35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
Size

625KB
MD5

d7495cc4f92b8895458086fc0a6f4950
SHA1

cb5302052e7b7e72c3d96c408829838ab10627a0
SHA256

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62
SHA512

0c7ee3fa6d0efcd9c47faddb142294120574ef53ff7df6ed3833f27f6d30db7f8eb8f0a6a6ff9e40a5037ed2a94bfd2214a2131d63bd1515be0063a1282430b7
SSDEEP

12288:k2dqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:R0ZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3400	alg.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
3700	fxssvc.exe
3012	elevation_service.exe
2204	elevation_service.exe
4596	maintenanceservice.exe
4180	msdtc.exe
2388	OSE.EXE
4932	PerceptionSimulationService.exe
3980	perfhost.exe
3020	locator.exe
4088	SensorDataService.exe
3660	snmptrap.exe
5068	spectrum.exe
2020	ssh-agent.exe
5064	TieringEngineService.exe
1752	AgentService.exe
4404	vds.exe
3140	vssvc.exe
2028	wbengine.exe
464	WmiApSrv.exe
972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9525bef54bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd65015a6fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc4116586fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d69fe576fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3a318586fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000732a065a6fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d061b586fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d5329586fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffda165a6fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe
2108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1440	35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
Token: SeAuditPrivilege	3700	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1752	AgentService.exe
Token: SeBackupPrivilege	3140	vssvc.exe
Token: SeRestorePrivilege	3140	vssvc.exe
Token: SeAuditPrivilege	3140	vssvc.exe
Token: SeBackupPrivilege	2028	wbengine.exe
Token: SeRestorePrivilege	2028	wbengine.exe
Token: SeSecurityPrivilege	2028	wbengine.exe
Token: 33	972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	972	SearchIndexer.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeDebugPrivilege	3400	alg.exe
Token: SeDebugPrivilege	2108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 972 wrote to memory of 4280	972	SearchIndexer.exe	SearchProtocolHost.exe
PID 972 wrote to memory of 4280	972	SearchIndexer.exe	SearchProtocolHost.exe
PID 972 wrote to memory of 4948	972	SearchIndexer.exe	SearchFilterHost.exe
PID 972 wrote to memory of 4948	972	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35618d71ab02efd2ecb930aea2d4029fe4d44d8636824227eb4dc42ff2521b62_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4472

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4180

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4280

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a6407fe8c5b7ede6e0bae86521256297

SHA1
da8c33f5c6b8602d1cbe082b23f8f7dcbdfb292f

SHA256
9b6e64772716b389d4584454b7c9e178fe70793493c77ceebda02b7296bb3fc8

SHA512
5a0a69ed1bb40f0fd2285801b2dddef442d1665e3eeba5c1603da1ea5e30500386b6188652da58d1b29356fab1e41de50af73b7eb04ce2fb47a9235bbb9ac230

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
0224a58ab56d0af4426742fceb3afae2

SHA1
890e037ddc46789fe7a815f741f942b355984c88

SHA256
18b905958f432adf7775ab3dda7f7ca9e302b510e97c96d3bd42d37d29daba1c

SHA512
5343d63b262ef0595bb3b3f822a7fd3eb5e29f1589f0229e61f3632eb19d546a65a293649a1b59d6af7f03eac75c683dbf04ed8d67f64df88886ed99d2b2767d

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
6c066e7dc5bdc785d801b739f8825879

SHA1
b49dce7559fabf40fd75f3d5ec1cc8843fd46df2

SHA256
1d3b35e3017095b67592900ea184d1bdba248e0c3275b740dc6829a1f5dbea3c

SHA512
75856043680f17b066d082c8e92679c8ee8f4003c76be69072d63ea9c7ca7dc7c7756def7f42bad444b81980a524c96f9b649a087237aae7503aa98e639f9232

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e6767af0198b61bd4d5cc1e50c3ee358

SHA1
8c2eb68c097def2885304e12490a4746f967a532

SHA256
6f7ae2aa62bb0be5ae140f211eb07a740dc7a1fe79921d380969023111bc299a

SHA512
af6d69ebdb076ab475c8081207e473850856b1a88786184c2ad6fec6e8331616deb1653ff7ff51c809b776b12e2d71020c4adae3342bc561da7b79ec6d41d7f5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
cb326d4b5ef9d792c6e0b291d11db2b9

SHA1
5fbaf25e6c8da6298d828564ba4c68e169731cee

SHA256
a3223f9982ccd952e538138ee595f1f33a5232fc348a61f33be12090eff4bca2

SHA512
4dadcb048d4d83bc88c9b973caf3e838611fd65ecc7758ac47ceb775c97ab77d6efdb6eb7c0f48a031dc59d3cd2b4de31858b92e293144bddc63be5f021e2116

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2abe34c1c6f18e22202b50b94be9359b

SHA1
1c5711e46a1b44c965c3689389e4568d9904b5bb

SHA256
27fbe85170c9dcc4fa3dce54fbe0ed6ba842f84de07856c0ed6c149ef779d87e

SHA512
1ad025c351b2f4afe819071284961739dfb59a3d183ba117a83686389a074e508eb0cbb8b2ba6f1d13167919c4cd51ca799027772afe27d45224ec73c97eb46a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
0da5217d3b4d8e8882a7c8e56427fd08

SHA1
cca36940f492f0eb45b57a58e59bdd1346adb2f6

SHA256
a852b9f437164dc05911eb2de734ef22039e216832a37141ca3b0328a6455ff7

SHA512
0f159590c31720694870e5783612e865d464498a0117cb6bf8d78aec0c1750e6a69cfd3b978908baf2afad6ccf95499df9094bde994897a4ce26742809486e58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d71e1ec49b787871432411ea564ab4f7

SHA1
6547f4b3b00f44e5ff7b47e66b5a5574982f96b1

SHA256
e7b00ffd0685ff0c24bc002feba8c60ab48c97b05e0c0233bab0dd266a81e74c

SHA512
7632b44ae95719ae759cb847cdd45e56a4b41eba779c332f4979b8a3b0e266aab5430df8747ce05dd5564d6e095751b9c04ebb4f4a338f7ff3f58f0f11b26504

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
67891573bb99159d09b88809b4339d71

SHA1
6393f04b497db5bd22e68bd490883b55ed687e78

SHA256
7a6ea3acc77bdba3a4a8b72bb44d9f706097ab1cd1e414a685271457d0157e19

SHA512
f458c0d48d4ef1feeca705130e2c4a6917e94e682decf07f2bcab028e5a462149b4011095f17f42337bd848f8fcae388ea3bbf6eadefaa968759c57fe1e097f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9fc1bedbd15e50f577b004762706c8ca

SHA1
9eb13d003dab9d5aa4727c8076cbfe38d7a3da70

SHA256
719c6732de94196141e40d68f7d3b27873ee704ae1a53de94f693e36955e7193

SHA512
3d52f1fcdaed4f9726f17025c634b0c1f0ef1c2fe962f377cba7caa7258f144271e45982e75611ae50ee21f5cf9b2219cc0d932c32178a99c19e7bca71535ae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5fce488b5e3b7eeb430921b52149602d

SHA1
54a3321b1c94f70a1538bbc9d3c610a40e6cf24f

SHA256
f79101a8e34beed94bdfaf2d2a9636249478f238d9cd27b2fb929a0d10c95a95

SHA512
dc522c08744b4514f5740865c91bbd5248eae285b6bc88ce5282545be7857630da163914734a58ff92619cd93e7e2f20c0ca520477530e1354bc069a744abdbc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9af3166cddcce5742b954af169322f85

SHA1
e60bd4fa3b8720eaaddb96e3d08ca1f7bb764776

SHA256
6d8e45a9389036e6d4cd25b3b66b7e0a387ee9f5e310946ca7eee20db7b1e9e1

SHA512
b13d47a4c007e242c9117af338dc19ac3ea73b92bd11869e8162ea7040ce62bceee7881ad1a65616967effd5dbba7c49f966d885136c85feaf849eeeb64a8cc3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
57eda46f4e6912a5416c2c35167507da

SHA1
92123e4cf9bbfb909f90af811855863289a19950

SHA256
df69176d7b0d3e54fce99ae91d643d369315c59c9e42d6f99cabcd4ae0cef5a9

SHA512
4eb37e8cd28a5ec8957bf798e85a6986a1abd50fb79917ad342377fced619610ecb34ccbd61e01bfc77ffb05f0fc74ffb41a595dc1705401f62f78d6264a950a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
9b378cba16da476a4a03a71e030ab7e7

SHA1
3b9503281785e17bb7f6f0c83658206cc0786327

SHA256
f431b4bf10f8d1cec898b268d837a2af7e02fc315aaf72b325bc8faaf2d93160

SHA512
1d1076e73e114b47a58bd0ebb312202688b5ba1bd15cde4e77dda708c9be3ca57b838ae694a2a8b5739c876d01745001e458d1d438f8468c6fce9af4295b4c14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
18dc31ec4dce8ecac99d3f3ad79b665f

SHA1
5cb8712f0acb4a1e54f034d2dabdc5a85ac4d175

SHA256
2af76986e9e453ddf9842466ecdf1fecc58e4c58946d5ae8a8aaac0a39e21bff

SHA512
dc522c54b9aed282956637a0042d9f794886528782ea3c0e323412f370e4e83031e2aac722bc39b20f654c31d3a14769e8050dd606e327ea113f1913f1e6c43d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6cd07dd0af8f5cf041eec3397da553cc

SHA1
f36025965edb35b7891ef0f3e10dc895978ba7c8

SHA256
c4905a959cafe20777d67723667ac91683e4ad27bd7ce571382b099c48d2e015

SHA512
73cb4b215d66919c24360d6c1d9841a794227999350a6bbf0f11afc87ecbbd970523be49ecb0f58b88b17305ad0c1c0a78e148998ff15cde8e7094644c9bdc27

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
cdde1320c92b90c6e12ab8668ed0cf13

SHA1
320d87e04450de5ff975a7d2d0c79ac202286a39

SHA256
bac4935f0209aefb0c5cd5fde58c143379b5a57d339d59fb1811e06588147d04

SHA512
e2675514aa6b6390d6d3ddf14e60bc6050f8c74cb869e7d2b53c9c26fa05a8c39f4bcb80661ab167c2785785712b5d27a9427f0b13f5f6f23ec7c8f15cbf3456

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c10f3190e598f1abe93cee745c0391ea

SHA1
4cc405b17f88f90faec4e1783c1cc4e2b7604bae

SHA256
c25ea6e91927e687ee18e8a2024d1bcde3ccd7a9d712ea814871dacfa73c601a

SHA512
4a7e4e9fdda1103d32dd34c83e48fc52e3a33be07e8f96c5bc09f336458693e1b1f8da0093363988cf65854f4fa66f4fe11d4574e68122a220e88fa4cdb0fcd9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d571dada57f5774ff608a4f0ae6f2455

SHA1
63a08612fcc89d58332dcb87b87c1cb93589c392

SHA256
1c1fa551ee2438463af33fa41ff69aa1d0c54be6e21f6aa54a8b626379ab03f6

SHA512
179dd70066168b5f96ad6a38eb6ffa3c84ef53cbcd7f425de23bc7a6831a79ec432acefe0cca6f5cf3511e5d1cef12ba8c8e56c5e2d737a1eb690066416d541d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f1d89a0851eb6dad1598ad91f9431195

SHA1
c6af1500df28341740b1efc8ee3a5190eda7d595

SHA256
371527f24e7d74cea20c2e147aeadee104f09dad7282e2fcb0e42fd92b7e6b85

SHA512
87f74cf585aa6bc24156c981e195de2f291b4548201df9ee43f353c50f36f7b0addd481576a4fd1c24d6c99219ca43c2d66b2054f8a168bb6d56bce1c16b6389

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
d93ba04453d031c31bb718b270b2a5fd

SHA1
af28e35f57e054a3fc073922a8810c5381f3c7b1

SHA256
ea9aef6e1a04b481c51a49f1e21cf05bac14ebadbc1ae7b065191052727c25e2

SHA512
7efc53e38e032677d1710daa013c600e7a3e2c9f73f69267caca38ee86d775cff923e4b7269e9232945a02dbb343c050a824577c985a72c07803a959d55124b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
182aa40eaf006e064eb8d4070ca93301

SHA1
7240a7b24f7898d293695cbd423f696908e471a2

SHA256
838d2459d6dfadf3b54c981711382b8de6fa7af11f1bb5d40fe50644b79d9840

SHA512
ce0784f8b183153480414812ebbe59623be5f2b365546c29787682d89313b747d9ff8375e6aab00979f0bb1e670222c200a122a757d77ae6541d3c0f3b364c95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
1d187cb56b3ff6987a6148eefef77036

SHA1
d11690e21783cf5404e82bfd5f2fd2778e694d23

SHA256
1425894a912ceb6ab62b835c7b6c3171a5a85fe9e36b198953b084375017a62a

SHA512
ee9c68c8bb01a309a7824b558ea8cb66c7c4b134e9db19ca6edc36ec13452eff4f7dd4e5f0aef3a6b508b590ab777b7bd79108b6cec4db111e7ba11fc2b9d494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c8142f19aac39116e5f3845bb6914985

SHA1
b5eb6f07d2b1da4eddeaee8054f970ca8f1958a3

SHA256
dd45a26ebbf831b6fc37cc44e7e2d545f04bb964cde5351659c780b9aeb73c17

SHA512
859c9b1f777b275181aed2519fbbf7d73c8c9277450bcb68f353a8273fc5102a3d285b3d3bb1298c31a1d8538b8c9b7df07c573efd7845aafcd3f301b6e422df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
e081526742b4671d083540f902daaa7c

SHA1
23aa81f991a5ac76344bccb97f7149ae4458ae70

SHA256
35177d1a7842d1e1cc1711e025d2d9a7970d4f0cc40d4e915dc4d983d2d3ec45

SHA512
a28d73f1c447f8e7559c9f4503a74ae224ed23c50eaa2946fbb7b4bd01715ac1f8359fec598e5fbbc01ee6f7a47a60dade2b3e013069e6b5e206da65e2e14d9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
7a7bd2224d112c3e05765178d753b688

SHA1
a7b1b323a08861476f731031cdf983da03d5f28c

SHA256
185d18dcf0a7d93442d3b1d89184d8e13e361fd9a2a969c6743a889f77b97aba

SHA512
5977f761520c87cf76bde6022364eb0d5169bef92a9bdd90a4c0d7e360eb8832f65994b33c09b2dad6ff0eee14efa640337ce08cfdebf4d3503d458135ebe9e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ceb7cde29f821656bc434bf10a526954

SHA1
8eb7303b00455bdde8cdf8ba990e271fd52aa2a3

SHA256
2b3b3721f72ecaef384752b298faddf607859c6e39d4b08a81147859323aeb0c

SHA512
0d1bf09da89a88519ae8376296410a87ed537677b7e23c638c7dbb6d6ab07ff6b17515709e2ff372aee2993377065ac97131975a49aec777acc03f8c1aca1c74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
d86aa1352bbc2ed12d39a12f8adfcc6c

SHA1
eab56ae96475969188092b093eee6acc2ce8c2d5

SHA256
5e6aeaf04ed99730375494f89d662d959cd6ef561063a7051784b3cfdfbfe0e2

SHA512
bd6d7447a43b71eab0893dc95f01f507caa9c83af46ee87635f9412065332059d47657aae086966d7e1068f9ee4719a5bc5f90fa79333528953507d8c5273e4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
ac6e2056179a06f28562e77e7b1d0697

SHA1
89e55f7ad74821af74d8435ddd3b8e06b1c14f7c

SHA256
b502f36fb5f5a9c58afe54a0da74a2e4be6c6c75ab3d6f0f2df7e9f0efb44044

SHA512
6b85a39cf77b8e59b049d786e51bc63a3d777ab8f655890e76521da3b2a1da4378119d672a13a7bb4a874e2e1ad88d671f23dff65200631d8f37b79325ccf9cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
4b207b2b5daece79b4c459665205ea9b

SHA1
a3a19f23fe5c3cd90a7173963b4860d643e3421f

SHA256
ff8e49d8a27483c4fdccf0793ed528e5e3760bd55b60c73a12df6728aad00c2c

SHA512
90c1796a1431266bf659af361548f7220e23121cf502f5192d70fabdf0fcf6ca37ae997ac9a0e413e8aa8cbacc5fc1cf2123c3af611d152d8075cf06ab7873e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
483aabebba3ed254c23f7e9ad6cdf82f

SHA1
071a7754c1ae8c69fe41526c2f19bd7f6d0f0f2f

SHA256
294bb2cb78a5fcf980d7cf2df8b5703cc0c3f183f81aeb91499d984f1b45c399

SHA512
3f307ba2f07dd78397acdf049b9784a8d1438c046aae7d4325c87c71722eaf3c4b146f1b1c483994f49fe73026447db778eccf7be607a949626876ff21cb443a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
45d8addcffb75c1742b60e4982ec07ab

SHA1
a5126e0dca3d029535fd22256397816aef8e5d7c

SHA256
260d88e8c4738fc0059556f4d5943e6361a929eed8c176802e52cabcfadb7383

SHA512
19bf7b61c01c0e704ddf4516ef9c58342ec1e8d9d9cf545f3d4b6d89b19c9e37bb93402f94fe90f811b7cb8702b382981ca76a3677f3b87e04ce85f589b4c3ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
ea6b9259ead86745d37047172301deef

SHA1
8d2d5d203c45e5a505ac4022c5344d35ccc56e50

SHA256
ee02fb1ef88f7c8db20d049b064d062e60be1526c29ba2f83576d1f6222131f9

SHA512
f3adce76f76d8b5779b7e1c14cc8faf59403db708b4f3c744f74990bd3c7f3691243c220ac07ed2ae4fc177d3a3ba94b8dbf4c977a9c178e406fa7aac2e4d872

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
d8b40ec42891610184a803748adaea44

SHA1
2e1894072fb45e1d2365458fd8a09d14266da94e

SHA256
e790f96a5765551159d37064b8391488b6e9ae9cb60bd3cdcfff2020069011e6

SHA512
dc2ede930be6af8c0c9988594fbbc5faedbaf59a015f046b8db5850de4b4168deb6a89682ad48c4c8e97373035fcdfaac5d107f4c2d5c89bf62969696b971ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
064e3dc50828b1fa7b78fb67d1711a81

SHA1
e03ee368159fa449d372a6f65dcee286daa738ea

SHA256
f707c6e5abe7bd04f4d649e3000c38a84de73eaeed4bd3c113207f456f47c304

SHA512
72f5c51a9c1bcd7569eeea9fd62ee0ad137e43b65d8fd4f7bc0b92f1b99affe998636b0928099ef2c7f08f8ff12148ca05193d7ce89a6236be9cb67792fb9964

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
aeb1be9ff9d91e5604300902b1fde701

SHA1
e5a2e857b6b7bfa0066b191c6b696b69da7314eb

SHA256
d630d096359eee8d2035d1ee6fc7113b1bb7a7cc0962bb10383932ff85e059f8

SHA512
bcd90b6c4ccc7f7a0e4bd82edb37c00b2a6637ad315ccd0dc75ba44ba581ad35cfff17c8d67758f2df6dce01229b11d4a8ca849f85b2acb8c7511cfd5c766e27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
acfa56e92a7656c6d6738a9cfa82d579

SHA1
3dc57a0b69e85fc4805d6441712a295241615b3e

SHA256
5bbd1ea8d537ae6cbe599dce5dfab9e9031a35b7e528e1dd2d45938d3145cef5

SHA512
7130c652b2922e55ce8c0137f2b228e82ae9f36da39c5f1d4f1fdb3887f1b990f18d5e3e72ec3ce680b295231b06b1f13373ddfe9953050f60ce68afe99ad85c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
19103d76e1385805e5ea63a6fbb64464

SHA1
69783477ca32b5b92f7312c205a9f80f739c4a40

SHA256
93970e4c56e3f7ff6e627abfc527dcbfdecc1b67fb14fd2d4c194514c364e7b3

SHA512
5b6702763827f498a97092a02ac2986683a5680d2ae21ae97fb1480a87b4ae42cbf66f00ccf01aa4aa7d42914876d6b5cde6d10706ad67cf8d3eb78197c7624b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
32ad96b3a8ac0ad74300830ae3c11c5a

SHA1
9b3a905ee28b6c7cfa9e80648298d776dfbee49c

SHA256
8240dfa267791fcffc11465e8c059e07718082aac55bbe83777b99fc0b94c48e

SHA512
167fc3f5f239686416050ef95ced257e3fcab7d4b1464c2fa1c36c67cd29d9e2b7b70f8cfee9faea0e03c346113a812da4689e25eb0572570b5e06689c14febc

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4ba104717feaac2c54cf213260257919

SHA1
ce3735bd4bca33cceaece026ffd177affbd06548

SHA256
660f0d857980a8f41cf3925d1556567e1d00b4ec77342d788cd8b8805091fae1

SHA512
81467151ec7c39c63057b8534e744abf72c2a257e014e4f1d8011aaf799dd65413718e6dbf31d6fb2a7450150a7c90b5794ec22b3fefdd864c3db0000fc76b3e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a9031828410c6b06faee01a3829a5799

SHA1
73a265dc47e85f1b62fa427c16e5e2766d7b18b0

SHA256
f781ee25630a0283f47b273d9abb92a1ca8b313e3a2517214c61b246359319c3

SHA512
c555f479cee63ee89156814172fa90b25af142149bbf3b5604863bb10cc1c1d33330be9d6265b5cab3dd4f34a28cab097e43a6d4349b9ba045eff7dab0f3c079

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
0282e4010217c4fa5838b62543c5d293

SHA1
a239dc22caa279d66e0e4b3a26446f5e33d7b9a6

SHA256
656c4695ea60455baf4f1bb056a87397edbcba3f6b4919221a240d43cc020f8d

SHA512
d39f42ab860e96c2144469ab3fcc1630af83ef421b8b2973ffdf07813fdaa9e158584de42739fd31cb83199cae94dfdfe95358f554144cef59d46323c541fa55

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c2b7587440380a61142d808ebd659a89

SHA1
52133d59f2c60d3c8c10d4b6f95c9509628f8fbe

SHA256
f5f722fd353790435d193bac9d30b431927afa608af028c1c75a190f73e50b5f

SHA512
be9a353325267f0e6088ee6b024f71221302f169b9ead5c33c98c921a86f4df4f2779260561c6ac83a4b779e93259f44410d07248c3c1fa433c98100b46cf915

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
9c583f525683ed343411333acc3622e2

SHA1
ff5e8a7f2d113617192760afea28463ce9c30839

SHA256
09d22d84b5bea5d911f78dacde0f0b55426705931ce7e01d99ae44d9648023e5

SHA512
f9ae56a11e1d637850dd46d723b3b209dfe8477ad9520fac43e8ef4ae148813ffde16b3df361f15bc9b8ccc3dcb380f509cd7505886159ba68f8dfceffa43979

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
302790e515c1746f9100aaeee47f380e

SHA1
a569df91d2c0f5548c8c145b894cd82a759c2b7e

SHA256
c138758dd8527043a995c116754199ba246cd9194bd996896a1dc2cd2d4228e7

SHA512
4e9232a9764663a59b65ad70c6d3b1a9a5822d9f1af75881e275522bc57521cd43196032d5fb60df072701b52a559c96b0a2306687f6322e2d768cf0f6ce50ff

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
4e630ef5d3e05e9d8e2a2cf1d7c330e3

SHA1
e336480a36460cc5e5afb612a73ba3178e419b00

SHA256
2bb2b7a4e99b40d4565fa94a57098e8a3a4e546c56e6a0d8903e213d8a52b7d3

SHA512
8c5437b95dbbe7f738902c24bf44795d62291a7b0f367bf57578ba7c72c5d431a874b70be033c2e3e405472039a423cdbceb89ebed02b32a011921191b515925

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
fd9d27227e1df6ca6141a8b6ce4f48e7

SHA1
89660ece952a68951b2a8f888b23a0d62aeea1e9

SHA256
0ac577ddee042358f308c0702320ff23c8faf8159574a0a3c2a9a304f12d39d0

SHA512
fad8252a1c9990a15d4da6915d181104adfb5ac16b2f73d0978580923a9a3113f21b7d3b3238f4cf4f476ed3764e1b9385153e9386a1fbc5b30b156f6897a042

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
51d38cf9a2e30e4ca22d14f40db030bf

SHA1
fb360a7fb2686bdc9fe224a877d930645c614d61

SHA256
58f68cbf847faa258d9c81b4a6ba86c52e0002363b3c70c947c1779e21d54b47

SHA512
7948e45f9c5d1fddf8157b1399be735117a083bcdb1b3005938d2e01f2aecc9299286a966658815d32692d31bfec74e4942c7b749255a7c1a7114c251539433d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
96e96dd007264875179299173399ec69

SHA1
14bb9652a98f0f3e76a0cd0c4f3740dbad51b02c

SHA256
31edfbd4aafc1d78cf50c1e51f52c056e90e416cce05f055c97692627e4144e9

SHA512
38fd1d974b128915adc530c7d8603f5d611b35bbc52940f366081eba971b74a51044834d37bdb95bcd688fde2385f858fba63c200cb8812fbd83e2d6087f5aa6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
639d4ba47eb7ce2867e7715cc6137114

SHA1
269a748e36b568193edb6703f46963ca8beae45c

SHA256
b44f50df6012be94594846ec5dd30ec278cec86ff45526b88245dcb1b6c4d194

SHA512
98776270d103ac99f8228d659ee5b90637f171579ebd8a50857275ff83dc84070d7daf517a1dd02f6af5be9dd7466b96cce58c9473db33ce475c5d6f53d20984

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
74ba8e4e674472a99bb5147d89beb6dc

SHA1
cc01c5485bd46b347468e7da5eb056e3fab0f7b6

SHA256
79ec88450716343073acd20a3530089b6ab325ddb6c6148618c4611b7f6eff6d

SHA512
d62d271bca6ecd7720ef64279e74e2775e6d9ea7c965ad9abd7bef9842c61e7ce20f0e012ee12081775c8774ca78d6c7355cbd1d0e5788b9075981427f211f34

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
fe11c4870e90c8ba2e55835be31c019a

SHA1
6543885d28b6204f3eb310eb4936279224f0b9ad

SHA256
6a3048ae7f05dc866309d9561eb0361092b958bbae59be2cbf52af9a54d39f37

SHA512
ba03012e3c427c6dbab84d11f3805090ae53da245188d7e26cd3d0c8cb7f6b206ee915b541f2f76e8ab9d5b19c53a44bdaccb37c6b86b4457f64e2dc3e550ff4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
84c2e402d4642750591047754cd567f1

SHA1
b34a6e165fc86d0746b3964fa57da98c4d11dd33

SHA256
cd1388e5d3728917f71c4e31edad9c6b3bab6ba5c9e188790e3aa851fead5ef9

SHA512
d3d28ee18ba6761f5ab1e7b03c3447954dbe784d7067dcabdd0d746b4cdc71428c9a23e6bf7f6d7bf82369c30a07ad5c83f9d7072804f683029f0f5513914875

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
7a03742ea2fce527c302ad584882d40f

SHA1
e4cc4536289f7f683d383189a7fc8df94886948b

SHA256
bc123d0998e4b4148cb92638f55efb14a8658ceb5ad2cc8473e1bf6b07019007

SHA512
d3d59cae30f24c7d71ea7dd3e9b657c185b864b2fcc5f326008d8fab546db059b741ae6dff4508a33dc443c43ff85087a068da16f993c8061b49eab52a4622d2

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
80fd47fad79faa75d3c11e480879a8b3

SHA1
4b94fa2586c360fafea97ff34d4811abe69af76a

SHA256
45058dccda18c3b5e78d7e162a3a6a32426136002354bd94263a2b0b0f09707e

SHA512
6b97d6186bf8c152e1b0bbddcaf457ba904a4795c027f1e89f7ec486d964fb1aeefec0ab9c3532e43f46f89c76334c8128933456608ae679b95f3a4f8d408b38

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5005d26415a5ceae7800a5252ae946dd

SHA1
b64cad610bbab7a60a215be9837725fbcde7addd

SHA256
5c96a1c35eac29039fccfa5e6f50da55607e9656fafdbb60c4a4311951d77a57

SHA512
a3979280a70220826472357174ca42d0eaa2308ffb33139dc582678030eb85ed89d74bdea5f1e274a7d96ffd57e269dbd50d35100967b9c55229e48ca9847a5e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
cd27b8b3036b481267518ad3c77bbab2

SHA1
6c070fb2ab7483608a5fe4eca3ff8ed18bf63880

SHA256
f7bdc58c3ea836d0ef0096b89a400117c6d7620803fcf7c250d1776a81b88afb

SHA512
64de1240108eacbe0a7ecda41c46eb5ba0f2f8fb52c107f90e715b0a387b60d978d93ff077a0fc9cf5502c6e5468afb1eb69ed1a42e9a4d8a609d61ad599a650

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b9c82bec0488a4a1c8a6c904689a1a3f

SHA1
d9f80d14fd4f0ba6635878a591b618e29d7a77c9

SHA256
dadd40c0a8b27046de8b71f312d010bed725bb7e463646d1c699c0bf80ac7b17

SHA512
34ba42f2a4feb29f766e172965d34f7864d6cefbca4e2fbb2113da1fd8a830e3aec297c22ffe0a6cdfb47f35e06e2b19b4de9c663ccf4443dde01c32081cf6ce

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
f8db0046f1addbae711c70b1de9fc078

SHA1
2a31de79f603ba7486e5782bb1aa4f13d7984a10

SHA256
af8aa2200dedef0750e7c82fe30dcf09b6fca82d6a13371070658488a6ff2dad

SHA512
24400806860486ff861ebffd7c261dff459b3c2ba5189d3594c84426b0cf2ae20949e3e47fad3056da8b811b4a465c44d358218f478a3da36a913f96e55aee61

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
62995ee1a1c4e63328e9df4f71fc346a

SHA1
292bdd8677cf653832edbbaa5fcc314d6aa17933

SHA256
56c7935cd86a90a8c35737b85250d74d047f7a0f3198d5ec4d86a640073f7bce

SHA512
a8a31e8b54525279ae29b62e89fa70c59f092a37cc5a512556160ec07d31d1969ad0a0c1e4011b4a0b95288db98649f6beba10459a9374b995fa6830d8042fea

Download Submit
memory/464-646-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/464-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/972-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/972-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1440-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1440-2-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1440-477-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1440-6-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/1440-82-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1752-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1752-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2020-637-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2028-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2028-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2108-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2108-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2108-134-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2108-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2204-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2204-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2204-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2204-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2388-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2388-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3012-49-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3012-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3012-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3012-55-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3020-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3020-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3140-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3140-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3400-18-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3400-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3400-12-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3400-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3660-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3660-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3700-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-35-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3700-44-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3700-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3700-57-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3980-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3980-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4088-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4180-214-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4180-90-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4404-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4596-85-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4596-79-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4596-73-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4596-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4596-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-113-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4932-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5064-639-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5064-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5068-519-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5068-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download