35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
Size

648KB
MD5

d99a4d42147831c6f1db6e31e3a3d1e0
SHA1

dfc3197b9eb6db088c5230bf4afae9d682f22772
SHA256

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12
SHA512

6ff24fbc0f17a6f017fb81733e3bc21e3de9e9ac5b77537bdde258363574b62fafd1ea5f97ba5cf54625b337785c9cd1b03d8e4a99fb551e75332dfa3629db24
SSDEEP

12288:hqz2DWUyOdlI7KcBBxeXZY7Zoxxau7gnijY5C1uP8xwB:cz2DW3ZGXkHu7gi05yu5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1352	alg.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
2960	fxssvc.exe
684	elevation_service.exe
3472	elevation_service.exe
4024	maintenanceservice.exe
4960	msdtc.exe
32	OSE.EXE
1832	PerceptionSimulationService.exe
3128	perfhost.exe
2624	locator.exe
432	SensorDataService.exe
876	snmptrap.exe
64	spectrum.exe
3356	ssh-agent.exe
1524	TieringEngineService.exe
1912	AgentService.exe
4576	vds.exe
4344	vssvc.exe
4452	wbengine.exe
4936	WmiApSrv.exe
4988	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2d32b68dc8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

Processes:

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a0536b76fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8a85db86fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc4031b76fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067c55cb96fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc465bb86fcbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006486f9b76fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a15d11b86fcbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1312	35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
Token: SeAuditPrivilege	2960	fxssvc.exe
Token: SeRestorePrivilege	1524	TieringEngineService.exe
Token: SeManageVolumePrivilege	1524	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1912	AgentService.exe
Token: SeBackupPrivilege	4344	vssvc.exe
Token: SeRestorePrivilege	4344	vssvc.exe
Token: SeAuditPrivilege	4344	vssvc.exe
Token: SeBackupPrivilege	4452	wbengine.exe
Token: SeRestorePrivilege	4452	wbengine.exe
Token: SeSecurityPrivilege	4452	wbengine.exe
Token: 33	4988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4988	SearchIndexer.exe
Token: SeDebugPrivilege	1352	alg.exe
Token: SeDebugPrivilege	1352	alg.exe
Token: SeDebugPrivilege	1352	alg.exe
Token: SeDebugPrivilege	4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4988 wrote to memory of 1404	4988	SearchIndexer.exe	SearchProtocolHost.exe
PID 4988 wrote to memory of 1404	4988	SearchIndexer.exe	SearchProtocolHost.exe
PID 4988 wrote to memory of 3488	4988	SearchIndexer.exe	SearchFilterHost.exe
PID 4988 wrote to memory of 3488	4988	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35946d85fce79300996c5913eb023b040f3a459fd6a910bdd8fd0b7dd9fdcc12_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:32

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:64

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1404

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
e55ccda244825b9c8b843d51a5cd7b51

SHA1
469f8aad5fd366fcc4d242b42d8804275e1df398

SHA256
1394741122d8a5a6d7bd4dbe1216e246cb6f1b72a671653feb5768fdfad5c458

SHA512
6f629956bd948bc5d78af3656b1afd17316e878932079b4735f9b9288e833818c7cdb2d1be5fc72c50ecc916d7213b69ff6bf2e3feb25367d281a54d2cd634ec

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
fcc1dc9520c991ebe51206e4a7565e47

SHA1
ed5269e35375e2f08f2e3a56f13330cc13f99f2d

SHA256
7b75dfbfd07021929da0e0601d05aa168ce05b0b1029788ff6acc3ff3cd1b2ab

SHA512
e2438203efe9da84a867a19208420391ccc3fe1292c30bcd04db08cd0db7b1e60b168d0bc693e5c9fe6991af7bc6ba0026a352ba3ecafb35733959bb0a9e124a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
13e88b4caff8c89455eea3810bf27037

SHA1
d9950b454e0014c01f9a9a4a28e7a7c48fea92a2

SHA256
128ae52e2ee2b61806422953714d84447085836cc9cf034fe705424418fc7a6d

SHA512
1fdef72953785d406131e4fbcec531f4d4348b710f4b25a5cde9e2149cd1553c0271209b93593e272cb958f1a2215ae763c7eff2c4e4b0deb607c7711e52cc85

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3c564350f09639201c9ed3268cb9f03c

SHA1
3e6b47f8d5da9ebe5ca6f6a2b6b140a29dcbc061

SHA256
e2106d0932bcd642e7cea55f5a8e015b3969001be3306eaf9b9c4aebd07ee2af

SHA512
5847273fb402a07aff51cdeec3276148d44be8a38c599882754e64cb5fe0efe692b86df09f9cf4d9356bad68d0177d28e058a30fe7ee4734705569214d76b608

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
76286bada6aee830f13b219070b1dfc3

SHA1
5109a4d5964d68910ef7ddef78fb2af00d2583c3

SHA256
e371b3c99bfe1fe593e66fb0a6f11c5c4f430ff2e7dd12e3022df3d86f594e46

SHA512
5becd95bb9159c5f2446844b4cf13ee7e48c7d30b0a910f181cbb35c7289586c754fa4dd997bc5d9e5c0ce2232edbfcc538301dc40a0b89f75109176957315d8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
e0a00ecb9d0b6d229f6162268750fc12

SHA1
4c1bb0797d7854752e692c5eb8d8c4f57f8b8876

SHA256
6d7700e7c8b7ab70654c72b45d4b61c25da7619c0ba81177865bfc490d819362

SHA512
8a2d9a93bcadc8bf83f227af512677242015555bc025a8ae4154a47e1b7ae6a99f27d6ba51f14a0da90e8c754c38c1dd973803c59d4150c31ec4d417c0e8019e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
992451844c095b5c6ff5ae8c186bb4d8

SHA1
4b1e5788272c41732b75677bbe9c97a132e8bfec

SHA256
e88d20e379f8eec05db27264b143704d876fa6e8fe1512644241f651cb04b4ea

SHA512
21727ecfd516659161ad8f50c2a5eb81337ec7fe8546dec3583b80d406ee3eeb1f462c994f079c2ce93aa0a18309eb4f16a126830a61b5c77da3e1be4b68c997

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5542a8061b61a244bf4d466a192bd462

SHA1
f5a0971a605bba0a788a59e752cbcef5ae33a9ae

SHA256
5e650272ecf5f09ba19bc3edad5ba24508a076e8ebdee2df903a68508c2b1acb

SHA512
57558042ecd3dc648af1445b5c058b345defb4f4e02e22ae5cefe03be58c053d4f8ebe9bd890b4c4fae21c3000a7cf5143ea0d8a17c54fc6fd9d2e596f5a7309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
10de1cae9114f247df60b027c5ee567b

SHA1
5dbb9577756f7edda4c90169b91b13d4e1c4e269

SHA256
9b2d3dc7013b41ce67902a111f2fd289e3d4dc830efdbf80765a711d115f0049

SHA512
4bd1dfae637f874d3ea3be2fa42aa2df64e298fde8c6ec7bf2ab2a3da9641f173cb1b17e89e1dde237b08c25ccd9e90575ad4a7c223d5f88d1a38eb602b4bf44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c6eb35031ecc3ac7ed5358617104e2ab

SHA1
d7a47ec149ee291a54936ab3cf5ccc47c68b6191

SHA256
cecdfa8fbd8ceb2bcf34e496f280e76393bf069e2f24776e092f193bdef54af0

SHA512
5ee1eb1ed380058dc895a8a4144be2e1936957c429aeb9c44f1176dea56c1a42a9cd6f03b5ec8f369e049bc3f826d177b8d357beaf0814f2528c7b80e6992fdf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
d623ac64c3e5fbc7f0c3127b3a438d53

SHA1
15dbface9feb0831b3e1f3d186a0f2dce121d44b

SHA256
24f5fb9a486ca31d24e67bc8e789c4d36aa18efe8c8384ebebc65d2cd5d7bf8a

SHA512
323e176be64a61adbed0b684ee7cd290a7a53ea556512f9ea5bf6ef86aeb4dbf4db5230e7b9abc818cef5d663af709f9ac2b1214f19311d50b9e447102bebe8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
efe66617cc1ad3e1d8e7e3117a0fbf74

SHA1
a45a91fbcd1b1157b2770737ce42e963c042a82f

SHA256
990cf605c57b266e2ff9955e742c4fb732c5c2002fdc6e3c05c01d537820bb4c

SHA512
3ea46f8a04f2524332b4c54b5d72ff8b20b0d1bab32de5c2b1b65ad5d6cad09836ee416e3cdc10c819c862835367ab7769dffa07cc3a96220ec311e5d9f28a87

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3ef2bcb16ea8a604d1d2875c25e00993

SHA1
e46afcf63ec9612f0f5c533e83d835ec6ec96644

SHA256
d970e90c6aa32e5f85295f502567957292069b2559cdf9d721164ea29790dc70

SHA512
44802de5906ab10510a84a7dd4e27aaf6bc935a4df34298ef78b38718898586bcee1e5c32a4f43e3888d45fdb8f730ef382a51dce19852cc6fa2185e17388993

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
571807763237715209ac432d0d9cb511

SHA1
df1e37f67fc755438129196c8d880668ed2676e8

SHA256
a640fb7a65e57e0a438e5c52914730f950b4c1558a9ddc687dc0531ebdf7c6de

SHA512
bb3675ee20286ba7581eaeb37e38840b230d82d3e2f52d9fbd84c436d78b9b66fbca8b22eb30446bae98055244e89254011b397d12d305eeef173d1333cfd781

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a55fbb076daeadf91b51168121d913a8

SHA1
09c09e863cd2bd5b6eaad849413c1ebbdc809f08

SHA256
d9c063cf09de4bdc46f69bb504eecac32f49ba5d51644800b3644d03a9c4c2b6

SHA512
f04155c988ee653f788a8c55b598b00c331b32101973b617c9b694570751cba260c1915f0b3cdefcb88d657ee9fe8338b95b4d28d4cb51b50e639ea65a5eea53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
c97f6a7d1ea51b1012318a87e20147e5

SHA1
b8147831c240e3fab8082b82e186014a4b2d624a

SHA256
1b5a62750b98c304f3dc76e9b4044b92490087940545a3fb74b03a0f3f5bc20d

SHA512
6a87641339088fbeccd33f8a588cf3a3dfeb5f9885a511c957a5959648a4de52494043b7576038dc7791d485a94492bb18c9989735c875b8e36817dc73c23172

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
184add6a963753dbeaf646d58eb43cba

SHA1
04e73456a7de204e26b14dc0792559c20fbd0276

SHA256
9ae59c22992cd37c503a6f538b2dd2f383791e59b01719fc1f8a98773b3b4600

SHA512
59be91813afa61967ce837387571f5d84e547a386d11953fdb070db0e98963ba4295cc5db901b0149627a3ded1adb2cc44d11855fffc66b089dde7598f2c20b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
7785f83e0b2529e45a2051a54c8cb7b1

SHA1
edbd4e45ce7e8dc62f803eb910734037ab60ee91

SHA256
204cf2ae2814554c9d34db3b3a3eba36495732d468a60ea50173170caedaf786

SHA512
e13845fdc66ecfd52e85ba4671f6d28e0f1c1733d679c3efb84e0b2e3a4f5c9723efd0c00f9497db0aa173de4d8c7197f50af0e6effba440bf83c6e682c76a95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ac083d68e08cd887dda3e6cb4b3439c3

SHA1
15e2505c395763ec59f0c3cc75c7cf34c9eee0de

SHA256
187448bccc9c1159c17aaec0cbdf15b8ec96d6648cb476c97d999a3176790659

SHA512
55054e9c90c4bd8debe513ec07d003abb05c1a5fb0a3cd5c375f5c2537ee4fcf694b315010e2bb9d816d62b3acd14d6a466971ae694dae1e460574517ad5dd29

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f8fda224ba27dccb284c48bf35ac0d2a

SHA1
c6818595b8a8cb8c615b6a68278c3412e9c63def

SHA256
b35c809caea830d2e7e029d12ca6d8cdf31135130a45e43f1848d672326570b9

SHA512
b91ba49b57166fc69bb59abb861ec9418761e9725ab66cba8a3badd3301f2dd02f361e1e6049c0c20f786ea172b210d01c12fdd180879088ce8aad742ed41fa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
c5dda4fa61fdcad72b82a1ba838bef32

SHA1
66efc466ba03936d121296dc94f64df61dd8f479

SHA256
24194fe179edc05e0eea927be089d915b045b3f039f92f72edfba220c89639f3

SHA512
c9ebcc417ef15220dd9534d8eec9df476d64c942c8af3fbff506d296bf47fbbd7e2e7d0b8baa171532f812ca608ba336228f84b2a9dbf01099a6f1e8eae1039c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
33e8a1619f06be85d045e8b8c0bff96a

SHA1
c550a05da45ac78d35c0d50980759460a889582e

SHA256
003d097c6666f1d421bda6c7cc3847f568c79e71404a4a43923450ee88cc02f6

SHA512
8cac0f2769bb1b948b4ca8627e8c998283edd044c4c5f0784db9e9817ed3beec5599aefb7458dea2c4d3d3e9b6ae4a4ef39cd0a6aa21c011a4c62877a71a55eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
5e88decdec16c43b657442e81feec392

SHA1
594af295a696173561e5fe608b819966b4e12b78

SHA256
3e691bf6dbd28c62da4a57af060ac30c7165123537bc590da226ab314b30702d

SHA512
f534659b5388590f7dcfd1c0ef4203bda1b500492177aa7252ad89f4e46279a36e428842cb171da733024c9910f726d40cfd56e1820642cadea54048097e3dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
b1a650ee9c40ffbbd6da72eea9af27ec

SHA1
a9e968ea9d113f1e7f11646342bf4772f7e95483

SHA256
cf97c5af642bfc29ae1cb77cc557faf390c781b446c103cff4604d37f9d1f7b4

SHA512
0c99f4f1a31facc87078f8fea6c60ffac5f6002af1bedc9124b850a1bf1960f78d9e48a485d13ceec5ecf76a66b9486ee75074a5f937b14f2a5ab3efd5e789c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
0ae1fbf34b3eee233aab945a35160a37

SHA1
be4ac8cfedb460389ea1ae519b2dc20034c5113e

SHA256
850afde08361b7721b8c18bed4a69fde14b98a44493f94cb90c21cd4500fe5e8

SHA512
5cd67cc929c24cd14e9a22ab426a6dbe20c52b208ab6825df6e6879a04ebd4a200ebe3545c8fe1f04613dc15a6225d050568384e21de29526993f088ce0ef677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
339703eaed098fbd4d0b120514c66121

SHA1
f45b28fc562492b5b27cb50b4a79a08a032b2c45

SHA256
55f841f08c893dc45b299fd2ae9f5fe761a4ffdbf841b6dfa257e3d1b0e698b7

SHA512
522d6ab98c5d029577eb537ed245a087102b65ed17cd3fa415b47e0ce0cd0f0dd325bba004d5748ae282153cba24d8c73bbf43d25dda448b197b0f2ad3d5a986

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
cdef35b79f025d6fd3c048743969811d

SHA1
8b1dde57e64854f5e6af62dc0b054040d7412eda

SHA256
9dda70fcdbd312319d1091039c2a5749990495b70c60c572205c5cd8cbed548f

SHA512
c98c3d0e06b1665e6e904abd176bdcca20763a99343121e68290bbec4250f7ae8fc1d6f6d842f13e29b195c84699e4b8cfef71aa530f7ca660d33d24aa6be997

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
4f4f3c775a1c7a14f92aab029535283c

SHA1
aeaccd11579bc2f08adea1f000a0f7f60e5c5e79

SHA256
b2eea3f0280b8a731139bd8f14da01de2374401300e64428be680b812b8393f2

SHA512
a39328c37801b20c6e6024366273e3250327aa8b2cd2d0a1c7f53d161d80f4cc268ff2585a9aa5589969389ebe3b2a93a854332ddab5a60d2a2a068a225c3abf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
a6f587b2768985fcf50963829d4ddb27

SHA1
8c3b04e7f71797b4c6cdf07a207c467aa2a202ac

SHA256
105c2ed725d69ea4260220a9be1c4da643717c2cfa8e95cafb89791651d067dd

SHA512
d2f5540d6dfbed526d74a6df82729b273adc5b93cd14827ffbf66598b5a49b1497802cbdaf816ed57197e87f639904c6760548017c0ded650174f347f851cc41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
d01294fbc92a0be7fc0b5dc4fa589a03

SHA1
66d31e743cf31580459dacc706c060994def08d0

SHA256
d4ebf0e0b5a6f6920233d551fa6f1ee5e5d72d9bca2807d4f719a5bf6742a207

SHA512
455bd9b00dc634a3e9c6ae605961db1d0b2cbd040a6fde945c43e3249cde1d10dd426ea1c61af6431b1c88b194301bcc3276f86894bffdc213bbba40fbc864ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
46cb6bbd3e55a1e4fa28784dc512d40d

SHA1
3a2e03f1bf516af5e2df203f32e105d665766ec9

SHA256
95284d6ba45bb416f017ea8960adbb3aa8f5cb9252ad67a354f9db48af9e5355

SHA512
c583d443d10a87b041a63442f122088f276b9dae49e4cd169c8734e3ba938776697ef0e96781380bb9d6f63037e467dc015a079dd03cb9058424b945325c05dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
c70fb8bb794e2f699ba87b70aa43d17c

SHA1
431c5d78572e7e3c746e46616330079001009898

SHA256
f11d7d6971506750f58dce237d2971653d6d70b39843d877659f1a38b3f7152b

SHA512
a91e9342bc591d4fb2d004a50e87b2c1e6c7bfedc2ff576fd58d8bbb083803aa8e29bd9fab226c3e946e8664428298f0dc4bf8841fc6220e483557a32999c6aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
8d31dcb7bc6eb38749fdff92b298b330

SHA1
1df88c4769f4b6dcbdfc9d9df28a10ed3ab86b88

SHA256
346c6b5d9a156e2c2141e123d197e1378f7af0ee676b6dce4952e497390d09f2

SHA512
e9045a4ca58f2e08e4555bd97644e2c60cf0d369cf3ca59e7221b794406caabae80c751d0ef41981928a5aa9bd14b929982b42a4c269ab786c94de04ef5331a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
d7feff6f10808c31a1bc85052a9aee82

SHA1
734e4354ec5a60be032b43660fada29e7d18d4a3

SHA256
7c3c75ebdc8c8edadd8bc1603f3bf9931c9b686641f6d2e587516fd23b5d2532

SHA512
8e36601ce8273b13531e5306be7485de83dc3039567c06e773309d1c706ba10eaba87d8c9d2a2765d6b7fe275161356b66fe90cb87c3d8e0e3d4dfdf6a3318f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ef57a1ab593aaa4c1b679d63e5c33b5e

SHA1
828eb55203d7c3542e9ac762d9341b201312dc0c

SHA256
bdd3404509f2db50b046ecddbd840d054dbd6a6c72ab7e68865ac6b3acbbc54d

SHA512
83c4cc6d092baee2aaab69b454b6905168d6ef2d4e39fc6b97cee9277250fd238387da9c53209ef6d95143858ccd7427b0a64f4e517591b3d17dfc01d93e43da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
bb3adb84134c1b9a5f2ef0c28c602bdb

SHA1
133752645228cd721768a7e2773e3f1fe7a8f4c7

SHA256
1100e94f3b5c10ddd0ed4fbe84c6c2d3d6b14ca22a68bd17fc9ccfc2daa6705b

SHA512
918cdd6e7d2359c1753b9955d243ed2d3f6a210fee3edc88d190d6421dd766a8f1cb58cddec8ff3ad7a150bdd0ecf710bc362822eb22ca5053e3516ecf9e00a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
a6e3337b6358c661d527680ccf345f3d

SHA1
0aa5e7acaca65e4cddeee15164355145b8c97666

SHA256
a2316fff182f77e906f401283510fa821d7cf33afbc5f7851b586fdb0e98ce62

SHA512
7f0dfdb7065b0ae548230f835fbd2133f9608f5090fa76bab499a9191a565f36b8745307d349daca921f4aa0010b22424034e5ca4e1919f96052a3858abb7988

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1016619b17d92d5b2a22cab4d44759f5

SHA1
f61d13f0bb362b6a1d88111f3cd2aa99b3b3eaee

SHA256
b52748217fdb753a2038487806d80bf1d69f1e7174f895e75bbb99a6e05c9311

SHA512
6ed5d9be6e22da69c0b297707973a34473613fde2509520a8826ae6e7874cf1f94b7e5afd9d92775af82b950cd5889bc793bb41944658f0aaa03b0e65bdfb373

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
6bda9b60c938fb125c3863367b54e38a

SHA1
d23e62932ac65b12bfb07c3685930ef47eebf55d

SHA256
610b3738f22014fb76a5f491816d4211fafe1ac3dfca14b6781ffe0b853d0480

SHA512
36926fb68e74c3396e796f1cbd3683ad08cb0af1054f40a83a20fee81289c7cc4892d3fe530eb47a3e95a4b0d55f70807a312e8dde67a37230e87252e87eb464

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
ce4b5099f3bc732a17d0b7f67dd3fae8

SHA1
ae35d56a25f82f264d5797d613e79baeb2ac84af

SHA256
9f7dd142a467601a0d14c6d16af5250616e40f2276cb2f720cf19e4a195d7a88

SHA512
1aab7457dec8f6d0a01e17ee6fb494b6db2b81220dddc953b60236b692bbc34f257e2cba0858e80807651e47e53eaeb91cf96b8306c5f4a4c8d63a457dba817e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f924505f944b3a8ad47fe211205cd878

SHA1
e5e7d6e2fa936f0057c1e853a28b908117a2577b

SHA256
bae8b2fbf0b0878247370886592298d2cec8853cc7071c87ec33e4c9443b4f32

SHA512
6bf9e3d5f6e94debf959dee22f64cca1348e8fe29955af2f1600f4dd4aef5cdcb9dd10b19ee07878feb5eb1db7119935a4a3198e912b797d2ed69e46fba825d5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c288814c2a63f2d14c255b804ce8bf44

SHA1
a814f151ae9942cc045b93b31a69c5d6b9244fbd

SHA256
8dde56287096794c06eb0ec04e420b970e23bdb3307f194c1d09620dae9f84c1

SHA512
b040f234500f35ebd719db8d865ae08a2b59da9eb4110117effc0a2a82436f6218d88848291d12602ef73b1303f27ea5ed5b446e93c8328de059818978c4ac8d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f91d3d296cea7919574ba78f65654a4c

SHA1
690b7ba0701ba82fca2d441c225d8b27feb11293

SHA256
ba96c96ff0e801ef019719c49859d41fb449e82f86107ce65123ed4865d43673

SHA512
dcc03f2640f80fc238b18c018865c6c4f1680348d28c383dac98a51c1151a15f878035d792c2f72d752c8ed23ab2d4bf8813f79bf2fb86fbc2a2eb2707fd7cad

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
bc0c5d0d57dcb18fbc92e426895b8b03

SHA1
927a559f475490487c691233c4a845930c852a11

SHA256
42b06b541d6cb975a8ac8b70c24ce58c076b98ed69d5f6492f6929dcecdbd17e

SHA512
dfa25b6e6cfccd13cedc3544f4e53ec26f396f4036136adf80c441aacbc36dfa80d2cab8298fa322b4ff30fcc5fff69423a83f222ebca6c2663af3a1914f143f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
a15cb9693b2c85f441e4c25b2be88b3c

SHA1
98db5e0a348252fd88fe743bfb7c76e6ff9d4894

SHA256
9d7e2f39026f2406d70efbf137d3ef0febb3549316b741b7c38a2b4b5e33d0e1

SHA512
86103320297483bc973aa807f789f088283f9fee98eed41378ef71a7c3933ee8fe0121f19a581f5942c5ddbc05fdf7a6353b05afa9fee38f4e41e0963eec3134

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
be6d39963983f2d780a38bbcf2c4857d

SHA1
bd5ff9344f636d24b43dd62f7b12ccb1a896b554

SHA256
60ae23ee74bbac23051291b95c204c49b5f882dd1496c404d43631875f2e7262

SHA512
5370fb198882d6774e02a8498d8c1cc220c75ed5a584cf5217d4a3b1b3665a773dd0f4464b238597946cd0ce4e57cde7002218d90ea9dfcc9b1760326d98af61

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
3d906526fd88628124607c624aeaee90

SHA1
f61f6b5bdcc9ea0a92825283a0f9fa46cbd80079

SHA256
e614434050096b6ca46367a7bd998496ab8c120c690fc615cb126e3820743485

SHA512
6321ef50307f7dd12001297f1d545d94c7644890cc05c36cd9f989012b32f07b6b00dea6c36f69625d2f9681a7d7c51a3efbce6cee12af6d147174c4e326cd52

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b087a46be3a25a7d352c3ca02b9bcd2d

SHA1
0f15b58e4eab246694e0d2bd1f994593b8340e08

SHA256
061fc9214f330a1fd0ce88ffb6f6ab688936b0077929ad2258a8383480fc70c8

SHA512
94c5ee4eda416ffaef9a0a4ca9dca6da501b37eeafb7e922414aed9a76313bb92e8eb097286931365218268b96a50fa722405919ce60188785219de25e607202

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
26a9479aad33550a9447523576cd5b7c

SHA1
4624705f85228ca2d78ee3d17e3fcd3fe87ad45f

SHA256
3b5d93ebe1c5a06253bc07a35adaaff7123561b77ae76ea51c9989e0b1a4421c

SHA512
fac16f543a4bdbd0fe1e01bf0d7a7e37035683322f4b10050843ff83caffc99e91ee2d10616ff13414c80898639b02065e9939cd335c327bebe3532cfdfdfe00

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
f436307d1ab1b0c1dafb2c47b76e86e5

SHA1
f5ecebd0ab3158e146029f7a202e66c9f431e4ed

SHA256
af43f3260159f1b2048df3dcc545ba740c734341a18dddd0cc8d91d4316186fd

SHA512
599b1f07bdee7e73fafecda120efb6fef009096554a4c6698baa89f9ad3fef75121d53fd993ede46833e279cf8960f572b52168fde5b3591198e76101197c76f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
2d8708ebe3b354ff390cc649d03ad12f

SHA1
5a830dfcb226501a0feba1104b95c3e73f3a75a6

SHA256
a9d0c837b61122643ff9c27cad4addf48a7f2f10e3377fa66808858d0b3c4eb6

SHA512
69b2489fd2161053807e197624cb224eeb85dcafbdf96c2ae95225d52d57434ead078522a4fc378264a732a47aeedb059ed84673ad6e8451b216665cd7623f3a

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
5f47c1f01e36f7708798120b9c1746f3

SHA1
937acf4b4bd78f0900039292c7f0a38df6d1bd10

SHA256
9fb337e95a39cf7a3660aecd5d07a00253a55fcb30cb27db53970ff862eab028

SHA512
252ca5305d838a24017e617919a62705e1a6ca75e67e687214b3919a0596227971d1c842412bc4df79488e1f08d926bd46f7835b9745567441233166705b5bd4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
5bb5daf38a251cc9d252a6e86c181f9e

SHA1
4d8d1b8dc62f144204c26648cd504890ce13fe55

SHA256
1e3cbb615c093b94bcf3d214fcaa0ccb65ce7c1f6a03600b229ef7e4dee84091

SHA512
ce1bc2c8ff31f28b5bdd241e54d2cf4f47ac4e7676c35d4f5d7d6c032f4da011cac3ebbcc4c7b6340a6b7f57224cfe36100f6505958b0386c42d0348b6847a1c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
7c2506ccc62ecb3c469044ae27a10872

SHA1
3530c6c51bdb1dc2e239d501d854096ac74cb27d

SHA256
db32217eb06eca67a1f4b896ceb9a7c9519256e747601bd2a9f8e18868046e67

SHA512
a8ac885da6044a03ec5650e9b0be2e282eaaa74a23bbc59a9df86981278f46ec46b80f47844a4cc701186ee9926ac77d1734379a93ca29517d2f3281bf67cc77

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c6cbe00b0226bb3d4899e1e488677cc2

SHA1
ed02a0339c8d9c7bc2113921d33da3ed07d4dd47

SHA256
3dedeb35212296cebd3da191a1dc78cc1349200d34846918ba744c33f5becf9d

SHA512
fbef2b2000f2538e0077a7da4e85e3929dccbd81d478bd95afd6af8a888e88f96f720adaf0bb9955b8e5637b82f7b7a9089e679007a4d0bea0ffcceae1b17b26

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
2ae8e9b0c3cb3260947e43fcb2f3ca5e

SHA1
4837396970936de65a4b62cbc53f855d406f9fbe

SHA256
767167fad72b9a30a3e62107ac169c130afd8285a2d074f152f49d85cf0cb3e6

SHA512
afdf5134dc4711d32ed75811243e447b03e19e9e4fbdafc4304b4330d2e1bb6c5b8a78612865c9306bfdc11d5c75bc5ed35dc8f39e8efc1b57a791ad97a4467a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
db4fa61db41f8d8883fc72d62d16fa25

SHA1
24d80e44d7a0b24cbb64c9619297ffc822e3f7dc

SHA256
17829e17ae38973796b9399d053852e2a9e8e36d03c4fcb194f86768c195c698

SHA512
6bc948619b84b72607cae8550c7e5843b2cf6aee47d751d131a4c33d5f325445783b49677cbc4c4ae65d5e2a9742c35c1a60b200fb94555294b7c83996c7ee37

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
0ec49a98b7dc16a34431e095dc4d9799

SHA1
cbcab5fa404e72decd0f0f37e785ed32d37d2c42

SHA256
f080926a8295a0e77fd50b805bb3c41a153f84de6afb57bc23f4cde5eb425b68

SHA512
4eb53556b4a98d425b0ea971fa1fd6ebaa9b91579a717ee64c77945fa1a0b8de11be523400b30daa31d141e886de13e2bb59a1d164a77e6012b81bd53bdfbaf2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
032696f35c407382142b70556694da8a

SHA1
747ae5f4130ea5a1a42d3a0e58c761264f50aeda

SHA256
19e28267c042d4457bf6746189256491e8210f41660e752e74b0f0c8b2a0e62b

SHA512
cdc928819b25512602c53953ad6af203d41ab50f4d34c2b0e2131560e7cbf5c3d858782bffc8859b1938d9f59dc499a1daf4ea369787a03a0f846b3ee774ae09

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
db1549179714c26b7b243e41b9217f67

SHA1
a3a3e7fa6073897282fc12fb1dab70483843c43a

SHA256
2add39cd08f570025728d8070981cdc6e28fe02ad871278c52975f927c7e6d9c

SHA512
e7d3fc37654119df4ea92ab76c9e0a957bd9a09287bf467d5b6bd756cc435b45d03f2bb97d0c566b653eb740dc8cf193b5caefa6b5841568fe919fe4596d5b40

Download Submit
memory/32-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/32-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/64-551-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/64-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/432-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/432-619-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/432-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/684-56-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/684-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/684-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/876-452-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/876-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1312-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1312-98-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1312-2-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/1312-9-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/1312-513-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/1312-510-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1352-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1352-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1352-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1352-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1524-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1524-620-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1832-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1832-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1912-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1912-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2624-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2624-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2960-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2960-39-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/2960-45-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/2960-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2960-59-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/3128-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3356-616-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3356-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3472-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3472-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3472-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-80-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4024-85-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4024-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4024-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4024-74-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4196-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4196-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4196-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4196-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4344-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4344-622-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4452-625-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4576-621-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4936-626-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4960-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4960-89-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4988-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4988-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download