32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
Size

648KB
MD5

657f1b00bc17e21affbcfa9a2abb6100
SHA1

6c1fd507a702b2971a2200cb2e8b2aa895b82c81
SHA256

32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e
SHA512

e918537a89ba58d3e1597aaf13cab01466a1e567089a0c4101c002848a02f3e0a3bc2b7e6332c65e199cf93dbd355d932dfc89dee21fc100d009ebe6ef1b1f33
SSDEEP

12288:Eqz2DWUjYJlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:dz2DWwYvoKFLgYHJWwl24C15rDY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1668	alg.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
1400	fxssvc.exe
2320	elevation_service.exe
3468	elevation_service.exe
548	maintenanceservice.exe
4488	msdtc.exe
4988	OSE.EXE
1824	PerceptionSimulationService.exe
1712	perfhost.exe
4976	locator.exe
760	SensorDataService.exe
4484	snmptrap.exe
3548	spectrum.exe
3436	ssh-agent.exe
4700	TieringEngineService.exe
4832	AgentService.exe
2264	vds.exe
3084	vssvc.exe
3656	wbengine.exe
4688	WmiApSrv.exe
1768	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e912650ec8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a892ee068cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb2f18e168cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb30f9e068cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029272ce068cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006aba02e168cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041046ee168cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085f41ce168cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6430ce168cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021422be168cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f11862e168cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
3628	DiagnosticsHub.StandardCollector.Service.exe
2320	elevation_service.exe
2320	elevation_service.exe
2320	elevation_service.exe
2320	elevation_service.exe
2320	elevation_service.exe
2320	elevation_service.exe
2320	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	408	32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
Token: SeAuditPrivilege	1400	fxssvc.exe
Token: SeRestorePrivilege	4700	TieringEngineService.exe
Token: SeManageVolumePrivilege	4700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4832	AgentService.exe
Token: SeBackupPrivilege	3084	vssvc.exe
Token: SeRestorePrivilege	3084	vssvc.exe
Token: SeAuditPrivilege	3084	vssvc.exe
Token: SeBackupPrivilege	3656	wbengine.exe
Token: SeRestorePrivilege	3656	wbengine.exe
Token: SeSecurityPrivilege	3656	wbengine.exe
Token: 33	1768	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1768	SearchIndexer.exe
Token: SeDebugPrivilege	3628	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2320	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1768 wrote to memory of 1324	1768	SearchIndexer.exe	SearchProtocolHost.exe
PID 1768 wrote to memory of 1324	1768	SearchIndexer.exe	SearchProtocolHost.exe
PID 1768 wrote to memory of 3240	1768	SearchIndexer.exe	SearchFilterHost.exe
PID 1768 wrote to memory of 3240	1768	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32e9e2a1b7f8cfbb6347b01039bb01cb8295083119a3de419b215b9c351ee33e_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4488

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:760

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:64

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1324

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8aeb70cabf4c0bf8661f7e5773509e56

SHA1
37b8b9495105664393ffc908305a058387141300

SHA256
90a66312d81c8c072ebc8054f1cd35166cb2320d060869b6e400d959907e128e

SHA512
1f56af5aef467b44bb01d80e7e5796986b145c9608385a7edec5090c2969e51448850fd3ee0f25a2342421d90ee29ab72adc810185db92721643e4d05b97d5e7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
bc5a54c12a2f270ef4edd14327e69ec3

SHA1
53ab14440d5eb9b3e38746c6d90a9ff7c961a856

SHA256
b9e80cb93bd337d39a22441083f1b731f7ca95227632d32c79e2a5d851b30dd6

SHA512
5412dcb4987333084ae6e682aaa8478acb6b6adf5cb04a79f6d5c518268a790bfe08bb1c350946778149c9ce49747eeb9eeb7070324e5f6ac31d45d46d940f80

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
cda448c7405e821407add0b081b32c52

SHA1
a1e574a4d646f88143a8911d6e9e7183f44e692c

SHA256
7066e19a739cf1bddb69a049c3371d14b0b36f0f11bf51566f00dc04e1c4c485

SHA512
1688023458e9f9c5fe7ead671ce5e07975ea28a597c15a87a6e998d1d5c1bedab49a9c0f0a11339eca3d018302c3e4cbca453d4f4725d55d03174bf93280e568

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e0f3b427bb035aef6b2b04a5739cabc1

SHA1
1ac02f9d7fc34eaf4e5a2f220e4f2829a461bfe1

SHA256
84bf4261ed051b348f3a6439430a1eb53559157e5d13c4fd03faad9c1b19557e

SHA512
b9da106407bf1b127ad61576687dc5524b0971266b99691e181feb4982ff082c949f98ee7357e3a90186fbd62992e243c52e6180d8d86f2d9d032bac1ee6603f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
173fb4a6e9b4a9e7229b3fd77045376a

SHA1
ae7dda39aecf7cb36614890b0f3b22d995e0cf0b

SHA256
5453ea89c999c162dd52268f9cda53f441a9c2cb624e7694956a6bbb5b30439d

SHA512
ecf3d452db08f489f356b4c952b2b2aae907f44342de0b2750d699618921915743c7b43d69dcb68a009fdc7f5fc662d4e4329c9c31b4919b494b8277887d7be6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
abac6ace4eb0291ec652194e1f735e41

SHA1
99ecc73c196da15c4b2800a1798118eab3b082f3

SHA256
5715bcba2c16131043fae7a43f60fc4f8456318d6d2a707d35ea897a91543d26

SHA512
93bf996a4bd706ffd5cf28bb0ed69cfffe093991e2257bc69cb68154dd72487e88c547e0f9a5aa2e8ca82fa4b5efe79824fbb39f9a2f52f9f9fd8eacf3711814

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
e045594a59d03bcf7970f1436421fdf5

SHA1
32bb5c3fec2504a6b240e77bb669007ceee3b2dd

SHA256
5b00b2e907a15d6f84061aa7b3ab984c2f899a74ba369471c521fe3b3a99863f

SHA512
ce8422c6a765e92058a5940e7527a25fd310bf3f0b51d17434826f8a7baf628cc0324cf987c6c6b515f182fdba39e8afaadf181360abb578fdc13289b1b5d076

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e9a0058420aff0efabbe5c8753b7fe40

SHA1
f0a7ed51f9c381fe12aa41ede2f0a0f1b2446538

SHA256
b7ad81cc80588a4da0eb9fb2ae993b0ee22d6894eec8ed463102046ab7f2f10e

SHA512
48b30b778d67ad57b302c73ecd9f3e27ed2483e6daef90ae3fb21416e4ebda2f0e88b02f46c3240e918e79636d7de2ecf866b679e0f7338f87c5106278718dd9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
86dbbeaa0ebdc52f46a9f516acd31fa1

SHA1
22ba4997d3bec6aefe892c07abc1c7bf6f2975a0

SHA256
570953fff57743d548ab9dd4aec79fc01d955d6a9c664448e6dc288e3aa0384b

SHA512
6c51a01b026969a498be380447f52290b48c42ecddc510b9872692266df968e49b1604d709b6c7c61776240707bd095fd0c480a7fefa905adc5a405a216cea26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2ccee3b023b0d6ad43ebba9282cfcd96

SHA1
2d651ec1f90086bf2e10d09779fb76e6c1cad59e

SHA256
68298446fb6e1d9d2ddcb5b681bd6e30f0d0d55707e2dd4e3adabc796159a43f

SHA512
6cfbd4b8e4171f0666ad3d0864107f172c07e64f6b4cdb7db63f35783e8036d26840ccfb72653be8b40d0b6d4a4fa1ecfb3d685cf70aecd907d7b43916994230

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
d93d44d245a58a1ada16e0820aed0e6b

SHA1
e9b237771e2fbe4b326e5954d4f15f92f6c6a820

SHA256
4eb3a093666be4f50128afbd4a45bd5c39b2bfd5195db9ace5db57ef434c9548

SHA512
c057ab4a42ba022af5cdfbddc4319d750be887817f01f34079a99a1c4c901cfc76d011f7ae04ccd3b472d570489cda460b8c701e3d9e369f79169b30adb7b01b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b0914cf85602b3ab0b825b678fa62a6c

SHA1
f2ea9ae77b71f0eeeb8af9a8ad3e4a73557eb42c

SHA256
2dffbb28bcf64ed07e5e4e3a3798c214445a753dea2a4936e6b75799175b8f45

SHA512
0f4e070269dd4d9a8fab9c5228a6d1aefbd3a707d11c15a6f1963c11343101f6a560887954c6b3082c17455f0c49095a6da78a385971ab298283232c7fba2000

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
fdbfea658877ef72cc68c8f7f390eb82

SHA1
bec5ce0a9e87177c2352fc5d4325e3f8d16e9c79

SHA256
cc54f95e24620a104e28d94a961721dc1f820ab23085875b1c4f1a09aa382961

SHA512
967505db95d89cf6f93547c51d990d7e0a733324ad4cdc3902713e9d42d35ff0749afc495a97a828d48a3c676c9676da034bc6a03bf1a23e28be6e9a808b7bc6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
daecd18063a16801402ce0748600ce1d

SHA1
26887e77c02f0e9e8325d18293265abdd384ef20

SHA256
393026d71e5499b6e22148405beab741ababe3c71d219e8665ca0de0ce15ec13

SHA512
f9792a7a17031d78b3b5bda5caaf79293d59311e77ac2ad393e980adadf1c25dbfdeac321712fd03b781e89972a0bce999f295837126f39c1e9200dd9fc8276c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f9ec8c8dfe914ccfe57990235fdb6210

SHA1
dae7f383e9a43060a72ea4451f7ef9d04f8439d9

SHA256
03b6836eae55797c48765fab671ea6e60e1379a9a7af6567a8f17d688cee4285

SHA512
50f750ace473359dff4c308eab60cc5d650232fcb260058713b43e0d7af40cd89116c109c2d528599347024abd8c5698444a51a275f3a7ce0d094c49ba0f49a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
490697681828422e45cffe8b9f2bd81a

SHA1
58e139639c86ab495fb0cac6bdeb4fb8d3d194c6

SHA256
e736dd0ab382b154bf3325f7ad154a05a7b315a247b0977dfa8765aae816f5f5

SHA512
28401dbcb7d4f7e3f577d0a30308f4e516a51a11ab2c9d945601bfb9896e12b5835eb6f2dda09bf96590075aa996d847523eabdc2b454ef1f36f27dfeca706db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3976390c4ee98b4f7febb8f5a2b3c4f1

SHA1
edd297da7db72a61a9acaa9e6fac39633dbf0708

SHA256
fa756f3484fc6a27d83f382cf0afbf0248bbd7463566088948cdca00281518c9

SHA512
529e94e1fee89b0e6fb8382fdf854c7f6cefe5c825b97623e7ede2d779e6b8319e255dd0a6d0bed96c4ae466da9bda2ce1709730f5278df23248e1accc69fcfa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
866f27b046cb7d14b761f9bd6d6abccc

SHA1
a017de0e763de3c2c1f07945cbfd3f74c05c9623

SHA256
1892965b4a34a965207db19c7dbc8e7ce597d425eb0a36629d18fa773be06b98

SHA512
d79c63b995a210179fd136589d7dff8da226a0b4493382aa2381a08a296be3dd3c1df7600379ecaa10c67a9ff4ae05b616bb851e122214a82b44c372fc01267c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
32732416118456a59e148cacc3186cd2

SHA1
6e357ded4ad419d7ccda6cb9885190f959e6d4c2

SHA256
495a29ffd8ee2f1e26ec0a1528231f76950e321caecb83bf0586c87eab5144de

SHA512
a6aeb11190de97483bbe9f012167b7f5279e98314a527ae5c760bcbdb1d73bf1ed7a4d71ed583237a41335cb547bff4a48e97518bbd4fe8a5c880148b39467d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
045f7d6d0da068e284ffe0dc1e03b478

SHA1
5d1acc123fdb527046afa30a779775817aec27b6

SHA256
870cc3a8339fa425f42f3c049488943a0f6c6a8ed405f561960b4a47eccbcd2b

SHA512
422340c851a53e13ea078e1b54fa3c4bfcd94ce8bd25f67d131e67ad315465909258964d6e639df7aa855117746946ddef0097b58c6919991319657133c8dded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
43e0fec8aa89650337c8daa3b8c902b4

SHA1
9ffead08b8de1719e3a0b3d2bc3564d068d71a15

SHA256
8f7d20493f38a3454bf0859ae9987ba11503b0a5865f80452e6270e349784638

SHA512
f071f756d7a5a395d8bb0374b1c4c004b9c0d45172d5804381814af734d8b9f1382f4bc34ce301bd2095f3e59c7fe7e17c9a29d41745144819f0ced56236bc11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
4550574665e854003aa2a118bc703b59

SHA1
e18fa7ce9f2532a11debf27fb9b14b9165076f96

SHA256
d3e057306b40430dec6cbcd13740759165746427081d9cfa15cfad6bf6e20fd9

SHA512
5c9c6ac95b8598a9fb4fcffc27974679159af0bd98d588a35fc0d63494e7bc0e8946c6fefdcc6c99dd8611481e72d1695b6cdd211ff907cc50916cd2e02c937c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1e2b72d2bd8d21919a5f4ddf7cd7defb

SHA1
c5acd2c636f8d1e80d92b81e018410aaeeb5ad82

SHA256
48d99a98c4d0c0a1ec4692467b82901fd187a49b66dbb76637ff466aa5fe3485

SHA512
94980a86278681b51fd7665afcfc3d2de143cb095154b320c572369b454c79d283474a21237b40881d37cedd43b5cb516c91a075baa32dc8da398da84540532a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
72f731cb3e19fef2f8f1264e533a9a12

SHA1
7269bf99eddb5ea8aeb9dae0ac8101c17edc8354

SHA256
9f8730298ceebe580425d2190d43aa50df95ab920fdd7148481f94bfa1531830

SHA512
2870199e0346451e975b306ae21f17259a7878f425f716aebbadcfdc1ebcf0723a8b8985ca23afde1dfc29f49a078e5b6f99caa75056fe37b33da94d21278323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
ecd07d61c82a0426ea6eed4898d9ad47

SHA1
47c5e307fc7cad9af793a776d63f73f7c5227b81

SHA256
b3b03c2c6afe8cb0441fb37c71f43a3589fb812eead7989ff73fcfc41f4c18c8

SHA512
8331e0394a34b61b4efda3d073775a8774d283b07942bb31124b816e0958b0aeccdcf20374af997b960ce533ff74d97ae046c74ca22ab2b19b7b8b13dacd7ebb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1a98603c7b6166e6a33a243197ab7cca

SHA1
2f00c74fe5830b5187fadc865ff3d97f3bfb5f14

SHA256
205cc4ffa26d27f65e3d572f24a3a1ec8d813b997877c321dc98c56356aa4d1a

SHA512
590cabfabac24bd9d6fb4173d0891a521b81d27b4701f0257f613238f756b7604074db09d0aa357ee554a68ebc3ae3bc4f146f61ee267e0b2bae65bd46b3d418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
96e7c5b017d0f2e6e5f2269593578f02

SHA1
fa387bbc04e18aec956751a26ab3d4d3e9724ba8

SHA256
21947dbaf718fcc7dca97f4ecb45c47a287bd1fc4a4a30000f502e422323826b

SHA512
4062897f0646f4e072f7e34b3674c4842a7615c9c99bf4048d8b43dcd7b3ac8d2d1a25781ef5fdb0e7defa0f611904cf10ecb7826f03b2abfa032eef73b8c6bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
72a4e41636cbd9b25f801063fc24f22c

SHA1
7090a5bd387fc1ab3fd275af849a2de5efce7a97

SHA256
07deb941f3f295a137b12ea83a34977f38ac3b3227ae83d88f5f984c2a459c89

SHA512
174567490a776e96d3535dcbaaf8af61347878d4e9393521d3a9869c2d41568861c8a2b899bad63269d493818b6b1f410e6e382a589db6745fd71eff57244b6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
4fedd3f2b251c5eeab73b956cf805ce9

SHA1
f925d70df9b5f946aafbd8ccb9552918d6e1aa07

SHA256
816fa4419f7b7aac0e244e5249eb0ccfcf14f1a1d9e7f35174348bc5ca1bc683

SHA512
2a85c6d66ca94aee948254ad17f8f4461de953cc0d154db6ddd4dbfca306d143daffa27cda5000963a043025bc7364665678493bf437df9f6b2124e09bf7e1c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
a815e35e304a76cc0821c07ccea12789

SHA1
e2ff90aafd86184152541c33f0c80960f7c4d1db

SHA256
5c8589ad4b3942a6c4b811e2544e4ee07fe7f22d1c6c1ed7787aaabc01603d13

SHA512
e17c6dc9f0fdab55e70a6bf876a621db4ed4891c382b22e044c19d893cfae5e08bd284e5ea72a8f9b79a320a5244b88785d17ad00331a5f004c6df926531e407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
8d089ea6a77b0f642423b200137aaa39

SHA1
de13d3fed66a5c6b5affa72866106ecca2f6097f

SHA256
55d406a22f79bc51677e2381c4e25ffa7d1b4e050434093b45dfc42711661600

SHA512
131c33c55ae7a7601a7fdc1b8de86d7a74fc213899a5e33f333933fab4f4c9d12f9551c08976fb6ccdea244c5c2be61a258795e157835b69dc0dda2e6b51f117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
ea2205eda3794e8a4f54c8c8b06beb24

SHA1
6a15ace842a406a5019799873123896a044e76c0

SHA256
455d32837a74c773b32a77b30d378700cc0ce7ab5078774b8fa419582d960fe1

SHA512
a22e740f5b41ca3bb512fe7f70680a7e8b7cf8a1c40680b44cc401affdde7bb8fd65785d967f6de9c53e71a8496388a6076f9b9b8e39828c26be1b96b18481f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
7768caeeb984f769f77d884b7bde189f

SHA1
d7768a81cb96632b791794dbb15594dc4e463273

SHA256
10e36df662d0de42b08a7d0ad77166ce6950f73ac3b6ed9b43d1b67be1d7d7c0

SHA512
c55e1d6f556443aa3380d6ff40a2b07f4b4338c267fd8e385055e0e6d07c58e736b87df56c232b05980665ccaf2b77f2b587459ffe4ab82d3a7e5b3724b3502d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
8fa073dab44886c01049105da70359db

SHA1
1b046297be3101e30b3c39f17966b7c53fc69687

SHA256
2498cc4a36e3d2d0522967afefdc6478e019a7f65053cef0a34a23c97ae91e4e

SHA512
6fa0a5e3e4f6f1d883303079ded672002c2261d4bc108dfb82a5f711c497874aae2ab8c04af512502e281a2e99a5eea176d6959970e5a29a8183bb14957b4ac4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ba9cc062bbc200da15652049fd33d417

SHA1
5aa838eda36e35194364bd08f178cea2abd0abda

SHA256
1534e114212f3f74e02a90d82c849f5ca74500d69140227fbca2a8ca0bdc468e

SHA512
36690f41b7f91a75649c361e68f9431b11427202f07e31608c3091f756dae8e7996dffd1b251f34550da282558f028eacdc88b7e5ecb9a50a56430ff3ad83f0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
0d4c2fc09ef9288928c538dbadcf6964

SHA1
e3f71983232e6b880d751260eb3f97ad3250a91d

SHA256
6c2ecca618f174b406e5bedd5ce4dd7e1080920785a1f898c2f0af8ef09e5fe7

SHA512
e63645d9639d271339024133468d5c26e8ef706f796d787db3ea7677680f54b51b5a450fedb8f548e13348e2f88a5b40342f5c08fcc6f5f2b71f75dc290796ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
c785bb762dbc5d6ee2f08267367470b1

SHA1
47001401f4858d8ed3e79c93c4d7bbaf9db9f722

SHA256
da59548b1288b49b54233fd0720c9a0ad6d47182622b828154f7cd1dfc50d51c

SHA512
e8ad2e3428f368fc26287ed03daf02d685c0ac7b4d61b14b0b970a6a036c1c61fc75ca4b74874f1480ec98bc3585ea8ae4d0dc73e3b45858ba5e8d221ec1af9b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
2027b926bc5024cbb64d970e9dc8d2f9

SHA1
0402541f4338fbbd9fe2243da08268cc8c432d1b

SHA256
a72330beb461b2f865597267ec8f9cb570f2476da0ffd31c85f7eb2222d91963

SHA512
79b07559252f4a9c3cd4f8159ca6a042246506eb3f2a490afd5f3c3e31901913cb25be7658fc96d03ea4d62dee9bcc6f600e857fe017e94038d5524448570cfe

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
21869936433c3cbe52cf9ebe99d97d9d

SHA1
a356d9ed6c25fcaa419bd49eba7af5765f82f1cf

SHA256
49cd360c745da5a1ca619b903813ebf5d19e979c9429a653f25620a505a34dad

SHA512
75174813aecc0c77ab87f5199592036edd8891e1643beafae6b51053330b25883b9051d9458fc6f26e2d5c96ec168b0ed3f3f533bb02279a6c44ef0b2429295f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
ee0e2f1b0294fc9f03cf3b2ccff81814

SHA1
e1824611bf983d54e82cc25f53b4dd505d21a5ff

SHA256
2ae33c39c5328fbccbc4e5618db0240671f562cbfff2d128a280457ae99be79d

SHA512
711735711da613eb7d17a6b72ae01ad47b1bb34f105bd8d0c056f20222fe3eaad0165d1abfba8f7f16b21cff7df03a854cc37da4dfcc15c7f642d17249adc151

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6d85c0056b3585ab98aa3ff9dede9d4a

SHA1
b89d4343fac19e8836f6be82057b398e02fa39e9

SHA256
081b2181f114a7a4a48ee7061a050477e8e4c63d593c62a23916661d42e77290

SHA512
eda93bb683f632ab7a3c7cda636a062beabbb1577058ab3f103eafa15103cd052c6f93e00ecec01ac8ecd06f2c00f6de0bf0b06ccb942078302524b612bc4a97

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
2e231b5b114a47e8c60cc0036aac7652

SHA1
59ddb2315c4373a8accf0aa5e9cb223cde30c192

SHA256
e17db99c2b2e4eea10f97bae94c891b4260c7dd827b7bbd42d981c61eb110920

SHA512
2252a5c147c563ca03a8847383e28d80e13b4a1b319074525f5357c02ed7416d11f901df58558c96635f5ff6ae11cc21031a1c93f2dacafc4ee2440f94a6a0a0

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
624f29906c35fd854f996b9f7d132005

SHA1
b86456a13268dc1675c3ea2f8d6119eaa9c3a262

SHA256
68a09df324348a24730948a3301a40c119c4d18e11cbe0e7ccbc334234ba4366

SHA512
9f331a6b154f96136e71b5324e56c6237e9f4917bf362b72d09c5bd2bdba0e68ea04e4acec22316e472abb2a97f118763c2866f4ab88f0fb0182c2198d3d49da

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
724bb6935c7fb7b17b402abb3a1ab180

SHA1
aab67d95868eb5a754eb3db5e88bba455d2a8e2a

SHA256
a90e5a14e814f99e07cf1229ec6c6485af1fc788d93e79959f3d18143c187521

SHA512
afad0a65eced315886916d11aa705c12cd22f2849cfb66aa5fb970b86128d0f5a18699570b71d668d78d1d8b277aabf39dc995559241ffca069ddc5cbdc15684

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
01912bf86449eea5f19d6f6333336cc4

SHA1
54c3a469101f777c2096053ed64c8d9502d930aa

SHA256
b200036bbe5b0cf86d0d8a5080032307594a06b0865bc866680e938e25b2b148

SHA512
6b6d3f985f267f1193226e39bfce46518de4345d17a6ab942e5f535885645a587ec098691af2f72ac316fd7bdfb3ca770acc0a9509965596762c59229fa4497a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
0ced067776924f1f789606043cc5f714

SHA1
a340e8e84ba2c7da7533d7e6f76c18f400cfbad4

SHA256
189c88097fb08ca3dc62561424820951ef5b4ab58eadb0d05c06f5c07212e022

SHA512
577b54d13c26be95e2cfd5e9724bd510e536ad1db4c94dfc959e5455cd5e7fbabde862ed04c917e55e5ab689b12358a391a40addc1bd7ccc556c38005a191e49

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ee9c0dedf55856948ff8134bc69a80dd

SHA1
bfef2773216a366931dc9b737216181ce3dee018

SHA256
d746875fad57ff1845d574d1e2adf1d20dc45346e0833120afb51bd542a2c479

SHA512
e6d82d3766b60ee4cc19486555aec12b99934a54929839a5ffc7dc9d961ba84e5bd4397fce1364b9d5edd5a19fe8ed12ee34359f7197fd4f381d6497ec4339e8

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1b3386cdc2f835f451df6d5fbb2f6054

SHA1
4060c971293f03249eb734c55acd5106f482d6c9

SHA256
41a1d4624b64c82ef59d4409997af16f4793704344c054c82c323321c3433090

SHA512
bbf4cda59b699a5c2fa8a0ff64717baa3883b8c779de300be97a035ecbb0648fc8fcda7eaca7360e1ed2d3cafa777b4842098ca66fdb880ae033a4db78b4dd16

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bdf746b81ccc82fee4ad5c29059cf847

SHA1
f4dc33e8995216bfc267cfcf8eebfe95c749bec8

SHA256
0c4f401ba7acf5891301281f01c00c761aafe19cffffb1eb1a03703e55afaab0

SHA512
94136cf23c9c2d8540c508a34d136f8d97b185e4ed3b44ce6c7bd6feab19ade39bb44640c76ba6b0bfdbb89c9a36dc5ace5c83c867fac91002a013e103aba4d9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
500543b6394f91d17ec1e924b22cbaad

SHA1
f1eb438eab1d79ea72fdacdbd964f1315fdd36f3

SHA256
c9a3a307fcc9d425d5d634b7237ba6655490717c8c3f62c5ba53f50817d143b6

SHA512
23014de46e27028f328f4ccc42194801e74a7a4ad6485456b12936cf2227d3e1f63778df184ca4f09bfcb34847f5eb02f0bd2c79634520264e1c29b2e3524d02

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0417c975821905ddcaf82874b8e8ae3c

SHA1
e4b348062d6461549fa2debe3a979ac400873253

SHA256
cdd8bf1cbe75f29bd13f6b5e6cea814b1a0b3112ed90745f829a69dac0b7c94d

SHA512
512d06ed859fa665ba57353e3ae1f555d40ce2a9fa60ffcd23b643466b2b041d366c84ad29abf67d78d27c888006703dffb2a18632b6a33cc7da8c4ede0dceca

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
0e54c9b27bfe892959f1a260dd875a69

SHA1
91b6eb4f0384e30f3e19152327789f44f70aa8a0

SHA256
e54436172f1e6c160154cf21b86fe2b4c0508df1d430d1b5a91a04ae0d7ce430

SHA512
b5daaa2d26bf4d81b8b486eb394b2628b9b3a6d97c96560b919fabe2b13a96df8bd11186446f4e8a72a85a7382a8cfbfe3625e8a115375a3aa3a5bd98e3b0e1f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
048fdd071d5c94b710c8b9f313f2a0ed

SHA1
df126813be8a2c39b306591b0ae5cbb209de7c6e

SHA256
605f368f4936e474962db3bbb7363b1d8c198e6ae69302ff7dbba801f671587b

SHA512
479ca3e81b50fe2a8750f56ec6ddc65c19866ae9bc2e11fbe634c423855167715001a23926f69a8e4a4183275955aedc8a5dfe48d40b42a9588a9ac35b55eee0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
6a1fb67d7406646852676832c280ed6d

SHA1
544996d0614f9fb61fc1dc876a9dd13093bc093f

SHA256
b34eee071b5c59ba9de7209d2af9d6d6452f6932bf966b9818808abc1d7a8865

SHA512
a1b94bf381d514e2d77beb9af6275caaf867fdd85031aa89eead10d5ff877abfb468b99eed734c6a3e130e6e1e588f953c15dcc4b1d9ad8967dc29d0b4b8259e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6843c5ec5d20f62d30d6122f477f7c53

SHA1
85f533774a79d99b457266ede96aa96ab8a7cdbc

SHA256
bf6e3945a4bb5e24d042e4a87718a1c0bd003dc253cdb01f50aec266632d1347

SHA512
34ffd86b027037b51724dc9cfa40ab3e6b0cfe06a45cd78a52da682364e2bcaf56fbfcd4d94cafa2786b8ef6d0a0255500680f6528f18c49cf2b31c9838560ef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
cf7b8646b6e947688019c9db3890686e

SHA1
11625379969b8a216aeaf295f35e48f00260a3d3

SHA256
b8d6f3aa352d81c72be61db2e1b4b6b7ff082a6ef33b0bdcd1884290061f1957

SHA512
0ae990388e362bb1ebe94551597dfc8fd1c1df334171b66ff24cf70bde20339e3558096992dff01e014b48f2afd9daf0c90830e2aeae2cfb9240d1c1e95ff58b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b0398e5462f3cd124696b757c578e0e2

SHA1
587d9a833d22372fce079647985c77a1274202d5

SHA256
0c95267941c6e01c641ba7e56243a9a9cffad89cd96b1a50c110af90c5c9f045

SHA512
6d3fa350227b4ff07dcb9aee939027b083f02e9f484227acaa037226e05ecfbfed6491045d7e11b69ab330fecb31c31ae2f411413fa64926630ee52143667785

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d6eeb59a79d77cf3bf578b15a099cc3a

SHA1
3c4fae71f0708541a9b32faf3d61f40c4ddc9ae6

SHA256
b503a0c69d20ad404c2657cc545d5305a429f81d92d886f3a59affcf83106cc0

SHA512
071e5662623a695da7fb85b1850cfefa0ad1dc27b1ef2d115b8c56398a0fb682d60e8b7d8c33e797551d3b17dbafc087ecff71c1c210afdaeb08d5cd6278aa36

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
45e1e5d662bdcb532736cfae2c6e20d7

SHA1
88c20ae1ad86f8112684b06e66665b90a5fb145b

SHA256
da184ddf87506f2b9314ffc0a8131f1b61da81a956e4bb6ad63fb257f40a3ed4

SHA512
75e3c18921663a2d0b82d46c02e2e5f1ea97878c62763637eecc8135d7156c877adc6f7b41e91c16448b68bd8b83ba4af98fba1100114f6a7f2f16620ca65e94

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
7c42dbf1f11be7a11b0339b1f79484de

SHA1
2593efb959f1dcbe77a9ef4cc1b817109deb2918

SHA256
3354409eba549026ecd4f08572d6fed0546a444b0de815334fba1cfa9b3b63a5

SHA512
23d59313fd64824e2ba387e92921ee2ceb25afe2d18f0e80355d63586068f3cc56c38fae74d6a19781a7c39d5cb9e06fd0dafc7236eea3b7ddc8d1e997496126

Download Submit
memory/408-0-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/408-439-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/408-441-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/408-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/408-6-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/548-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/548-65-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/548-62-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/548-56-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/548-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/760-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/760-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1400-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1400-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1668-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1668-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1712-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1712-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1712-103-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/1712-107-0x0000000000680000-0x00000000006E7000-memory.dmp

Filesize
412KB

Download
memory/1768-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1768-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1824-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1824-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1824-88-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1824-94-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2264-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2264-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2320-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2320-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2320-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2320-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3084-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3084-485-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3436-481-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3436-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3468-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3468-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3468-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3548-436-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3628-100-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3628-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3628-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3628-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3656-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3656-488-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4484-364-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4484-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4488-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4488-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4688-489-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4688-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4700-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4700-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4832-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4832-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4976-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4988-84-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4988-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4988-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4988-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download