b09982f459ab37f10813274c4f6d4500c6cccf00d45f5d82de3bd8f8ded3c1a9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
Size

3.1MB
MD5

cadc97b40cacb5a00636a3b807d36380
SHA1

b84090d2ff717ffaf63038bfd84184f15d03573b
SHA256

b09982f459ab37f10813274c4f6d4500c6cccf00d45f5d82de3bd8f8ded3c1a9
SHA512

19a9307a48dc23c7a032f1884f400a9f6f280b4bdae8f1c6564c540cd359848ec39f2a46e830ee925c0abdf673c3186c0ba069e7e385905698d9b7b63a171562
SSDEEP

98304:kHgNDfXQ1veFPk5FaoCRrgGUDx3XvYCp3nyG:VDfgZeVmCJWl3Tp3n

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
3540	alg.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
932	fxssvc.exe
1380	elevation_service.exe
4996	elevation_service.exe
4060	maintenanceservice.exe
4816	msdtc.exe
2480	OSE.EXE
2364	PerceptionSimulationService.exe
1504	perfhost.exe
4368	locator.exe
4216	SensorDataService.exe
3488	snmptrap.exe
3100	spectrum.exe
2372	ssh-agent.exe
4988	TieringEngineService.exe
552	AgentService.exe
1280	vds.exe
3996	vssvc.exe
1968	wbengine.exe
856	WmiApSrv.exe
3396	SearchIndexer.exe
1464	VCREDI~1.EXE
2108	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
5324	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\10dec6b9e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57aa3a.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80ESP.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906101.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906116.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906132.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906101.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906069.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906163.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143905741.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906132.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
File created	C:\Windows\Installer\e57aa3a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906116.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906163.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905647.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905679.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906179.0\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906069.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905679.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.manifest	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A49F249F-0C91-497F-86DF-B2585E8E76B7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC1E.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905679.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905679.0\msvcm80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906116.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905647.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905679.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906069.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906132.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906163.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906179.0\8.0.50727.42.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143905679.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADB6.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905647.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80JPN.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905741.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.manifest	msiexec.exe
File created	C:\Windows\Installer\e57aa3e.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143905929.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80FRA.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143905647.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906101.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240514143906179.0	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143905929.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240514143906069.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4fe4c800ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2b9657f0ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000100a367f0ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0cf3a7f0ca6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0e1f3800ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8e5f07e0ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dabf57e0ca6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a200b7f0ca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\PackageCode = "FA1F9ADB128EB664EAA9BA3CE244C0B1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\Version = "134268455"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\ProductName = "Microsoft Visual C++ 2005 Redistributable"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F942F94A19C0F79468FD2B85E5E8677B\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 2b0078003f0076005d003500320070005d003f004400700030005300440043006c0021007b006300560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F942F94A19C0F79468FD2B85E5E8677B	msiexec.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2108	msiexec.exe
2108	msiexec.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
3544	DiagnosticsHub.StandardCollector.Service.exe
1380	elevation_service.exe
1380	elevation_service.exe
1380	elevation_service.exe
1380	elevation_service.exe
1380	elevation_service.exe
1380	elevation_service.exe
1380	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
Token: SeAuditPrivilege	932	fxssvc.exe
Token: SeRestorePrivilege	4988	TieringEngineService.exe
Token: SeManageVolumePrivilege	4988	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	552	AgentService.exe
Token: SeBackupPrivilege	3996	vssvc.exe
Token: SeRestorePrivilege	3996	vssvc.exe
Token: SeAuditPrivilege	3996	vssvc.exe
Token: SeBackupPrivilege	1968	wbengine.exe
Token: SeRestorePrivilege	1968	wbengine.exe
Token: SeSecurityPrivilege	1968	wbengine.exe
Token: 33	3396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3396	SearchIndexer.exe
Token: SeShutdownPrivilege	1300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1300	msiexec.exe
Token: SeSecurityPrivilege	2108	msiexec.exe
Token: SeCreateTokenPrivilege	1300	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1300	msiexec.exe
Token: SeLockMemoryPrivilege	1300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1300	msiexec.exe
Token: SeMachineAccountPrivilege	1300	msiexec.exe
Token: SeTcbPrivilege	1300	msiexec.exe
Token: SeSecurityPrivilege	1300	msiexec.exe
Token: SeTakeOwnershipPrivilege	1300	msiexec.exe
Token: SeLoadDriverPrivilege	1300	msiexec.exe
Token: SeSystemProfilePrivilege	1300	msiexec.exe
Token: SeSystemtimePrivilege	1300	msiexec.exe
Token: SeProfSingleProcessPrivilege	1300	msiexec.exe
Token: SeIncBasePriorityPrivilege	1300	msiexec.exe
Token: SeCreatePagefilePrivilege	1300	msiexec.exe
Token: SeCreatePermanentPrivilege	1300	msiexec.exe
Token: SeBackupPrivilege	1300	msiexec.exe
Token: SeRestorePrivilege	1300	msiexec.exe
Token: SeShutdownPrivilege	1300	msiexec.exe
Token: SeDebugPrivilege	1300	msiexec.exe
Token: SeAuditPrivilege	1300	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1300	msiexec.exe
Token: SeChangeNotifyPrivilege	1300	msiexec.exe
Token: SeRemoteShutdownPrivilege	1300	msiexec.exe
Token: SeUndockPrivilege	1300	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1300	msiexec.exe
1300	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 5032	3396	SearchIndexer.exe	114
PID 3396 wrote to memory of 5032	3396	SearchIndexer.exe	114
PID 3396 wrote to memory of 1040	3396	SearchIndexer.exe	115
PID 3396 wrote to memory of 1040	3396	SearchIndexer.exe	115
PID 224 wrote to memory of 1464	224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe	118
PID 224 wrote to memory of 1464	224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe	118
PID 224 wrote to memory of 1464	224	cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe	118
PID 1464 wrote to memory of 1300	1464	VCREDI~1.EXE	119
PID 1464 wrote to memory of 1300	1464	VCREDI~1.EXE	119
PID 1464 wrote to memory of 1300	1464	VCREDI~1.EXE	119
PID 2108 wrote to memory of 6084	2108	msiexec.exe	129
PID 2108 wrote to memory of 6084	2108	msiexec.exe	129
PID 2108 wrote to memory of 5324	2108	msiexec.exe	131
PID 2108 wrote to memory of 5324	2108	msiexec.exe	131
PID 2108 wrote to memory of 5324	2108	msiexec.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cadc97b40cacb5a00636a3b807d36380_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4816

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A1CCBA3DC7C7B2821A5CDFAFAE68864
  2⤵
  - Loads dropped DLL
  PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57aa3d.rbs

Filesize
27KB

MD5
750a83e99327f5bd7bca76dc560c59cc

SHA1
2630f6c5a361d375789344fa90e1a893c065d05c

SHA256
2a49d74b92d8bd95127482aa6ba821f4bfa0b0f52af6713e718c470d6623ee73

SHA512
d787b06f900e95bebdc8ebd982c7744a6ba7b25dd919e01ca349e567f2824618e8c4aa4f22bb26dfc633ba9c111ba77d2205da5bfa06974f0479f529641aea8a

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b14c9de00b0094aab71675f146de67b7

SHA1
eea66caad61af2e70174f40d59b6d52549a0f89a

SHA256
7cc4a9cfe30f0b97461549e43bff79b5c1f3c98463e33375cdc7c8eee5a35ab7

SHA512
431bf1a651c56e9a995bcc4dfe4ab329e3d7a44b7f394bf12dc72023b720643db2c9962cdbdfa6e9c9ab67c90f45607559d52b08ea1351da88111156fd771e72

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6a35a143b3d338b0d0312332cf721916

SHA1
ea86cb4eef840c18c2c583eeb0f9a1aaef5e2388

SHA256
c8fa1b831349a542a1e91a7831d67a17f2ecf3c60ddfdc7e31dbdfbc205b45a7

SHA512
c9960cfd234c6a6ee47a3eba85800abc4cf5af140bde641d0bee1d065735328fd8726291c7ffbe6a78fc43f3c06d1c62f124163503145b6f648d1c30106a8866

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
096dac106580bf9af58b963e6ead0504

SHA1
485fd5c5095b539289820b4e1373c49ae32b756a

SHA256
f8b3b94feca90bfba2714b302f47ce76412c910de0252ec851f94c5cfce44429

SHA512
67bacdfa2109244a13a9164b8f4f7a7f4de2ef93b4d3c535c7a2f9eecdab8961a2551351541035d8b809f76e54677a4796b8fd3e2ce76454ffe13e112e77b802

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
15fecbb8e6a3e0df84f46b5537b7f3ab

SHA1
e30d790f089b92dee341a1ab0540a49244358acb

SHA256
aeb6663df08fccee9bb6fd374e559a73befba5832add485db91f3eba605204b3

SHA512
e80680743193b26e62a3f6d382373612168773949e3e79fab030926fbd654b7dde0b26971b76b2e596223bf47512dffd0c9c73ec35565003ef0b0257a59cff94

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa89cd69684d476366849974d0ad4acf

SHA1
221b379e923566162c2b78585223d8237b9bc316

SHA256
53cd303d450cf4137c25b830a14710167ed8c0a30c561c4fa1f5eb385d21081b

SHA512
ba28a47b7b2961b1f35c11b9db5ce41c12824ab323fabcdefdae6bc52f59dce9563addc703538fd863f12a97678b1f329d9ba73ed44ba05f09d80920cf1e00c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7c13bb974c7f016c0c25e8cc4956a92e

SHA1
47e00c2f811283fca039813798f06c7053fc0583

SHA256
af74ef4528bc67eeee3c19c6541dfc16ef9835e4c877325dcddf454a712decd6

SHA512
83cf7b17e9f6e03b9c31a1c94c87949ae31967a2da1a8be270fe7e670dbb6c73d22f7b30c2668b1238d91cf14c6a9c2b4d9c86f9d11f5618567e61b380555af8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4760cf8ad8c4858fbbe32d1f03402636

SHA1
adca2bb5502b0d65ff821e38eccd91ab3bcf973e

SHA256
e60ccf5f7b34de83b209735960eb6e3ea51b0e5f076695c34ace94a57922c799

SHA512
8bf996047b7aad775c8465dd28a01bf8166c5d72d57ceb8f7860bd0b761ee8d85d0b90a74a8baea4d9483bf60a587528fee99feceb57679c6c8f02c92a860221

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
41ddc24c7b0e055c7522c0bf266e1ed6

SHA1
bf89f4b85fa3fd1bd7a3e269ef2e5537f797ac1d

SHA256
e06de40e07fff7b257af0b0c1c815b3d43c74a98b391aea1646216fea6a13915

SHA512
c372febcf3ada7f4b8ac167b81b10659ce812243a09567d406b9fa2fafd4e34cb0dbf81f459044c40d7a1f1d2d56244351b5e2df38ab7c192a9dd2d5dce5a253

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f9c750e4beb8e98576f6216149981055

SHA1
b4fa5d13b5615162e50aa81884c73a1cd9b53bc5

SHA256
499f2b0cadff31ed30fd2a5de0d6b94e945e1b3a3923cb3e08cd38683a127376

SHA512
f4040aebed05f71969db93dd403a367d148d8db7d75f8f444fc967e0af6a6a1dfaa25d6555e1d6b6be3a2f330a4abb631ee32f58396c544dea33eabb71a9d4f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d926b7ea33e25eab6a27bfd5870b7096

SHA1
1a65deba7886d74a15aa15c4fb039ea8ef9852f5

SHA256
65b8003604b7333d6cc1c260de19df16d109e98c5b45c8cb2a249ec75455dce3

SHA512
7382f9881c64f9e88daf540137de49c1d00151fed5c2e2afdd471b0d9d254b01e0ef04cf74a00b40cb0b7d71cd61855ff6cec282e9915266e1bb4ed0d523af33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34e8724651edeb75e7ace4c4c3de3519

SHA1
a41a19829e2f43398662eee41a5f710f39d340e6

SHA256
964de8fbd2e2e4ed8626b0fd7b070febea8c20d1e696dcea19351080dd3ca366

SHA512
61c09661d753c0774394aace5b0b6fc62f6a8e1f6dba261823b8fbcab8a2f551b43c9568ac4629d37f2f5eeda6d409f12aaaa362d4740b161f4a2b774902685f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3c556fbf755998fdb579ff56f1e76088

SHA1
52321c47daebcec2cdec18cc20b0c8c74ae21540

SHA256
ae7d20fcf232a070315b6e4194d66ef8707cf8009eafe8b012dd58d756155b2c

SHA512
83b313bef10876d7348599fb743dd60764b938295c7577f608c48b1618925c89c5490cd096be8838671c0560864f0396d885362b142f063aeb15ffe23744701b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9d07e0d88306556fd183699c7138a382

SHA1
b5459471f8e75d0ba6ffb130b7f2f2e3e994676c

SHA256
6ce979629250870f9721c3a58f7905a1e88046c19ca874d28f5b566ecaa42077

SHA512
6cb05ff6aecb79cda0b38c47c07020e03af9dbac9489abdd03f854156cba6af20d2477d36183236afcca4340a898f0fdeb18fdb46a5ca01e6b62787c52de6275

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
838cfeccdeb4c3f889bea6e324436d3b

SHA1
26d070d2197b4f2ff097887c15eb563d2f309102

SHA256
1aa1e02ed0b2b82232b23689ab880785f9e67872c4266fb9df903c2205d7d64b

SHA512
ea9005753ad6b493b3ebb1f7a22b6316b2ffa40a95a250138db07eda7c461b59ea5719a273c09cf007326233b94fd7f72a67f9dc60af700b700bfd0510cff21b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9227323af69ff0a1f1d3fbdc8c7863dc

SHA1
f5aa8bffb7cdcefdef29f34a00e47edb86f47a32

SHA256
061d75375619d2c10d02e8cfa97f212ef686c689f52b73f24ab5e229a5585ecb

SHA512
ff9713049ca8afda0c31230e129f4bf75416b3257fb975b3ebde2b2481807d16dbeb07478ffcee103ccd27899e028ec7a1ed3a5c2e2178e703b45cfc62341d70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
69fcb6bbaf36324b3d507c82c76d37b4

SHA1
3fd978e6c3e958780d4ed73ca3a1dc439badafd6

SHA256
5d8d3182f92456d5b06a326fafb5086aeffa481b6248a29ae77cb8667a1a5258

SHA512
f4c502510a5986ae598c5d85eb8216d7b237a242f8a338f656a660a6da3ea868b9572c8e3f08c7894897614400876084dbdb9a10a54a68ebcf6e7e385ae7c21f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
21e221d871b43bd12f80bd6bb1e56583

SHA1
c54c7e614576e2305842a7a3a31afe3b4f562820

SHA256
730768d75617c33fc5f330ef6abc843285305f0a1710b24dd2b26129bd0825f7

SHA512
2abc273a7cd7ebceb862eb4361dc84edfcbbce8ee72cc632c26b69e84ccd3632a089620800d1b5a79513ac8edd930ef2a4e5504a1a3a09206330e0602e582ec9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b9c56d068679e3076fc7efd547e849f5

SHA1
e2b611814ab5533195ec4deee01ea911e3951961

SHA256
9fa9db63f129971e7aad13246ca38852b045d8a228530ac339b811b519170a03

SHA512
a8ea4382f064eb0354a660841322521a296cd3cc7f3877345f4e8e3b325d310cb88400b38c25e8cd60f9b69a1ef8c801b65a31cb66f8b690b58c02457cced095

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d279c6250c048be7d0770cb45301d084

SHA1
9049794e32111bbba9a5f9bae00c43cae8629d54

SHA256
c33d749bf27eeca9e052b8ea9f92adca64bcc7ce1aede7f03ff6df250d81a2db

SHA512
6283cde37f50766239e27bb12e71ffd0de4595ed2182e49cbe3e53fbf7121b2d39b0844ab6d0bf1eba085c6babd2c260c818b312d3bc76e59acf8067ac413e2d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b07578c39b8fb02a71211d894c6703eb

SHA1
7fe6564d726347b043d39eed122de63bbe8cce9b

SHA256
651df2c89d979c21fce35fbe065079f360fcfe5877ea3047f9225fde7662afb9

SHA512
01d8b2bfa97d73c83d6fb6fc8d6208b7c5495fefce60d8189146782ccb350b635482cd5168e983062be0e37f58ce78ac67d91670e4ccffaf1e3fa074a512414b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
26ff828bdb5a9fd72174ad9c729995cf

SHA1
955241c14b9b898e1c51aa97b2a24e008cba2b3a

SHA256
772a7886a39ae4c7080bcd9862055d88448d97ab7bb56821a6a7948b89984c11

SHA512
fdaf5550e49f4ca1775d8c87026e92970c64242ca6c75b7619ce2dae8e609c02b4eb3239f76954b97145fcea8094c0d141ecdbab693637813dd0ced46ca387e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b661fe8b0dc68d78294bd53d7a793983

SHA1
9945621f1d8d4545607a1846f4104ee53d51b18c

SHA256
b1dea9dd64310baab783cd613fb2767dd50e3477c8e123a6c1b0957dd08b9db9

SHA512
a5842a0284272ff7747f51b9e34fc040399bb253e26c63e3fd1e6f83669131e2c1a3f0a2ceedafcfad3ff282eb928e5a16666199ad659d92ebc34e97650859b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d11a9f3bc02512b849cf3086f0fe6c96

SHA1
f19b5600deb463b6a05c81e54f5670b64843e60b

SHA256
74625bf1f0502a21378b8001a97aed065bdcce5168004f4cdae9fbaa28bc9bd2

SHA512
1155d42138d1516a539f14341c06a1095bf9e614d1e7547330fc930fe92c2e2840b25c11872e6b371cac2d963c51d96fc795cff3756206c5d343bc01ee3b26ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d00589baf240e7dbe8415490e5bdab3e

SHA1
19e190e01182f3b179442a9291541b8f7375ede9

SHA256
7281786f2d6e0d49d496e633982f2e5e73be70fc7c6cc580b84017dd075e630d

SHA512
8bb34652f097a6658306fd8d45eee6d9fc4ec2381fbdf5a67e5a8d424982dcad8d296675b6608208670c02368d40c142698147fc1dcc5530df88ab664cc8bf7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cf78b8f719eebac3cb748b8733661790

SHA1
7f2b14813f841a955b433712e032b04b7d725169

SHA256
7178923a095e8bf2d8a6e4755445cc8df68718c1cc8c98eaa96079d3e36e3d7d

SHA512
ec518abfcdf10eebe2d7abe2755ce8236ba4e37837f4c22a1df731bfd4661584233e17aff873385c41615f3544433f46251717c6cb9ad7808be9b298e1127b93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4e459b53130ad6fc14f798a8651256ad

SHA1
db4a7ad0f8ca80003cbfac3ddf4f19ecd1dc1ca9

SHA256
4d0c4a22c34b82d8e55b6509015e0db664f65b68434f2b261ef533f833633215

SHA512
03bf9a76e6a2995222af1a7f4d99ef6640e57a5e693a390e238697529092fb305895ff3e106cd6663f8adcbf3b398ac1e41370545dffa419504be1659df5c94d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
dab354dae1b84a2e91a2e1b3879573dc

SHA1
b2c090598a96b841ab944ef37c3c9ac5fe7ae705

SHA256
4047593e3af3e2d9d591e7f0019a27e0c7c3b80e16db7ca0e5209c95e88437db

SHA512
4a879b7495435e193520c69742ca7d5f2321ca221bc0087207a656b115943144ff7eeae6e2f66bbdaf308bda28b5d8b642badda66e350c7992ed788c79d57082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0cd4cbf8306964e940a9954fffd1db3c

SHA1
b25f8fe17fb34015d19fd059e24c261257a5d4b3

SHA256
afb7ca90304ba84d85f7e7074c993856cb324a1a5d4a8dc32d4a7c8b49562bb1

SHA512
b3f550727dbe12fa3c4ee25844d642df16ee7a83e5a6476d30045ac0d7c8273e30979db7f5333579c0e5af6165401dccef752c6d5858254c8701c655533a5055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2a7959d07beba6296ab5d94928337824

SHA1
c8c27c764a697afb3a87ae7e60c01609eb286fac

SHA256
379ca9178567b1e7e1c6e30da99af4d16a739d775de5a829995a835a495e6ed2

SHA512
850150a40b3fbd25e3b6e3a33bf01c88f955f7cc716d39f6da47ca8cb7222f08909e54fb67ade9daafff950e0237652b1261a11f23ce8829ffe2a8d2ac169be0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
84c415d59b2255b8bc967bf4d0a581d6

SHA1
a231ea74c5e8ffd7cf535f1438aee23ebf47373c

SHA256
535e55c0a1ef0f225a9413323f1f09e8a69c51657c8a4aba6739734e295c0ad7

SHA512
1a5d9a1dd26e71ec75c4d9fd19b489f103d243910fa2aae6b43c77e6185ab6d7c47159276932a2a03f3178135c82a08db12a858f2dcd4205e62f1fb6e15ad2f7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f8b17b0493dc01c5dd5610117e7598ca

SHA1
9bee0e39cbefa9b509acf7d15e70a4f6214776cf

SHA256
7b64b60876616988693e1d51601098a9710d5b634b1ee348313f8a56e348dbce

SHA512
29d139743ad8ffe5d35ac07da867db5db9cf55c0f97870238ca5bf0bd328d7c266473840068d4ddef244813ab565d0a934b4f63eaab475ef00fc684e61bbc6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE

Filesize
2.5MB

MD5
f031c0d2b460209b47b91c46a3d202fe

SHA1
95040f80b0d203e1abaec4e06e0ec0e01c507d03

SHA256
492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b

SHA512
18840649d19c5310d274bac69010514872a554bb5ecadb4af5fa3667ad1a6bf9d644b31393edbc1b60ace6eff907c79c078f8213948cf90fa4d1529c68ccc629

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

Filesize
245KB

MD5
00d3bf1c1e82eee48fdf3361dd860e19

SHA1
b2f45cd2791ce178b45b06a95e7f58f298512d6d

SHA256
f2ce7873a39f7f8a2a2cd888a6b2f0a25f62bb3c475ee73cfe54988982ef65de

SHA512
cf5c06c4052b103d0a339d5535db2d8a9f069e928ee8c985f03e321b7e1977ff2f2200ad15671d6e93b9c706bea7586cd3df11fdbaaaf8c63a0ea4291431bca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

Filesize
2.4MB

MD5
b31b234cb0f534069ba32aaaeacd7b2d

SHA1
d6f90459f8bdbf7e75cc85affe9b137dc5e304e2

SHA256
b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0

SHA512
138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea

Download Submit
C:\Windows\Installer\MSIAC1E.tmp

Filesize
24KB

MD5
7bfa56d222ecc4267e10c01462c6d0d9

SHA1
9b3236a45673ff3bb89df3e690784b673ae02038

SHA256
6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6

SHA512
10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
185e037fa9f4e21becf107262d5c287b

SHA1
9e574c8fa164ca41f6a46d5b95c884d50cbee60c

SHA256
981f3de5edc96b26471c7ec383861cdf427c47c1520c5e5c063fe5b96c1e998a

SHA512
986de740b41c9e7a946d08bb5495689700b30cc3b6458ab5932b3c3b137606d9cfab833beee134e8f1aab49b86b396ca0b843b5a783b1e8dde88dc3e41b0fc6a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f070328490730f5ac5bf827fa1515dae

SHA1
3b3abe58374207f37c77f356c200fa08c8a068a4

SHA256
3b4f48df4e0e4cd901f2fe73bd1ec49d9f8406fbe98fbb9b2c8cb530f11f8ff3

SHA512
706f83bfe85c4c0fa8fd47a0db89a696395358a256bf601df81749e8ab8e30dc6b0cf24b31f312e65e2ded2f8ecc5e13e833a98de70efd3d3973d95c581f5500

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4b08c54e457924dfe3dc00212f135014

SHA1
5147f6b889bd931c98904929d12213931088997d

SHA256
aa6f9a62b5ba3b7cf37a1000128ddd0ff9a23eb910acad5dffff95b65e14b4d3

SHA512
0cae52934d007b858f828fe6e03488484d09daa445bd10ff0bc432dbec5a8a28b0319fdb8bd147cfbf5b8a20d5a9f7b96a7a621b2f3b3c846fb0d919675fbcd2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7407474e50d6e19b3499eacb16bdb8ac

SHA1
8079c658b3b2d69e0fb40b8e1ccf8b52b5741de1

SHA256
58a41a7cf1b44fe8eced454329e59769f72f661f8ea3e76996dd7ba2f7ad6eb4

SHA512
58dfad00b00e376c72962f44eabf3cac29596a484b1332cf6a7a3b784163a9fe0463876114f9777500d55281b87a5165fa4a342ab57f9102a17a9d7306a7d0d1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cdca65e89edb2affd65aab73edc0aed9

SHA1
58deab66cf323852c45936dbe84c3430f338cbfc

SHA256
725ed3461d087ee631945b643056055b9ecbc34b6c86dda867edffb72c0c1f12

SHA512
76e692a03649baf588b4e522d9c05e35cdf68ac48eca8176788ec349216c82a290f712001f064d792a52ad3c13367ac20fadc6573b5daa31df5f8e736ddf3add

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
18be75689009aae0e6712b9e4ff4c06f

SHA1
423e646938e6c58c4b2a38f31f4042f9eefaec61

SHA256
6d9aab64bb5aeed40ba0b259b515613c26c8e9a575dae5e6f29848601359ad50

SHA512
5733b0e118c524c152023f72ba0fa97d67c04e7dd5e7ad7dbfe7c81bf1e4876629b12e5aed16641a5a7cdd7a224a4f31eaf193d56532ae0da176baa1dc76fefa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ed46a831bfc75ca7345955daeb0bcb1e

SHA1
bca750d8d89d95372a45db2818be1f8e0ce7a0b7

SHA256
10c03402672f246a403e4b6ae841c84b051dc30e82e4e404775193e6134febe0

SHA512
ec301aa7153c76f0239c5eb6765e775880c8faedf7b1a2589af8e9b87c08d07b3c4c167b6d1fa56ca5af1ee0c9ff231c0f6317edd28286ae2ce42896c282a8f7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe1e8797ec0eef258ba49ee88fe3fe03

SHA1
0d4cb87f315a4c746664d38436790c93d0d769a4

SHA256
46010fa87deb4d9b90af2586dc9aee0be660c1357838418bdfd13643a2765022

SHA512
084b391b004f4f7cddd0652ec6e05fda7c474e27bbc02e7d3ca67bcd8506dc9d7a95f60359305905230090c08135a6962bf74caa77ad5ea4a71cc46575f00901

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c395ba93f3fe9d02179dccc17b8782b4

SHA1
e357784f0324308a7a777582f4778d4f695e62a1

SHA256
123f50a3b55101fe23dae0f505d2d91413fa09a9c27c62c2682dad6f35fe6cb7

SHA512
78922d1c3e10cb5bbdf3abb737e247b4898e3e9bf3731733ce7faab9d28fcee647625f4288d2e55b65255ba88f5529d8c695e0835a2aeffc33859a953bd537e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
50952cf6d334bd25ceecf4925a2a9557

SHA1
2ecaa6eac1b7813ac382e04a93aa61d190b51beb

SHA256
bc315f2e67ef58c1269459c7f52bb31207bbf9cf3bf1ebdd33cb4c34b28f6ded

SHA512
1709866123f41a7c5ec2eeddb30b775ff3c86f754d16ae9224fb0f1dccaf8f81d27e4eb003979b4254c70de9aee58d22c14a23ee23255b1e31f65cd0f05f7820

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3a07c4c6c036a599c1428b933f8fecb1

SHA1
ae9fff5e22357622871775cb90b328c0ffda1e9f

SHA256
f7f8edb4818ac8b290833853c8b9f9423cea40fe82dd17e1cae71652a6aec6ed

SHA512
368091d938a0e5581678be55844bd8bb781d78a8ecb6ae3aa445ada37b59946d70e65c0143f6a4cd576667106712ca9587b46a7dbd3e8b2fdb7c833ddc1687b9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
235f232d648b69c964e22f750977a605

SHA1
76031d67650743359368f3c30e983627dc202a2b

SHA256
a376a5077f6f0d6a557369c581a5e593545108d14871cf98dd2a0835a07ef062

SHA512
abfe66fce317c0833c7fe34d0f4ea3ea44e6359faea7501e9f9c203a3c0ddc22cce37fa7412c78b38a8c3c327e1a8b2ffda21a9f7c1155dffa61828389df1815

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f25bb894ac356e17095c59b436be114b

SHA1
5a29dca362e9467723b546926f3a5a2484621c65

SHA256
6a0c761bf8c3cf669774c45157ae67bcf7aec492a637d0cea00ab3825ca1b69b

SHA512
d6f8fa0d2504111647fb0817f54104ab1872beb87c4eea10e4e21b87233757eb410eb8759dc62101d93ed21b2e38b7d11771e3bb42bd82a164d2d9de78bbace3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7596851d8f39488ae33b0d557cdb6488

SHA1
a55f3a2d2fe574122993a71a44ac1143cdf8c788

SHA256
376b3759dd2a2a8e215500a91a538870f21e4a8dcf3683d9533fcd5f9083a624

SHA512
1995634299f350b1f0ed78714653d182eeee8cf6d8ad757579fc0cf44e3930499815e627266b9b1e0239c3bf5b2e05fc59c4350cbd145cf7409997d0980e99f0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6a090e1d85f2b1a4f0dad5abee048fbb

SHA1
e19430ebf60395601dd72ff171285fed897ee351

SHA256
4783e72bc7bece6a4d2fea4c329b0538c6086c5c820525fae006a75797c8ada2

SHA512
a603a93195c6cecd492b218a2a6cddacda47fcde461938d25bfa6ec91b192da3478aa4935c876dfb5f90c735161a4fa614387b671ccbf65e18132684d3334988

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a6611fbe0be20906ff3fc44594bf3941

SHA1
e21aa51147ee2ad358eaeb7db434371b47fffa91

SHA256
12f8cb67e7db07ecd30fca843a6ae14160dbb966f89e1d703dd710aa49ec417c

SHA512
185bdc2068aad08715cd2f96b9972455ab8fcb5c123ff9fdd2d026bb370e9fe76ab8180160504593fdc0d83c8ae74190298056ee9ec118534fa0377c1e4af494

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
df6e63cc68f634d9ab6dae683f186dfb

SHA1
40cbf648892a7f09ad07585b2751550685bfec6e

SHA256
9a8d55ec283d25c6689f2b7b8636f0dfb8986916a08236dc50e2ecf54d2e7297

SHA512
3cf7f97d35f64408b2f18421466022922421110ae7de88bcf458e076d624a38310d929e788e81f27823b2dab54f1ade2fe47fc75ea896fb60d813cf44272b6a4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3698a0694c26b53f17ea8b0f54c057c5

SHA1
1c381b9c92d53a7e24b8e78ad24cea2237b26c62

SHA256
25d6adb32006cca1a7be2d0293cc5f35df4d3ac567dc520461d684eca7d595f7

SHA512
5335e90e11b29fe526bb88523baae690cd056c1be1f253cd2523ed36dabfb8dfc3e80d76d5c1bd80c94c1d86bc80c5569e781bc3f57fcd6302c791beff96ae41

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
583ceb912bc14c5a3cf5c56d5aa2264a

SHA1
1293953786bbd4593a520fe34aa6f359d6f277f3

SHA256
0dac6fbf192f631be797ac70f6b3c922fd49a87380dee8428057c56db267646b

SHA512
ded474ec42da32d720e88d27c02af565812a79e517ceacaea36867d7d87f79e019903901df0987a3028c4c7fe3e7af0008b9510fc4f1ce61aea05b42e1ed75b4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
cab330ac81a7e760d3831d5520343417

SHA1
2db80d3fe50508c98adcd629394e7b8d09985825

SHA256
3fff00040d939cca9f4fafdd9182c987aaaf63ab06efce1bcdcf926eb1c640b4

SHA512
2369a4cbd721340f23a4c1d80bb96961ce71c889c74f6e34dbcad6f7165b948ad97d8b6d281101603f96cd9b1a28573de378d37204b44bbb02a3364f65af9d78

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
daaffb3fa8a6b48f52b17bfcfc72e398

SHA1
4e55c927fccd0ff2d5cf725639ff595b4838387b

SHA256
998b49001743a9f4bede63e0dad138e59e493522144e694727d881ee0e673ba5

SHA512
b936b0164aba34938205580b462c09f5e7347b54d4b9e37685698bb4837dfc8420cc578c0dec448bf8ed307d664968af88829479fdfdbb2a23fad6744e07d7af

Download Submit
memory/224-0-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/224-98-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/224-1-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/224-6-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/224-506-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download
memory/552-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/856-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/856-445-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/932-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1280-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1280-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1380-30-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1380-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1380-36-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1380-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1504-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1504-105-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1504-104-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1504-99-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/1968-448-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1968-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2108-338-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/2108-535-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/2364-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2364-94-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2364-88-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2364-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2372-381-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2372-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2480-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2480-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2480-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2480-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-377-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3100-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3396-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3396-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3488-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3488-372-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3540-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3540-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3544-23-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3544-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3544-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3544-15-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3544-22-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3996-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3996-390-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4060-65-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4060-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4060-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4060-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4060-54-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4216-376-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4216-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4216-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4368-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4816-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4988-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4988-382-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4996-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4996-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4996-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download