372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
Size

1.1MB
MD5

0f005e8816b7e6df233d5f9d4e4ae700
SHA1

7774a4687f25d9c82510a735c9420480d981ba7e
SHA256

372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94
SHA512

82cb173a5c2b70f1cf26ca0ab4388a44c4d52b6360fd7d5342c8d06638fa23ae0d7bfe9db728022028baf2a7c3647c2e5cae580bfcd9f9b0882708f238cc883f
SSDEEP

24576:9wyjcbxnxofN2w47maVe6FPiFrFjWHRlMugdD+JsRgZRJ4fM430Eg6nET7M/IiN:9wSQxnxc27KFiPM8xlMPdlR8v4UC0Egv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4696	alg.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
4144	fxssvc.exe
4112	elevation_service.exe
3080	elevation_service.exe
2252	maintenanceservice.exe
2388	msdtc.exe
1492	OSE.EXE
4140	PerceptionSimulationService.exe
2072	perfhost.exe
4456	locator.exe
468	SensorDataService.exe
1316	snmptrap.exe
4132	spectrum.exe
4708	ssh-agent.exe
3764	TieringEngineService.exe
3404	AgentService.exe
1392	vds.exe
3824	vssvc.exe
1328	wbengine.exe
2640	WmiApSrv.exe
2440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7e12c039c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\BlockGroup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000838bdae73cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b36dcae73cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000917ec0ad73cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043e1c2ad73cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009690f2ad73cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b354f7ad73cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000185b7bad73cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae92b4ad73cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe
5016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1944	372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
Token: SeAuditPrivilege	4144	fxssvc.exe
Token: SeRestorePrivilege	3764	TieringEngineService.exe
Token: SeManageVolumePrivilege	3764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3404	AgentService.exe
Token: SeBackupPrivilege	3824	vssvc.exe
Token: SeRestorePrivilege	3824	vssvc.exe
Token: SeAuditPrivilege	3824	vssvc.exe
Token: SeBackupPrivilege	1328	wbengine.exe
Token: SeRestorePrivilege	1328	wbengine.exe
Token: SeSecurityPrivilege	1328	wbengine.exe
Token: 33	2440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	5016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2440 wrote to memory of 4312	2440	SearchIndexer.exe	SearchProtocolHost.exe
PID 2440 wrote to memory of 4312	2440	SearchIndexer.exe	SearchProtocolHost.exe
PID 2440 wrote to memory of 4932	2440	SearchIndexer.exe	SearchFilterHost.exe
PID 2440 wrote to memory of 4932	2440	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\372fe1262c0b32aeb9ae38aed4493c34192af277ed8508f4c3af65051f0d3c94_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4132

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1484

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c8e940e6f10b37577ecba1e76691c931

SHA1
296783b0b450ab561b612ff30c118b60018b7d19

SHA256
a8a60d5ab2df518fc118866b065e9161589a182d76451b24d60a6fc121708ddb

SHA512
971ee5b7992580cbfeb25323743a8903e110c9518a822e8d0d5de0dfc65be2fc1b3c34cead7d9fc7560d653365e6e101986b9ee4b8891b53cc434eaf26354502

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
609f199dc25af95d8714540b47ca1b23

SHA1
e7087079eebc9aa6ea535e9e1b65564837471ed5

SHA256
eb835042922d3fda1d1e6fd93087dded0e5c95f38671bf4803a23683b0a216b8

SHA512
c6272fd4c40a57f8e8cbbb43a058576f9abf26fbcdcdafbfc82c815251447ccb4b37c2436743e393c8fed063ce8c2c9a67fa3106bb2c68965b7519fb925d3a22

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
e9751e72cae8301d265ab6c95b8be4e7

SHA1
a7889110cd9086e36ab862d456a224b5b1e470af

SHA256
9cc36a6a9fca9016a77f38e07b78c1e7c4c4184787456348ef8382eaee3fe389

SHA512
9efd4deda0dae849550835105035c6b61499e8f1127a4ce45ae6ab1c7fc392780fa10ea6545930016ea086a3bb696bd9b2f03766c2de04b2c5da5a92d7a22da3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
11a09479deecd3215ecc7d4e601eb8b3

SHA1
7f863a1946f927932630e9642807a0b8e6698499

SHA256
3c7af4cf0bc7c8496d7faf798f59975e5ab72dc50bdcecead16aec5c2dfee511

SHA512
75029f3ee717b83c36f63f5810dd7b5b2cd6a08e6733bd28436fc61ea3ad3efce9c9ed9a56bd679630488ed910de9162e9157f1221df6ce6b4b98a5ba9127a7a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5bddc204fa61689a84d97a7aeed786f3

SHA1
16ada846d2f9f3db1eceab5822a56e5b92354948

SHA256
f942ccac0a74308739631c9f9156af5d399430171244351522dbeabb0aab1b8e

SHA512
831c2a2a0f9273e7c1d4de0cf648258a70ec3cf5655a000b769dcd4dd8f0e94ae4970ff2ddd51660c77ac71865c69e46c969c92d0e05a2bff5fc29dfbd1d4966

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f00aeeb900f7f5dc54daa8c9b60c05cb

SHA1
763a07b3c926c07ed39ec4947fa2ed6d4e5db02e

SHA256
3adb7f10dee52b4184d489c1fe4f7bf7ef9fa180f5fd0ee8d1237e2b79534335

SHA512
be9eae69c0f6f8f6f11ae5b2f9ae1ea32e736d8d6c579084fcaced6fbbcebbbd31e47e90f5d9a7b9e4d3a693bfbc4ed151ebe4084460b26f07535e27b669e81b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8bfe13cba59379eedce9dc4e033cad0f

SHA1
2fee23d91c96291d5a130d476b3b5f2d8e2d742f

SHA256
d7b1fa77b03803b77057b6e2dc1dd29883472d5a3c7024a9713cb49d67082ac2

SHA512
690b17fc1472e923cd7d44c5a4f2ef933d2f3b77596f7d81e59027f22589a95a23595a7ad71f1a33d8ae0155095ded33df8b1d1bdd2f5a9ba86843eba07cea9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ab8c637200f03b06c996d84d294ec15f

SHA1
e6f7deef10d867099e1321cd9d130abbd41938bb

SHA256
319edae5f3d652c91b28a633f3e9e9922685b8642acde296eef6b23a5677af55

SHA512
e2211291286ff06ee9409bec3cc9a3d2273b548089c01bc53a38aa52c23768a37b0ba098b1d642ea949f7aa9148cb1405ec2490f37acfa71eb43b14a225a04d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
5c8b9a58d8c24523e876514167bc0d95

SHA1
96b0aefafeaadef525ad5e1c0f245f8a6c2bbae1

SHA256
6056080d175a566386b0d3c96b46cafff1ef0cbe74ae52b530ecf306af764bd2

SHA512
67ff85f012dee200abc111847e72add6f5ce03fb955a77bb21f4ec57bed1e112a2c8fddb598bd515418a22507a487a72e41bee7598d6e8685433b1ae4a2fb3e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
38257fdf5745ea068e4914228b3359de

SHA1
62c75e24dd0690693ccafeda437cd32cfee48698

SHA256
09062730df3699f4d35bc3fa1b8947cccc32e37c6c34f08993ade22e60e54b0f

SHA512
88930d90737a119a8f77fc6f8de29bc24d9a8b01eb11b002dc03a3a102bb5cf6825c057baf50af4a6873b5045b03bf83954ea4931c3c53d761b3d116f65b37c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8c7f51b60e56f4a937d3b42bf03abc3d

SHA1
5dcbe223216a1299e123ece750f0002e4aa24efb

SHA256
d654d0226c3e4edb65a30aaec40eebb086c6291d1d84a4701f4a79451f6bc6a2

SHA512
eb410105dfc40d776d2d0b8b0cd479827912f1cc5f9c36ba6a3270d04aef6b26328074aa8897999e9604c8d4c9f1b684993aa8083e34b66b537b1eab67129888

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f6451223db36d90f8ca23ba4c8001cf5

SHA1
9485b96e775e8601ae0a3acc766f89e892b2ac95

SHA256
4f2bdeffac55fad2d2ee8630e8938fd237fbc92c4188f2876079edf6c038da48

SHA512
26d3cdc8fc7d2d6ecf3de568c2744a6e05b540f19e515937ac7d434a12a7a3cacf1006f914c068b375977d676b5848e34af1caa055b8c15db6de308898b98b2a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
c0989b4f47f95a0c73fe2a81c09a2408

SHA1
cdcd9a1cc19ce78b10e1b1b6521c54e4b73e10db

SHA256
9db7bc8afcb0b92e68ea131909b58618d57a32483998bbb0cfb04bd52894938b

SHA512
2530ac85805e3ce10c6a6c1c9c1ef7290755d316d02f94e90b77c2ae6adf283f2c1214b3f229c3afbe9ab4cd6101a371ecb3e141adf89edc1c0dcfb1141e0747

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
86f071066303c5076b486bca465ca872

SHA1
92a9f632136f0eb7f0a859c62d49fb8cdec7263c

SHA256
21d0f45b0f9a29607416f08b607faeca937187a07dd78e9d23155f29464147f5

SHA512
753a9d5ebd60420473db9f6c6e9af279c13d147141f7807c70d2702d63388f1030b26083689ccdaa20cbaeefc4724f037e4e3acd1b3d32ce0eadc4dfe4e3aa00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
c6bdbe2d44bb12a90d4e1d1ae39914cd

SHA1
3e21ac9a98e872a7583a5889ab73dd3177bdb409

SHA256
5d035e814cb9291c48e8f30ff2f2b195bafef14f95aa59763ee2387c89ea77c5

SHA512
bcf198fa58a1b7b989667ff447fcfe6db3d4a9966c890c66e1a44d5e13b3cbf94ff660553627bdfd3b536fd1edc93906c55b2ceff56c60379a019b769317fa2d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
5f5b8f62039f3be314b9c03ac57dd48b

SHA1
234885722ad3f525a9e0edda7aae760b3d38402a

SHA256
b4275be11563c4279bde005005662aebbf429377ae9571e34b2d86706756e4dd

SHA512
311d8764b88fa209a6ee0908612d11ecd3a07e6850b6c85d27bb5fac405c788a948c9ceb1e6ad39db15e0a60b9fe50fe7d62531b5e2cdbcd37a8d99d26a7cf33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
075deb816744add7bd2de8dafd175258

SHA1
a18a53f81d9d550446468a4f915d8168781fcff9

SHA256
8d21ad11d86d942170a579728eedb6dc36f86069dea9072c1bde086200c0cc2e

SHA512
f4716d8b9178767956a5aa7431cd069fd17170d0f04e0ea741de12189510ad4d6ede0bd9ea3b1b63860bc7a81b210b5542c5da154f33fb3ca255f9ff0718c130

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
3a2ab679ac212e2845daf2fe415295c9

SHA1
f4dd592759c35210ae9fc009f2220e645e8eab4c

SHA256
750578f95b00a8a575dc33359fdeec4e4671fd4ea039ba1268c3769845c244c2

SHA512
4e4827f83c529a54ac5b7b189990d0e40ca29c9d88e249deb015d529459a30f100323c35b3b3da33356c8204ba20425fb8378a528a1fb002846a5d5ce54bbdc8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
de182c757a2f826813a2fe84d2da9943

SHA1
5147b07c4bb0770a0618f1d0992217f240982d71

SHA256
680b595248ec5fabf88d4a56099bb837123e5c6ba31524ff8697a84fe477e4d0

SHA512
2ac73f360aca83ccda4b4a6e651c3703b6e66070cce786db402f77cc12ccb2f179577562c9fb5db78c007561363fbeda0857e5d58ed81c3381042c4855b4fe4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
11a63e2614c93ed8ca07bf93e321466b

SHA1
c5b6f2e6819362f32307d18cf6e567b9a99a2b71

SHA256
8b7663b8ef91ed56b097de13870d7b2ca3161531cfff8a401b527ce75f113f6d

SHA512
d32b9ac58d56cfbe4e1f614f935dbf1a8ada32fcbaab69350ae855e580187c5d62e4424110fef034478eb586c10e175e50a4b0d067a7710a1c6bfe22525c17ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
bf0f2f46499402939cbbf912b13fe746

SHA1
340d1b690cc6b3ae369a1a4f3006dc6f5f54881e

SHA256
99219424c3283e4ff51b45db8c0a7b5fca9e6bbe2677b7ae3d2b69e496068944

SHA512
b9a8a349d2ed582c5cad77fd697cbe5e77314b26acce93479a07eb4b5c6f73b96c63cb532e775e8e336248fa3fcf178f6a323cce32934bc0f1149f1c7d8e5a90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b2c16d8590f2dd18c4febfb3bed8e369

SHA1
1b88e8809d69e8d2e8242a8b1954ec0791770628

SHA256
1d28f8bf97ef689f56ffdc6ea893f3ca47f3b010ca669a5f5e78f164d93de47b

SHA512
2bb3b5bae3bba6458ef529a495097b113f14afc484d560afe2249f665c914be50a3a49a24f76a39a72d0f49238db2cbc6288e8286fcdcaaf4fb0f674f8b2eb7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
c479aa44f1e54ea514fa877a60fad85a

SHA1
5ebc7172c8dc4201bc9352e26f8ec5eef543a2c0

SHA256
722e8ff6f060a33d6cd9023b39ba704626f2824f3dc69aa28e8130b3a06df52f

SHA512
023e08c03d65eac1551b0eb4081351a0797bfa75e3fb207163850cfd85d9e66685882dc8188d7724a5c2cd0cfc435587ecc0487851b2395fe874900b44aeb0cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
493f8cf27aef5f52b06e76eafc95e532

SHA1
45251d275179444a83c2100e0950bde3800c5997

SHA256
e52564b14f4f29c4c1c7d28ebb31615428f14b0adf4a8f2ad8267e923981ec88

SHA512
0f61ae3b62d6fb1afe4181c109d2da6830d014b249a3fdbd0beda22f7217db2d46af74cb3ce4b492ae296145ebea26c11c42a91d839fd8a3d33dda6200123107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
a256e6a3741b4f13dc404be13fc8b303

SHA1
989695fcfd70111c185e5030c3f1b497621e295d

SHA256
0d3257588fbfee2cf08701515b8b9bcc7313e346a0f00be87666fd8c0ef8e290

SHA512
bc721126ca7d56c6ab7a4f67721408047f8659bd965703db8f94874b22f2c040af75d4bc506a0e46ab761a4a27d0c523208e493245eb3f56ccdaacc9a2189a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1e9a67d9c2e894f0ee4347de7bd71704

SHA1
e61a9c75324e67929f807eee73735a68b4ab66f8

SHA256
92575ed60d882d68f11231db685f210e16651d58138895a1b367bd8a2b32f3ae

SHA512
c7260ed17b6657470b6632941d7339acb32b14e65b09c4bdc2ac5af7dd0a31d926d095ed0a565b47b92272cda297f87cd0e5739cf77b71211663d5185282a29e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
46dcaa30e6ef1b5d0a503c6289c772f8

SHA1
f4be8f87e7e5c5a586eb593ca6ab73e39a2f6ee8

SHA256
bb3c8c665926cdd1ad06cc7962658a22896aaf98140b3fd698a525b37ec41855

SHA512
ee6f1d0c49f5d7ffe9bdf6533096892df2087b664a3d06f0cac2f1201ea39ac77122cfdc814b927055f6d4045053456e086f9b83234593ccbfeea0baea228342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
a677147af7cf42b1a90a47519c67451a

SHA1
3bcc58f290134cb4fcdedf4709a7ee1d41b18df7

SHA256
0a065d59ff5b7e99e08a62f458a9981b85eaec8e89aa47ce93b05886927450e5

SHA512
a9ce322bbf335965f9ebfb22fa1fcc35b0021853bef66da33f66faf3205c3bab6dbb0fa7510c9c4374140d1a5c086509330d8be690c59ea64b501574df1e62dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
ef73fdab4a21999b175b54e9cce7a34a

SHA1
c59762fee0e13ee8ac646b576bb5ebe2693211b3

SHA256
61b9aaf698ebc32d0e95ea96bde38803c82edce41fa50570a961a822c218d0a8

SHA512
9f97a76e680a5d2dce76e8448792e8cfe6b08d1d11c7d94d2cfbfb5c8bf7fc5fdb4226266c691f77ecd1a8cba345ea744f8a526bf3ef6acb43d987a654445873

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
dd8ec7209ffd48909875dad7f2634679

SHA1
5ad21b760ce73bdc66397c35ba472ae5f5a75f66

SHA256
0fce712aac68942e98b78964bf23e1ea28fc29f8f07adf9a4e92069f88df0393

SHA512
c0c9911b513dcb02a223b0ad8450d32d9e489dc8c0ac649bc5651bdf7a97f8b475bc155f2308c74fd6e15215d16e5c6ac70ab282e9fdeadcb8f484c9a6d95bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
33ded8a568e102e724916f616a382774

SHA1
9181cfed5e424cb280758a5dd71c6e221c536f1f

SHA256
a79dfeaf4eadffb9397914d581c83cb1effa9c1f85b5baf4e6943fb823d4a6f3

SHA512
2282714eee7f146376bf7bcfdf67d479d1cb74740038b6c896f78a90869a500db75eac404f18f1a4cc3e54236045bfd817607a8eaacb6bd7147a7c25dfda884b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
7debe89762b57d7ab0798ca9bb01cabb

SHA1
6a9cd3f3cc37c22d8e51d04d62b0ea3f5b14144f

SHA256
1069be6549c2fd0c1f7fe909ca7e39f0e3ed71aa9d7a0f00b1f330c83c2a33a1

SHA512
8e30681a4b055062376da1fd074f7fc2ac689f273119fb6079ebfd68184023297dd53d61858fe8628c3d13eb0931889d51fcbdd2728b068053458512193b2b4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
fc06474d12bcef014dfdc87d09ae036a

SHA1
d22cf49c929a48b1027f77c31fdb67605317bf5b

SHA256
8a928dabf8edfce9a6684086237e2d727ef470765b70dd065c5a85e834768de9

SHA512
4360cb514a118e5352f2a9868671fa5b46187c16182f01371d58059fa04429b70dc0d91a66e6a133954481b7050ff8e4065fb3d7b6aec486c288dee15c881c1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
7bc402bd8f1a8e27f10c645c54d47c23

SHA1
df040017f3463ba7750ea103625d57aa999e02d5

SHA256
df6ca853b234846f6c4f418c95901cdda4c36948e6bff511aad93763db3f8b5d

SHA512
5ef65fb11544e10d44d3e3c4f29c1a47b58ca25d0ebc65bbc8d30d5833cd7601e461bbb571569cd5aac0ad0c97102f3ca41da358b2bf98b685fd38d327c31fdb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
e1e51a2a9ebf988b9d7ef92dc5ab241b

SHA1
1ee626056f0aafbdc9b5bd66d479abd80ae13ea5

SHA256
7b8f72f3066192578de1b9cb4a1df2c339741b3811d0051d250b3f76f6a72465

SHA512
fa6fe102ff354a1aef16e08b68fafd242e43ca4ae26e2ec86e6f6584485aee63c71f3b66cc7d513d6f94c01e75af4a05108464377687432c57931fce5ca25e7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
cabebae1bfeab444a99e6fd24d46f7e1

SHA1
38b9a624ed1c575598a823cef038f4cb649295e4

SHA256
fb16d603e45dbbac3e3403e2adc2f7726af442f2802c4d7b663c9327a00edbf5

SHA512
e336612c2bbe3627fd9c1ed3f71122d158fed508b240ee0d4039f22fd89288e714801c06f8646235521cbcb29af2b3b2b5ae1048be0f22bdea83044f02bd5c22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
fbe621160cd4e4957a4f45b4a30e5561

SHA1
062b9c2a0ee6a05c471f335f51844e6f4047b81f

SHA256
3d619f12eebaaeb8bb3b5f8356a1e318f4ffa9e2bd325dd17fc4c6b66ca722e5

SHA512
6fe5e17d672763c295a5eddf4d2ffc38f9c2f2d03f586ba906372988980ea6088d4d2ea76789e3ceff724d334cd1ffa7d2fe8891c51860d8a4303994b97c5aef

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
41e04cc7cde8cf21b64cc15f15f31200

SHA1
5f0ca886a48c610f189b20628c138e0448af4b72

SHA256
9501ab2974880264b6aa6ea755dc088375a47e53afd73b0adccd46616b873e9b

SHA512
451dc29bf49d9a8a0cdf683a54b6ccc075ecbcecacd0b7e0b568fbaf52d32af618a1d66bcc7a5b4285d56e9128e5431132405ee6972dde2b966c37fcd307be17

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
b94616910fef144b8b667cab6d652b20

SHA1
7a0badc38be583b21dd9e8cab62cd84c2e104e47

SHA256
6dff61d258ab9201a75bb1192003c7d8de869bfc13f2ee537e2421a8722d8654

SHA512
cf75122231a5be8d15f6090b9fe23b83ce46ad5d1e0ebb66f7a07d654ca0d69a09fb0b23ed4ba5e3f0c9445eb69f297682963681ae2cd7649a6d329cde583dab

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
76ec9ee6a758839a1a3357a90dc8da1a

SHA1
702675a35cdbdbaf4c63cdb105891ce051d3762c

SHA256
2505454ba6a426a145707c796f94c13f53c806ae6d4c4bb1bba282d4d35aa9ee

SHA512
0d9f223540b71df2ee2800902d6a47bb9afed8db3c383caa6a001105447975bc1482881e30bba174a02378aee9558a3b1be0a5d2cfb3bb99fb7df5fc63088841

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
27182ba017d1d77e328fe5fee69e1732

SHA1
b264f11d90512ece58f667736121a22064efc15c

SHA256
43eb7d8af93573b4ee2be96252c944f2051eb31d1c5bccbe24c723f8a4c6a970

SHA512
fbebf353fa35d511ce640a1aafee1783d4c57f23f30b3b6de43608bfcee05bfb73a4204bea6e74a3c9924df69231e213c4b8c6abe3cf2442bac72a856d872d65

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
0fc93d7871bff36a9d35fdcea102c0f0

SHA1
ab7ac2e6fd1c1a0cf93ffecc2bff6706c6bbcab5

SHA256
2f94bbe4ef008e49eb583fc784e3a2ba17a22ea01a8769b463ed840cad793959

SHA512
a66303503214a22d76ab320eec6f750e80405926470f205d21e9bc87b13ab824ba916b725dfd08a04d28a0689b7ef59ce1dd194b63e80c04ba3d3f9de10c083a

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4bb2a9a10079fb0e041e73df721c49d5

SHA1
1d12128e0913f04b6a54b39a34dd6a006ae92966

SHA256
a5eb1aeb67c162c9965d647fc385365392b980421176fc41251b105020aa646b

SHA512
abbc74fe2268fd073110cc5a0bce0a2a44f134cc0c60852efa379d093009e48b214a39c6fe813e826a7baff3c7957b25d5bf57ac85e6c2515e27d4a67f2dd8eb

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
7572ef1a23401527d8639a89806c6076

SHA1
f367113cadcd0a2536df804b67d134c175e054da

SHA256
04ecb284df1ea54a652f01d32d19c45077acca336966f83ecc3a046a3fc140c4

SHA512
5469c8ad879feabe3ba44c31d35ca89a2aa6f331ed7de4f3fb081a0f95fc2077100999f103dc8b93112c096d1ea1b0b22a6cbceb3fcc9967a60f256f3505b448

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
398c41f8f7cae42f3a1c1726223d6659

SHA1
b6826153be6f0527260fcc82ffe88f4330881dbd

SHA256
f454cb10581e708d2e8b39f56200ee15c864d5aa38124b0e719549ea35c456d7

SHA512
55622fd8b9f4f55b220c90519b1484df10305cc567b9b370b8c26f438251ad304d14643916b4f08e1b65f1e77ed2fdb469735487a5a6386e4a7c1bedd1e40bc7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
dff4c69fe4cca629fa73f61aab616b22

SHA1
c1c1f6d27467085709e5b30c03cefdfd096ca0b6

SHA256
d235218b17da069b8b31fe171c0b6ac6ac5b0124736c7decd85325f05e3be10d

SHA512
7b491754a271a4cef69e7869f72688b6112606f73650f37bdb07e8b8307b5cb2ff0c5cb99a4d34cc1c59cee22eb25528273b5a732fb60328c6d64d1ad1919be2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e0ffbe10301263cffe56d6897935f29e

SHA1
94d8b58d2efcda847d25233ae4115b27f736daaa

SHA256
0197acd6d0ecee19cc5acc0bd4d7bda2498f8fb3afc4d42ff3549f3442bcca5d

SHA512
4452f83cafe11272a1d56ef5f72fd01e76430d0f46164b47bed3cc71d8b864e3671044f4d721787128b5da43d2c6ec769be490239b4ec502b183b5e83dc4a70b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
61922884a208d10baf128dcfdff3a3b5

SHA1
1c2ccacedeb2e5506f96118093e0f359a57a639f

SHA256
c89c0fee65136e858d3b4aed9e5f1319760f5b3dd25d617e9328069a0fabea99

SHA512
946af6b055452dfb820eba6a93aaf663d5bf4daf78d1f6df46dba3b108d742006f6a15eaf705128549d60eb257b9e2fa7734b5987b7bfa506c470bd4be7c050e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0aa538da8211f4268870478a380a7d70

SHA1
6d05475e1417a1bc6ff06aefac075b45c1bcf971

SHA256
03b2b2aeb03df65dd1ecd99e071e4ed468f2f7162bd4661d09b57bb194de9a00

SHA512
a4a338dc47b5ca22210ab80354bde3d359385d4c476695a0611150512eb21c9d15a652b904c9393ad63af6f7759d7a8535067db954ec1459e682bed0099df31d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
72c7ae3ebbb20ee7ca131d2a6a024e3f

SHA1
4c7554e6d7bba74072d39136284a454c2ba0b4cd

SHA256
380203bb3d617844394ed2634e545fb708fd1c65ae29a8a4e8d8566bf69ff0c5

SHA512
24212eb0d2cd4ca65c6cdc731d27d375e5101878a33ce1f675073243a5d7e1cf167d83925f6406e4077fcc401f1ecd1e6a857e9b6cd92748fc7c8e696a50fc38

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
16e9b9ef28a6a11d46f1e27bdf369cca

SHA1
2644d7f255cb7d3b5e859e25b6e2b1f3a7966314

SHA256
5df722ddc0b660de93ea8780b93cef717c28a83ab570e0019f2ebfcf4b61343e

SHA512
f09facae70d1f2b34a02b69dc328ec7bb40c0d38081d286ca26ac53c17a48a974823575931c040bf7417b2001fbec2222998230f48604d5bdf7515394959caa9

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
e03d4dfb144a0b7a65468fb98f084ce0

SHA1
d20793d16b7d31b6b6ea212e9b8c00d7d80e2d8f

SHA256
8c1c9668440e6076b58cfab11ca47fab59bf0a5a23f2f4f3df036551d931ed5b

SHA512
38b95f1e8c0d8239bd73c25b4497973eca7768d6cf7ce25dcd00ec65c2c82c2bc176596b9ed06dee874b121fe12f517bbe067ec470d58fca14463c923be7baf2

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
441b6362cf47e08324dfbae2815883a6

SHA1
796cb4996dd4d5463adcf6e4c72f609eb629a515

SHA256
7696d6b37d639b8e8eeccb7f2e152933e20e4a7f1ee0ac45c23f1295c631ca75

SHA512
a322678ddbc4583fcd9d786a0ee267c11ef8790bc18b338ff8f523aeff21edd507ef19cd586bb0f8925815e803a27f7b0793624b7fa6fcb06ebd0f1f28755a4f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
7a2cca95d17d914aa58fd2f132591197

SHA1
37fd2994ce416778fa5d8e1671ed8bf115a5c8b2

SHA256
a03dd9fa2909e518c39c6e4af768a1f487be997cae55994187113b81298328db

SHA512
7912aac3596592a658dd23819853393d19c73beec27cda8b07b218a7d1321f1f2645934a75d7d3ed928a2d1354208b2c93cce99f461845f7ee56def6ffa9e637

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a43cea584f14641cddd2aac8b730e8d2

SHA1
a191b64fc490b7a053e173d6334258011c43fdd3

SHA256
e5f8b1f5f06f47893a2a77daecd3dc0787f296daa24275c19d3bc996fff9d4e1

SHA512
9fa00b4bc81f822282fa2995ef7cc1d8ed0ade5bd35c1bb8f3318cc8bdb18f467fee91ab67fc1a15d19c6b7ecc70aeb2dcf390c4c9b8a6a9594ae3b3a5c3426b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
89e6d1dbbfedfc3c9fa042b2048660eb

SHA1
5da2ddad35b1223789df26c7a40230d9344e5291

SHA256
3f78766946d926f55caa8888e703bc4a34e3f1c36ac26519574bff7ce5ad6b95

SHA512
73cbdbfde9fa2b0f98d4c5398fc15f3222594c007fc83a35ca5c2bd6fb03e67ca8cd6b8223e0f811df5f2d462e0d32a3f5ab6d3a3bcea683469b1feccb4b9b35

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7c2fdf7f0a594570d12c6a2feff0df0b

SHA1
b4d8a0070eee4ecb78adf337073c16eb855984a3

SHA256
609688dc05e6f258fcbfcb62708b66c86f2caa25d758de9c9477a9fd8de14526

SHA512
f042ef9d96676e697c5e9e32a224fbd639190eeb2bee1f95554e111de3a2c9e257766b80850e86874748552e7dc8fa9a8964cc2533a46a4b8bc784f17f3fc492

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6a1de467d486ef5b79c17db5e715c1cb

SHA1
eb38c23109a9dd1465d0fc201c417b9919948070

SHA256
2039d5c7de97022e72d3be7c74e59f48ff332d5d68de19e3fd6fe6ad082681f8

SHA512
7e55e17e66f385610bc4ae312a845ede7da3474b5a6fae6d05551e89bbef60d4d7cb87d1371a08c6158d7012e42e5a4e6250cf1528d583a733916feec46b5b02

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
daaa432aa8f7240e75e45151146a1046

SHA1
ecd7b11839ce128eeb056c10528d0dd1a096b25d

SHA256
83954e44eec5bcb9e06e99639c63ff54ae5e801f5189c019ae7ff65915073536

SHA512
9f9a5922ab028abcb9835dbb1db3c23c66203fa1aac4c80c38d840ac42bb31a5cebcbf0e07cbbaba6bbbfac22d4a224a16b39fabcd0879f694840ec5cf68971f

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
e2e0cafc2d269ffcb3bbcbf43b897e6b

SHA1
f6dd24b9a5e5e4ec40e9fe7987faae022718ca14

SHA256
2328d2767cbd6158e8588b92e1871352bff999382edecf91a1051f33d2f10c18

SHA512
1d1442118f9aee77e25015a43a9fbe1a784c98a78332b92fbe9ef2fbfc72ad4a5785f477c53c20eb452491f4861d63651bbbea840215f89ba995b4dcf0c9dbd9

Download Submit
memory/468-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/468-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1316-510-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1316-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1328-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1328-619-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1392-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1492-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1492-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1944-534-0x0000000030000000-0x0000000030135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-6-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/1944-1-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/1944-72-0x0000000030000000-0x0000000030135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-0-0x0000000030000000-0x0000000030135000-memory.dmp

Filesize
1.2MB

Download
memory/2072-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2072-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2252-80-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/2252-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2252-74-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/2252-84-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/2252-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2388-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2388-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2388-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2440-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2440-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-620-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2640-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3080-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3080-61-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3080-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3404-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3404-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3764-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3764-614-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3824-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3824-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4112-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4112-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4112-57-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4112-50-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4132-607-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4132-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4140-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4140-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4144-45-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4144-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4144-37-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4144-43-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4144-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4456-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4456-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4696-18-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4696-11-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4696-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4696-20-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4696-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4708-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4708-613-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5016-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5016-32-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5016-26-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/5016-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download