8e7dd5fb39

SHA512
68b0152aef4e0dcd85fa99667beac1963d814733b4c3426bd6122f5fb9aeed606266207bc16ad4035b8b57b5f1de9a008306b71ff4be3b86ffe305c7b9be91a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
9e1cf549ff2dd7665783df495d001ca7

SHA1
8798461aff1682b02142bd5c3e79cd3f4aadf914

SHA256
ee49c59f6bd64eb7a7d134166604436507c2d4e618ae7cef693c95da655b27f0

SHA512
aab3d3f94763f3b8f153b6e3a03574b5898f19031a4fb3260e920ae0f43aecbec7dbe1ffe0f9b45ad3866a64c3dddb685f2d4d34f5baecb74b26a464f1343aea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
4f1729310a3d6aa72a4de55bd4b7c5d0

SHA1
bc95fbc83586aca278f0270df88189c119d97c1d

SHA256
9ab874d55ab9b74b1af5889f7d7837281fafbbfc080826858e9d2bb850426652

SHA512
859d7c9839a5e4417cc989dca19b6afb171e2222ece562179d04b2bc37289a9456c629392f54279fd1efa7b3ff49f296655a837fe2b9c33a6a41a44e12ef48a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
a59fb8b2fe0f3f121e848a16af8cd131

SHA1
c6710d15adcec25a1cffefc1c296d21bbef6eacb

SHA256
04d051b1218184e00e2545253e7890ffc962f8b87e616907bb2ae9363c915de1

SHA512
dac022e92e48c459bc4d747b955ce41e0f496a75bedcc07a20bd665e8cd02bcdcc37f08f5df33e184ef7f06dd0778d7fb19a41c979b5efcbd3ba7b9b673a8a8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
7c6167dc5063d26e3e3a4e1d1c65b698

SHA1
d957fb686fc52aae57e442dcac8845a7f6aae6d9

SHA256
2f280776dc93796d16883aa0e0d31834b39bfdaa1d3be6ec89bfc6248a065810

SHA512
8f2f2cee3944c8d3aece105b9a3848d7b90422b93f3269f41a7903625b0e524c01688a2ca9716172dd334a764848fdb3cf5ec652004fb89c21a30a22691b5b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
c6cbfaa8077f23c9036d50c0e3863500

SHA1
ec250fbed62cebe32706fe51d49af9b29c221256

SHA256
92cb0083ab2919d5b982a92e44a2fac75788031962e9b80906a7724ae8651a6f

SHA512
10316448cdaada21302c802561e0bce3e35301b4da867dc784054c9baa0d4e336d9f6704d3ba298c19e613f0d46c54e01381ae057ed04447b7839437287f6f73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
a5ccb785d150b0eea60bfeb96cca05b2

SHA1
92a8596080673de4423f0766659ed3a5a706ef11

SHA256
1295f7bce7e72ab83274a8e3df575453c188747edf04ad0ad1e322c9d898455e

SHA512
09c518586f7bb6769f3d83a849357b9e9f09a6b71b66016e225d0cafe846c52264712267c583221ab8ef699d51f8655652c6763f8b7155b5790278f99a969452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
83af1dfc0bef7f07c0ca3957feb023eb

SHA1
805392251ecb3fbd6173ce78e7b2922f9f2495d3

SHA256
255eb9b720b6a8b52b60b4e8a6d58119f76294f3cd1f9b4c6db0274e28e2fded

SHA512
efdab972fb8fa5f137dd7a2eec5e806261093ec4190602b4f63812ce95e91816ded18c368dd476640bd91f7a0d0604398eef4e949398d536909879c9d0078849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
d1831e567a94ea79729e160d91c3390f

SHA1
f32c16afec782ad742fd24426393f7222a8f6428

SHA256
ccfd55a62bba18777505dad62476200cef4e82d350b31c668ef32594e9944887

SHA512
2435bdf3e56a44886ffce1ef43964a08272c25f5b31ca24d51ec3e25a85f7c4c2815b41e94b7de3bfcca7580ca144d0b0b2e1385dcce9e14fc9626b9957fa363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
3b091605b1589c4b2a62fcca2cb35843

SHA1
78f218d9566fbc30698fc5b174642e2382e59e61

SHA256
0064da9e2162e355b3dabe5bdd4234f5fd22c8788efff895a850d6304238b4e6

SHA512
6759297bacabccd2cec10aba7ea70f036ffe8a97d555cdc017481b7b2cde06f10b1d0cdd0b7591183d8b4403021d8e0ded1e4780e823e0ede82fd251990013a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
de34dde33118e731b9d8ebe59ce9e3d9

SHA1
dd96bbf4f698b275dc89edbc704d0c346de8372e

SHA256
312541fa1fb61f4c2114057060ab2154b76f0d25bb9aa8fba2ebc3a2c9e61081

SHA512
543a48c577d8653818ffd3bf3950039996b304c4c66b3095e6eea3ec34c669c78329bebf0e32bf4ead3a48410f60654306c0bcb60954643c4c248b61fffb3cf8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
b4961f56798b15260fb279c21b3d25ac

SHA1
ea3a9d5bbb3a3788b21a3de180fde3a5cc3a85d2

SHA256
7174978d91aaf1d37939f04e301b17586ce01fa0666fda2aa1f830b4480e1f56

SHA512
16a3ee5e5783d364333b8d585c7ab513a14366f57b8a69d07ae2996073788b81583f9b9800c10877e23fb50fc47a344fa54da507b6504f320d67a8babc6658d7

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
4ab37f4a61ddcd8b976d3374be03bfd1

SHA1
887fa77f0f1abac3136ec12e6df5b31417e38d56

SHA256
4a0856edb1a5173d623ba47e7dadf7c5ba06f8a64acc21178538b1e6f7559b36

SHA512
2d4867b84674ca10338743f62df7b2ff344bb914f369fda252b99331738ec7dd2d4b4aa4b5df2e1dcda2a7f41294ec64bade9ca7e739567f1b9dc89d05d1e2e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
eaa01808d2242fc32c079261e1d50bff

SHA1
9a1dba4358d9ead99fb985e26e81f3d073c59716

SHA256
3595c9ad53ab2a016e3fc02fff09eb0e4a0a1790be96b6d53f444e767ff01a2e

SHA512
d180f5396f5ac8fe2770dc0d30ae906211015b8048934b1580bb4c94e2c9f1176dbae52586893c880f896a8b3f547286db348f56201820e647fe05663d2020f7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d831ff5c375d61a0988b574c37bb335d

SHA1
7307da963b3cf12d0c87ab2c966bdb8fdc994e5c

SHA256
5cbaff5cb047d101c48bd0c9e60ca0e3bef63f60086bd5d2758c67e7b04942e0

SHA512
553f706f86aa9f3cfadab23413b1539e3899d6b5fe6fc3db502035b285351e1d745b47745397fb4322e77307a25ff2aca3e3b60224447e3a9d832e2ea405708a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
a429df2204ace38a0ae0c540e006c0b4

SHA1
446106cb427bb267be3f15bfe95895188cbe6c3d

SHA256
adc3a04926c40b1cae7eb48ad9f4e931af6b15cbcad1319e567f3962f911d13d

SHA512
ec7ec871c8096292ad56c336c18daa480a451d7204101120d71b3d668f0e14d817bb1d23fa586c63c34b084a112e2afd3219f3d176c7e6fcd4bfa27bc84fc0f9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2628a75a87200869e003b251fdf2a794

SHA1
16c2efb27e1af79618465c37b95d5ab48a4365df

SHA256
1194f708eeb244ff0c5f57b97b01abc3cb354b93defb61ecc46ad8569455103c

SHA512
938968507e625af8a72bcc1d0c652b36ddfe73cde4402eb8e4de396ca448e0535912b2093bdf5d8166360fe147ca37203a64fd0fd3fb819b00d9cb17f2ef6216

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
adad8488f9d6b2e7f3cc49a4e873f9a8

SHA1
aea922fc0dbb1bd40579dd1b512681ea71c5e14c

SHA256
3a0f969f9a847489862370fd9c432d2afd0f9235ab19a266b032b4db38706b39

SHA512
65971d6ac3db21818ce13c4dd3ebcf68672f8e460a88464cd7173649ec12d75dcc7502a33cff27c59ff15c6fdbb074164ac141abc6aa0388e4e01941e0980f2b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
09c0a34d50cf35cb7984f1112c2f3c70

SHA1
82527c6ecf4a6f42c5adee3effacb9b5b3b21389

SHA256
d3cfc848c0dd6ce21ed1603d39f295d847ade5097e33dcb039cee049386226cb

SHA512
d3bba22ba228e9151f1542b72ca6dd4cbec0f38e5a194d33ac3bfe59e63d7efb33d67b22c6d84b4f8477312467b6e686bb0003da1479f22ddb586124300b1800

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
637e250f42fdec1896f29832fe908f8c

SHA1
6f0e4c46a67461de662771a8cb3923a29b4d84a7

SHA256
152320311c96aa037bf7095d3f6622eabb824c552aaca33e54670e1323f5e650

SHA512
58794fdde609733816875dd86749efeaa08fc8a4ed053e419aae39d52508b636e13076f700da26238530a00738aa23faad976e729025dc9b3a920fce09090668

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
cc01a4c1de0371e3b3d942d7cbd7decc

SHA1
ff4aa40ba21a6c9d1394446143723c7f60e63e86

SHA256
60cbff467c9a44dbda73865e71e3344eaffc29469e453f913d448c3d96f553c1

SHA512
d38b9f84553eadf0ca670a4db082da4d018e3ad45e1c7e694aacc148d6f0dcac61c9fb41830c087823db4a52fd51d5c57a03111d7e27905011a04c81e44d1395

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
efd8c51ec370da538ef1d81d31cce276

SHA1
72f791184e0573af7f1306c711c6f185e6c64f74

SHA256
d300228f99bb44c252a7391b4bc59f052d13b8a078c375479a1025a70823e63c

SHA512
e64bed4f9521b29330cfed58ed53ffd2a3f140b6abaf093b7316aa95a9563dda5946b3a86839247cbc75155d0a165523cbe653867cd31e0eac8df50ac7fe4b9f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a35f852a1325441662e7552c7a82423e

SHA1
b4207c2f3f752aa66b4d2d95fb161ea8a85ffcbc

SHA256
6ed2add1466e935ac613403d7af5be06660c6524d1de365829d7312660169e96

SHA512
f7ead54cef388637a287103cc040bbc31abe450cc33ef28371876ece0bedf82aa95eb2fa99daa3febc0719d14662bbd281b9ff2b078f09e7ab83f9ac18d68583

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
13495f46ca2d97f914ad53738ef1b482

SHA1
828473bc66262d720dcf412053685172033823b7

SHA256
38022732565b6c76acbbdbd3456a402ef443a831e3943a5c466574fb5df58df8

SHA512
3c98eaab52825899d6310ffaad8b6b6d949b70f31e4254ce0ecd84648318d8e776cecec574f22295ecdb81551f3f447d11cf618b0fe6e8a286966e0ce84a1d90

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ec3c118d56725c57d3f6327b45422c14

SHA1
2e31ad587e38e474277a69fa5e20d0d8a0fbdca6

SHA256
cec335e59de59b92ed9e27fad293ec7b29abce5d63077f2eedac84bcf3b0fc9b

SHA512
aff4adbc5c94fb9f351971d6b1cf981026c8e4570a08afb7421c8639f905373132962c62fcd893fd4caea847bb69c80ed09ffbd540e1f20e10bed9c38eded8af

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
a4c26965afcaafe1953a84b6c8487292

SHA1
618df173d3c4ae0f1a018c35f79fecc800297550

SHA256
cc803cf6d131377f46ed2e580e4dd04c12c89aae35f025c9a15b3795bddb618c

SHA512
9da5aba0d88b4c55678c816ceabe547426bb2ba90e1737a6567db1b1339e06ef7da5045ac8d19a44ac48ae6c0b0599402947578b666dc9be6b36c9b45c895529

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
5ecd1018c1a25f04d533cb06ce9de572

SHA1
b9548e7aa31b2aae5affe46e05be5e8b4997bdfa

SHA256
2f42263388a8643191b783209b24240f37d8a6a8c4e9ba9292bd112546eaa01b

SHA512
5ddad5e00b19d6bafe90e23185e934fd6af9b82bdd3ce81fbb198f84cc78711ccb94dfaa3191910b8f38aa0785a3239f8438e13d303fc479aa9bced6c49db29f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
b52f3e6f5ccad75ad793130a8ae357b4

SHA1
5d4207c74eadc77c92dacf33a0a72c451a832dc4

SHA256
da6b36dc434fd959e398d4b0cb6463278546c0fd169c59727babec55c1762519

SHA512
a7b3dca024c95f50a7ab965427d26a24bca9b396209305ad4960940acdf9c0c3308a0dd7849f5f41a1cd152eeb4842836c99ccf642fbd2ac74b5037ec8a8fc7b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c5731abaf14096f7489b56096b3186d4

SHA1
cd61cfd23f73203f0d8406a7a3795618e74644bc

SHA256
68e443b102e60dd8d68643d52bb48c0a59dd9d0ec8ffc6707dca136dab01917c

SHA512
4bd1da0b08d72711a120a70cd616051c2831ef2056156836e32c5055cc8ad991c0f3b943db1adbd4a37b2deb64d2b0225557c86291c6168bb93c68c6d5fdfa65

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
8327419806a9d3776ab43b338ee98f54

SHA1
287fadca5423ffc189a90c0d01f02cfa88807763

SHA256
3ab043a2414be401cbea0f5f5a9687b2e50fb3c4d325ea5943951e892c46225f

SHA512
2e3228ea66cbaf71b439cc29bb59c5761e0ed31f607e28eceb3734fe086f562fd0e9b272238a8dd2b4629aaecc4a9f7ecb6ec75ef3383975db3a0d2e3a4a9b73

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4c1cda33e82caa0bf40065890b25ec51

SHA1
7d5f185127ccff58eb09a725e264afb2a5a6683a

SHA256
bc28cf4d517306205f2ff8a06dc4204bfd274706ef66d0dfd4e39cb6564d6683

SHA512
c5dacb48c7b6ffd02eaddd6c4736474d7344025b0b53dc3a24bbf601dedcca78da678a7f486eabf8f33b49453eb4f087f4474eee0a7a8d3b1ad956afe4b608ad

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f3cf285821464f86d0badda7542f4c0b

SHA1
d8421271f8368d5b7d06bf6587cd2fd009a88857

SHA256
23008492a3bf49270b92c9ac2c3829033d3e75ac58f74df511db95cb8f31de55

SHA512
7de8373db3d57911c7d24d6097e83dd997913e46a730e030bbcd045177c7d9ca38f538d525a19f49cf1652838b7239c4161a843088c8ab742379cb3f40324950

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
ae192298c35bdeb5ebb733ddf238cef1

SHA1
e6286819d36798dad935daa1113ed7f634bc6b09

SHA256
b78878ea1143996884fd0918a17f9cd4aa6a9b134cc9b0435714265696df4391

SHA512
072fe05e088d36fd1d841e8a116f196d5f43ce3247cd283a735fd052b5e994c0d2660c6a500306a404e7e330ef6273fd326b8f60a22fc95584cac54f4199aac6

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
e0801f0cd92f21da395de4e465d5f436

SHA1
d2e6076c016bda007041ed11072e1969b0b3b1cd

SHA256
2e2d86a049ffc1b12b0af073aa55b0ea81581330e6aaf12d390bd7198cb9c89e

SHA512
f58fd182ecef9762f034f2053e27d4825ef1e9e5a81bfcf82bf4fa1b56278d19b11090da44c950694cc5f1fc4bd70bff80982f10eff519bd408344e35013220b

Download Submit
memory/1000-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1000-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1000-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1000-40-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1000-51-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1424-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1424-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1464-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1464-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1832-104-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1832-22-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1832-13-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1832-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1888-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1888-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2052-249-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2052-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2328-93-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2328-210-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2328-92-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2340-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2340-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2344-28-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2344-36-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2376-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2376-629-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2756-60-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2756-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2756-53-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2756-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2832-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2832-8-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-9-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2832-76-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-445-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2832-448-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/3732-631-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3732-270-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3756-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3756-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-521-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4128-544-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4128-188-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4140-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4140-225-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4444-261-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4444-148-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4484-518-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4484-165-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4512-207-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-237-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4596-127-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4708-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4708-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4708-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4708-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-83-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5116-77-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5116-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5116-85-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5116-88-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download