388f892d08a0d98c9674db6fce036488c16fbb65ecaf56817116635fc5aa2a15

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Size

1.8MB
MD5

688c0e3d23febfde6cab403aca437060
SHA1

906aab0b04d43c212d098147c9e78ba09d87c6e2
SHA256

388f892d08a0d98c9674db6fce036488c16fbb65ecaf56817116635fc5aa2a15
SHA512

14c2efe9b37297eb78be37347051da17cb68e3a207dd4da3057b3966d707c9ebefa40ff0d324b328ef0be45d6cf8015ea8550c54d90e3bcd6920403a11261a30
SSDEEP

49152:xE19+ApwXk1QE1RzsEQPaxHN865RjUV2Vo:i93wXmoKE65tUV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3008	alg.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2292	fxssvc.exe
3372	elevation_service.exe
3748	elevation_service.exe
5104	maintenanceservice.exe
1112	msdtc.exe
3248	OSE.EXE
4784	PerceptionSimulationService.exe
2540	perfhost.exe
4060	locator.exe
4052	SensorDataService.exe
4316	snmptrap.exe
2720	spectrum.exe
512	ssh-agent.exe
652	TieringEngineService.exe
4980	AgentService.exe
4392	vds.exe
4508	vssvc.exe
3524	wbengine.exe
4892	WmiApSrv.exe
3140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bbfa3b62b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afb75f22adacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b32f921adacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5440c22adacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1600b23adacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000407e4522adacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d27e2622adacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008446ed21adacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd083022adacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f68ec01badacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe
2520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeAuditPrivilege	2292	fxssvc.exe
Token: SeRestorePrivilege	652	TieringEngineService.exe
Token: SeManageVolumePrivilege	652	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4980	AgentService.exe
Token: SeBackupPrivilege	4508	vssvc.exe
Token: SeRestorePrivilege	4508	vssvc.exe
Token: SeAuditPrivilege	4508	vssvc.exe
Token: SeBackupPrivilege	3524	wbengine.exe
Token: SeRestorePrivilege	3524	wbengine.exe
Token: SeSecurityPrivilege	3524	wbengine.exe
Token: 33	3140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeDebugPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeDebugPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeDebugPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeDebugPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeDebugPrivilege	1552	688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
Token: SeDebugPrivilege	2520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3140 wrote to memory of 1916	3140	SearchIndexer.exe	SearchProtocolHost.exe
PID 3140 wrote to memory of 1916	3140	SearchIndexer.exe	SearchProtocolHost.exe
PID 3140 wrote to memory of 4936	3140	SearchIndexer.exe	SearchFilterHost.exe
PID 3140 wrote to memory of 4936	3140	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\688c0e3d23febfde6cab403aca437060_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4976

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1916

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7d32012f2a4045aef2694955cda507c4

SHA1
403ca03eb6329fd01080b791ad5d2e17f7dcecb0

SHA256
0d346e008fd05c0a066f32c29b14a32336d918621a861f41887db978905b6be7

SHA512
a4b9c5845cac671ba46128ecfaf8e7b5eed17d56904e3e945894725d96131306ef0cc0b00ef839b3128a99bccdda48dee55226ab873a2f668d7db84613783c01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
27043c5b2aa747179bf8db4b9fb1159d

SHA1
2872ee4829f1bcfb9da5534db10e3a413da8208e

SHA256
cf9784b314d24749552bd7ea5b9cf81829e1f8c8a6972b58469be5b33fdb454a

SHA512
d0e6f613e58b80d50144ce346567f60f82913441d86d7e6fa6a33cddeecbc22289f51a0d656a1dd8e5b79b76a404e734e9b3bd3a74021a258602bc474d9167d0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
613f741a8a039c058a3d90afa4ae34b1

SHA1
e7722e7539519cf5102f1a7ac6816995886b9ede

SHA256
670db8babfa0a603ca289ea78b0f5c20f01dedcc943dc12e5d9b4aadcee4cb64

SHA512
0c30d130c0e7cb9de1f9a9c2606f28aadf8fec52f3aabd3b20a715285a92cbda2d279a8b57b9ae5da4e1ba5eca4b237448b9468220e782aec18e6ba12ee6f42e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b5051c476963fd021368ab8f25e6e1fe

SHA1
bf2e57d03889515b1820b5fef0253d140a23ca4e

SHA256
42cc43669cf4590848fcf0613fba08c3e6fb46d6aee6207f3bcd20c0878ea8e0

SHA512
d84a85a76e0d7e754cb998b709dc1e4943ca8ac5c49eda26ad224506df8f8b99053ed673150e3d383a9a24e7c261e64d15f3a95e4ef8de0501fe8f13e95a59ea

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f439f8466cb7ccbba709df13ab27a965

SHA1
17566297e9fd0b5d988ce53bc6db4b974568096f

SHA256
01b2a2a6bbaa5750a4844efa2318bf05c8a334b5a9c4d748e3aadd7b3bc67181

SHA512
54726f7c430ec8fcb9b07ab2e8378ebd693bd08744d118454d7beb7e3c8e5028d759ed7d7c80720b50f9578f6a29570eaddddb528c9d8c27725cb02d84585dac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4fdf056223d83f242b3b82340829e2b1

SHA1
0ecc1c660f76954f154b4d3b0cd2498c688735f5

SHA256
b167c5c8e4276454bcfe7f89fb6a63fc92dea59fd0b544fc6b93287748d0f2a3

SHA512
3901f2bdb0b0e7f13fe235f83ce3d4cb8596305a32add6321d5cb52555b637d79b58c28a8702315517414c62ddf640ce38b8a0e4a57b39f706ed6c1e3f935fc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
af6be367599874d7c9c3157a4be0304d

SHA1
9f34fe2b6a1d9badfd310b9687b3b533cf308f32

SHA256
8a6f29e668decd80ef0837f947afe6763b2dac8795d80388c0b5ed444095aa32

SHA512
0871701cb33ec0cc770470af0ed69d35bad0be50f506c1333ee117fbd00a0a55e1a4f50eccbd484b707234462d8d6e1c47694b5bfdb0851ffd42cc88a28f551e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dbebaeb3cc8320e927788f297095ce5a

SHA1
cd4bf9ab06c63d303119815cf03f798417d8060c

SHA256
bb5f46a65fdadb5de2a971113fe36335a52fe88e286e422aa0b6da3ef1049bca

SHA512
476045742a38a997f8b8a9698ae6d0b2fa7e431d8df9af929394d6f84d1750c611fea4065f72d6d63d1e8bbd66f1ccf5fd54f2f18e1e99b11800156154f0c37a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4415ffb4d11c8af100af619b46326f4c

SHA1
0e3b25eacd72914dd7bd9f661fe92c93a9c31406

SHA256
81ae1cb8b64f34ca7669c6b6964486d46fe6c84ec4d8e905b3fa56b21c66cdcf

SHA512
d1dd44b36033cc4c09dfebbda556d6dedb0199b90e466348ec4752f0fe14b7c100674fc73d1da2517bd77d96c40242267cd6641148065f98cbb27e67c88a78b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc261964d102f899069b4de4eac38e3a

SHA1
834cebdfa669edba692efe174e7276c36076071e

SHA256
a30b6383dcdccdc56cdd42d47ec61c1e24445d2a8e3c4230c73be4d7fb633c1b

SHA512
3f26154b5cc5666551b4093024a5706ccdefc31f65aed5751248228e14eb406c6215a9facdbeeac7f098aece0b0937f35b4d4c0c143fce7bc0945b085d7a3522

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
850b6d596ce3a6e25d30fde220835bbb

SHA1
3aee8b0e6be9a19fe65b8094452ac55c6ac0e8a5

SHA256
748bfc377f9368cb3b470b91c45b65d77daa0658a6a4cfc5d6322dec29efaad2

SHA512
b4e039d211936718183a966ae7f24ac8f200e96374e50fc23049dba14149dbf9bbecfdf464f139febd9d7451683449cda7d63a6507a30c0f07d6a448dfac96c2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
421718e2e54a39ba46ca44cb1fcda93f

SHA1
49f2d0686894182aaecf023d65e8a3a868843359

SHA256
d3132600fb11514860bc5dde1131b0dc2921bfc54887b00c38a2bdc23f2e622e

SHA512
cadccfbfae988e5012f9b0ec55a780bd68ed7400d6b7a6e586dd0369aa35f1e59f6fd2a6eb7c18434a99dc1671ad5f497f5067b34fcc027f07e4d3ae7c2bfaed

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d811a4b45b2ac54b6fdf5395ac53c40e

SHA1
9855722075fdb461d5c487e1b5711466df99933c

SHA256
9c3a335ac15949e555f99d9273e30dd083d3237fbaa306e906fd66360654d4f6

SHA512
ad52eecbe0087ebffda61303c5a23de427e0a276299874fad84b28053806db8781e62657643a0fb56dba80aa878a56f00b2bf55a2cd6e55ef7206d32edacc3bc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2d7a860e5adb314d4e22f7fc06aa1afe

SHA1
a86173bb760766c0822ff2da4cf54f2a92a01d15

SHA256
aa0b8e0743d3ff1abe01b3118bdbc0169a3e96e6c55b8c411019acc4106d0d50

SHA512
f46c8fc3ca22d675627a5c5b69ad07efd275358758b384bca0628d32faff245f4c22c342e4279e79a39d351b0ddf0ef2c8505be1a4e1cd853ebfc61ff31cc8c6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ad26324b9b8d33490ef35720a5cf4029

SHA1
1cd49bc5047d44eaa84bcca99705d5f731882213

SHA256
cc2d3a8722a26fb37df4efb63db6da2de0493c7742e6a784df9c717fcdecd2b9

SHA512
8cb42a498f9a06dc15918c2061af5d1a424001914b2314f4a59ffa197c4364952e08623b823d99f2f619f957cf6d999f7e82bcb4df6bc552593b3ea9ccfd1bf9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d2c6300990667387aa27dd5e5d4c5266

SHA1
5f2ce2c06ca9cbd2849822a159056fd60f41c7cf

SHA256
f77b181b0c75b567b488f42ab11291851ce30e484a83937090c6cdf0a517c25e

SHA512
4cf8f578a5a69289fa7ee09efc21e0230375c5ada4ffef7345cae11ee518ffedd3689cff9f5b3de5a0961ea07f477f363f520b3abe1445c0928cd586c90892f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0f2bd5ffdde13d10952ab28b02d5a12e

SHA1
f1cd911c9a5406c83a5cb772f03b7349b9476cc7

SHA256
bf25a8e03c8d5101deed3b83cbb0cadf4d5e258cf266f775df007ee4f2d8c184

SHA512
ce280bebb2a91e0346cf81c0155ddd8b7d961e61a11d90f4b8a8594c1b21d47158d89528c2182a973aa587906b22c8fb37fa7b7ca1c00701e8e4ecae1f95fc76

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a076b6942909073e7dfc93fb4fb67307

SHA1
977cecb218719b892bdf3990a0a3f3f087d13563

SHA256
9b812c84330e27cb27879c1581eaa99030c85b9b2fa774b26d448903c9de6ee6

SHA512
a5da86ce312686ca4384184b2c4ea736d1d36b511700545fec44e2f87210b56c3c4d48c2eeb18f49dfa47209ba4cdfc067b4ec7d729a3d4997d692e88997d41e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f6f10e1aeade366d72a0f971fa82d1e3

SHA1
3c8c95322478c57e29fc0b4add66be10da81f60c

SHA256
57969ba697d046573c5be97badc2f260d567b64e938ea4156010ebebf3019671

SHA512
12c15747645b9b22cac1c8111b87e5b07c0417f4b6ef7698d3c136dfefec145a38bdc7a8b34914fe39ee54b363a9ea2f70f9b5f9cc85a9d0361b5a8bdcd0efcf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2a4443152477d8457fdffd1c3eb88743

SHA1
5e46dccda6f0e993da72a258b3929b69840bab1c

SHA256
d62570e7967145ee85c58036e7c0b3475115431408231c9779b2a6607e76190d

SHA512
af8d032c96ca648932433a7c131c9f365b7e6c27b69d5a5484a0816641cd6cb7384fa95aafe2f4e774e9aafa7ff93bb1053019adf12b15eacbd51bd73101088a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c79b2f568d7217d39c26084f34a47eb5

SHA1
9ff67ab8e4c722630f070e98a2610c7e71feee29

SHA256
1ee59849efafa0aa9dd48b6d7bc7486b0f90df1651cb38343c0c16c53c7e15d7

SHA512
31c559f1727a57dbffbed5fbfab20bd4d538e01c3948d32cc31728b7a204e39a812ac5e6f2bdb90dc2a457c8c526644e0bf508e08b0d91f7be65614b1253684b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
05873d9dfde3969da95c09b85fd3ba20

SHA1
53ac0fd14806816f72a8709226812c6392e2da2a

SHA256
cd15240aa95f1b859700af74b9ac642ffdda53311ada1cdfef04fa0923296c2f

SHA512
97602a64d0f31197f80d1dbf308a0eef3be7b4b80b1e7c734a18bae71f81b90a18d8572c8075f0deddb05e38f1b6a0120c69713b09289928ddc2e6c7b5935140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4b818969b78ed317ba60788df9afb8c2

SHA1
2ca786daf9e7beaa7246522aa840cdd79ecab1ef

SHA256
2830339273646525e812b2d883ad231f52deb10e3d1f23e0f29a6406be006c84

SHA512
8f99e1001c9c58db981a76669cd0e015f6193e58637d57b852570c75e024838e3c6ab77e7fc659cee9d366ba967ad5eb6cb6f87b8a6e8ff0a29d0f81d8ed5041

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
59a2d4e62973292ac6eb6178147217b8

SHA1
439e76cb498c1fc75e179f628ae62bc9636214d4

SHA256
3d948471790389ac2641feb16bb553cf0a23f76cbcc1d7359ac8149df1344f90

SHA512
16617db27410c9a6cd9d727b4f96527bf805257fb96b885bf3311deee5379169999e0614e69cc8e30f47d97f41a8c918fe405ebd60f4980c778d77713dd33388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c4ee1a6117095fd0a05ecc1ed35f2666

SHA1
b20e5c33dac971ef21404ac644c5d0a3a19ac0ea

SHA256
7123752a24ca9697b3b23bc3afed1ca30d56c5755cbab7ea319221cf99b00d3d

SHA512
180ae3c0569d41ed9187139c0be53f643d17b06ee1a01af2df96ed5e07cafc82756126c18abc79fea1cf285c44d2230f935aba37311a41a8019aed87731ef283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3ed44c06ea71ce012556d867a402bfda

SHA1
7393ab7396d71e5134759a8de282f4cc0ffdc81a

SHA256
a36c2c2e83a6b1c640c9ac9becc38816f89acce3733e5deed4d6a117d0b56c27

SHA512
53ccc4a9aea4b3ff57c610597ff3cbf2833d4fcf0a9225d0f98e8c40aad013766acd0de6585062ad698e376f128d574cb52c643a6445a5a3f78ce3964f344efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0b6f7cc368d36e05fe91521548f9a9af

SHA1
a95d3e923954d765e6a737847180f71b990d70da

SHA256
5876440e8fc3f5569586b7594c27a43bb2e18ac3d5a7eac24e0c959a5d974e37

SHA512
3939991823fd7f7f0709b6a13da77a4294c54b538d6ab165c8dc1dc73450ea68c471ab263ed28336815c39166bee449f32a1c84e98f94eea881bceb2d95db9d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b7305c0bc5d7e6def1ff6c5a9d68e837

SHA1
545ec04e3e3adeb4dae0197b91d3fb3970b0b07f

SHA256
7c271787fa34f8db76f3a40fbe68b17fc369257f9ab285560bc717de455086bf

SHA512
15d45c675e3e592baceca7c39df21404337692c57c86d11e4d7e4c77193083a82a5d12b0f42df0a3bd644d3928c87369a437615aebeac43a3b1a9baaedd99294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fb2909697259c23ae477f64fd4802356

SHA1
0415d23783908ec66f1a1c6191480668501ce91d

SHA256
c5bad2b628253dc43901e7d8fa4ab921ed413a121a591e3174cd3550c8267415

SHA512
4b80e3678b3f0216cc75a9475928aa8738b976d71385a6942f1c519801525627caa053ea28dcdc961e642e233cbe6d04298f11e3463b447561898d0597fe894d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7bc75b2af2a2cccb91d964ca21d2af74

SHA1
fd724ca35003e01714bf49c433bfb8afee7398da

SHA256
5acabfe1956df41a3d489c9039fddc544fd46b363cd5a967b89f8038deec18f0

SHA512
6c2ace8405c78bb9a050a29affb90d87f8b01483ebc08d9f27db6a962f01dc9df88291a482223a5e64c8b6753c281187aa00f356c58ebb2b364c9f83e3407043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c00022d3d5e486a1b564cd150bf51f44

SHA1
facc5263c8ae14a6b7918b09918609dffc839843

SHA256
d919a5282c2f578aee4c67a02641ecea37528cc7ff9a20addd37d264b1ad5bf7

SHA512
3642a8bc7c54cd3ccf34d4bf3eeda2c8d911ef040b9e1b4767be5ea0149047e24649efeba8177ab4fe66b764a67e1db44310a5acae8712365c210465b31715b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3b1b23825434e3ee101d859c4b6ee7b9

SHA1
1626344290dce04cc81c9321b9203620bb6a6085

SHA256
f84fde0901a9213858384c6d7d29f042e7059d9b0a44567fd37fe3442759e967

SHA512
5f6e364042de850ced9fa7edb2777bc8a57e898e7013a4aad9a1524fdb3756758c071e2b4e911de0aca4d5d3ae91c3acafecdbb35cf855853e68e8d29bbba5cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e186f045aff9e59f493f84444d7aea15

SHA1
f7208a09d28dae8beec91084a75bb039a4acb521

SHA256
ad1b2c7abbb43cab2226522be2c49ccc0cc1c0f76ab52e982a602eee68ab4d12

SHA512
038f3c7d9bacb4329a5230287da61256826a7367bf3979ef57c8b955de0c61bef57d6c827d702d42bb2352547813d36f2a920c51c78772ed1e8db010551584c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9533a04ba4e442c04c2b35f4903ed8fe

SHA1
aa90ae5cb512daf2a643d4495dfe14a6173a7864

SHA256
6d0cbb221fab8a1d00d036827d7c980d2663c2292dd308ca4582789e938f0e12

SHA512
6114cd67271a6ad8214324515a0ca723bdb6dc6c482e3aaf7b8c9ca7e9100b12f0cd9a7ec47106d2b83894c33da0429677acb5c3cff2d67ef707bde87d3c240c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b2ff3c3a0f0d7bb011e0add9cf038bae

SHA1
6095ae6b7784d68700b17d82520c10f6fca50725

SHA256
1dc46b3a6e362c191e8684f984ce870f67d704df7b9e1487444c8cbb1bb83f78

SHA512
57e4905f52c766dbe94af77f78448219b3a202420619d0117af43789bfce35eac6522e6fda58202efedc9e2ab554ee9114a5271b939b9fc8c5fcb51b8b3fd2d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e06f084340f801b464c8cc2ec090fcd6

SHA1
a5086b83cfc2e17b334b678b94d6192570224b7b

SHA256
6c22ed19ef8ebd4803c6647de6ed1bc5911edad87c358105d9f9af5112db044d

SHA512
1ea133b549a07fc624f11cdda7e58b5394c5dcd936eb96c818ffcf702b0618047995fedcc6b4fb7af40f28b44639b1f957386ee788c4c7f2ce7e5f20e23cc0aa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dedcd710093a56cac541937a0db8b7f6

SHA1
d900cc81c045e42d425b50289d92cb2e3393ffc1

SHA256
9595faacacf7258708c8a1b7e9a57fd0d1f41a8a9da90d7519a2763011069add

SHA512
0fa9797e39563a18ad64fad492addff7cf4e7d4921261d42ec6bfae02b09afaf5741714a2ca279552fac3b6b24c3d8bb498582d61eb1bceca6ca53edc06227d3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bccf4542e327f077b689d4016fc9052c

SHA1
a9b464829feee52d02f734dc05939d1175c28331

SHA256
866c0b5a6665109c5ce472409c61cd86723e6622ab50544f4432a47fc3cabf0e

SHA512
fee76ed630105e1881babcc93b910fb88273a8205469d998d5402444f5ec5d0974b9a79a7f1052cc507146a168fc0c614040cc47cdb1b5086ae028e82a359696

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
215e56cdd3fe87a6343b5a26a96b96f9

SHA1
f4deeeeec23a4dff0e31164b2f039fd9b16d415b

SHA256
e687c02043b231224160e60005f773ed2fede9dfc343d1d71162b637f06f120c

SHA512
8e43477ff31b95e4952e7929f3c41b0b4ad6bcb36572bd04442ea64e3242dad56930a263980665e036b5736e117c50f77d156d74b0a3bd91fa01098039113694

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e7a0ac39dfa1f5a59b709c8254f564b5

SHA1
e2f3e35a8e4ce224b1785070b6f9c0b327021978

SHA256
04f11ebe336086d6bbb8e71ef0e7c99f7a5ddd70465661f77226bc3ee062dd20

SHA512
108b3758cf3187ff996423a26d22c7e96c4bc0504fb7a6326f5b88bd0273dd7532f97f1820d16a846567db5adfff93bba0e66a460f2b8c81445d6f5d822085d6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5abe3f208855f13b3602ef4e3a132c23

SHA1
01cfd25f3280ced0ece44938051bf00b180caef0

SHA256
335285e814eebaf288bd489e48e5fdaeca3225cec604aef844945b3cdec5d68a

SHA512
d8af5af2fc7e2cc52d0107037c56f5a447d7cd5c4d76df98ecbfbec34801c58b97eb50c5d8aa4570c21c71bc441e1936f73e3f3c56eb9a915f04f9b412efb085

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5cba959a3af5da82a09a1e81e96be418

SHA1
53768cbec31fab9e56b54a0d196d5203b64391cf

SHA256
b0a064f7904ffc217d577e572c1074cec5d7e9e18ab150c76562354bacf65b54

SHA512
c8d90c034d2875f4d6a6c11cb0e938fd0d12c3b2c1a4ff344a3a9ae0684fb7279c4b408cf0087085a005f413f01cf86097169bae896eae2b54fe88df6ebbae79

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
453d94fbd3fc7bb55891d9b50c87f2e4

SHA1
93e81a07eaeaa3ac24bcebb8e84c9b5c655f4128

SHA256
5a64fc2affb9244d0b887d8266ecabaf9bae710ef165a3f90b1d35560ae696fb

SHA512
3f29a752141d7bf56dc3e2b972bff4a0f2e6ff2cb5634f59cd484463e379b71dee485f63ccef638d47126ef1fa4c3fddad90ad9174daafb79ba7667279683db9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
625b5372a63116785c9a619132981435

SHA1
10f80e8e19230f22f01d6b2182d04748b4e6e973

SHA256
6a53c719883e170f09d2689e4db7367ff391edcddb4715d949c459ebfe98b071

SHA512
53d6678fc0988d78ac08bbec8b0f71205602d1f264759ebf728635189987f4aab486abc7ceb7776d2f892c04c3d930170e8705f71ac4025870d1f0f2d2e9b73e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b2a0f132e3436aeed705d717282721cf

SHA1
e697f356656629ba1c5cad790c5491bb84714e92

SHA256
d5fc23110aadb0a08641ba62ecc4fe30f7e5349a0403b958e7798a2b5f0a5e4b

SHA512
90579ff2c139ec2eca318b77bef97ec6dec75d933f1f0b9192b8dc1d33c8dd70a687dd07796a6031802ba80573a8219556b41028d2b9cbcdc842f2de103e918f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e9e5b60b9f84f49b483e70193f531fc7

SHA1
40ca47b799d79a36cc3252c6c258308a9ee81395

SHA256
3ec7154d7aae6db251601b9ca1ac01392b6966eefc9e24d4a72f9cc70ddd5a0b

SHA512
a977f1f5e668b81ce986e2e2b5a265c7b53b7cdc4eed453026707cfe9be9ec0cd12b637a3aee333e5fa770f726a2d7451622951635d8c31e76e4e2ec259e55ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fedb42eacf688bd6527ae4c98729f91c

SHA1
0c4611289cf9f24a66571b8db755c42856eb4df8

SHA256
67d4e7e269398ff4325aaaf5119cd359260c78ac700a970c03adf4609e7dcb31

SHA512
3b99ec3d4b6527b4f975c01e67b77969176a09d931163c9365e1ac4762a0e581c60843cc9ecf972a6da5fbfe0dcd8bdaf48cd00410974fd8c91b0a4cf31e1972

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b79ac63ac8cac355b67917275f517ba8

SHA1
2c26d68ee7a4f18e5e75d56895aad684d04ed514

SHA256
527ce36a5f71b5648c6b06d7a727dd0afc532c22cc835d91fcdccc695b5bfd27

SHA512
f2a9cc982e78a0a17cb3cc9e70c99473fe939263df122653f68d5ebe31cdbac04432ca99e1a842af86aba70b2416b634319c7ea0948aa8ef87e653bbbce4be43

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
444e15f9c0878957a0fc80853025631b

SHA1
b49002b4565fd1f379d2236bee76d65d395a6dc6

SHA256
574bdf0425c11eca46b62975af536456359dac2b98826dcab1a5c5ae1754532d

SHA512
83ef0fc17099aa32399f1082459264081882468da972408b1ae35a771237947f31e567323324916fd001412ec3b720e6378b97bdab52e1ef9cf7222024558dfa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
768de5903c3a6766f5d51905a0ee4788

SHA1
f64f3e9907445846e4fccac12dbd8cd98f72b48c

SHA256
abe54b3aab244a5d22d18f8e857b49134232bb31e537aa7a13012c00004ab8ed

SHA512
0a7f2f24cf60e97cfc3bd99f11d3eb0bfeefe379683f11a31e56a33f508ae2de486928f434b35f343899b526e476dbd3965771ea3a55d1a4bbe88e9850015070

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
35e13f8cbd610dbf17c1acc63357e6ce

SHA1
238ec10dd2da9ad73d7b4cb805151c775efef888

SHA256
f76602465b8edca4a70878a6919d2390b2fef24bcf3f6c8b0e423aa1e3fe53cd

SHA512
97a8f259a87b8a0c3a9e109b25b9916dffcb3d2cf31977d00a89d7fce197420cf067d4a57969b6cb54ea3823a29bd741b56c4b94b0e2e5ecea9e52d6877b5260

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8ed1e266cd5a5e3fb6229db1203677cb

SHA1
96cf04153d99239e0f04399becb6c795190ba865

SHA256
ee49da9a544d5a404b528059f230826c50d989dcaa95809e75c99473c35949b7

SHA512
974cc66289086f5a144cb5586b10fab71223bd42616371c79bbc0d601d8fc6cc20033d2d10a4fc5740c4bb685cd68c73d0ad031cb826fb33e221808a0a62390d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
10c9a081a2fea805b82424f197dbf122

SHA1
dd9b58d0fa762424cf708253dacae2113a8a118d

SHA256
29ceed7ac68d405e9b6e50538926658ca21e6a0e8fe989c31c21c24f827f6299

SHA512
82ed9f6b7fd2f83a195953eb7e07fc158151ade2714d0ba9f780016a62241234ac1566311b746e49ed597206700a9f2088fd718bb1181bb90c0e0f964941f822

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6059be75b964d47b7b95d972c0bfa425

SHA1
b2db2888f081884ccfeb507861a9c479986d3da9

SHA256
d37fb1835ac538ce1fec03312ae78ba777f9273a4e733fbac6e0dd425a5a5811

SHA512
d6307bdfdd28c0b76a8de81f659a88a55f7c2cff6e0654d38ccee03c3ffa8c609fa910abf54820c1b6a0cae7fda828c7d6e9e6e847dfe029bb241619bad46dfc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b9ad6db222ce238942c2810a4efaa7f7

SHA1
07de83a0d4f20dba36d6348ca8b53b31e2b29649

SHA256
7a79ed4a7453e0abd2f85d2ff4b5d5e0c18e5811e0f3e44286e278b9bf7f75d6

SHA512
b8950d30148b12b37e8fb9baf4bb6c6b750425c7b42172c7b4c224439ee580476fd9922a08759880e118a88fe8866b12c22f65cff993a7fb06f7a1e39480d73f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3e29a53d6c2ae761fc766f93a5f2a2a0

SHA1
0fdfc56ff59a6fc22a4997dd2129bc0188b78026

SHA256
7390cc385016f069f1d1e07478dbefe23f3e6f5a028901def7f4cc1eb270aa3a

SHA512
d7c93b08abd9d4e050d9831333c6cd585de00ad86ab94fb861475160767955213bb7dc1c9b54c57c44edb49be9e171abb7e5320a96e219517e4a522406c34df8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2010624efa58a28f1a98a93454116c70

SHA1
e6dba9e93c8e92d974db0b06eadbf9345c009523

SHA256
d51250ffccfdc07ede6eea6b6d88b830ec98000e5fb68569fac044966921b76a

SHA512
98036b7dfe6193f41d95e263b10691a39683bfcb291165f46676e478691d3756ca550bc4d5185e949fe08c1796f0ad98c15a45cc30853dd0f4a352ab2f4a4aac

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d6372582715ffd87066c6515e68622ad

SHA1
a9294732247e11b1524f32c106d4d554e355f1ef

SHA256
dd7092f2b359103b4cbdc7b73e4160a8f751d5721745f5869c629e52ff10e968

SHA512
1db3d0c01547cf037aebfb173baee0da26c3b91470ca55ed067f94afd5429a6e4230f440e13bb70339faae92d8964c623f05f2d1a6d342a099c0a44ef87f0d68

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b3e7ed71eec80fb11d51f7e6b6427f3a

SHA1
f5f5ed86a8d9c06d43d9c8befc02e4d16b45245b

SHA256
25032c18f93199a04e69fb6385dad9080629a574edd923e1a0693eccc43f2748

SHA512
01f2c6935ab50b6a616b552cba57c86bb2be99d85b9c1ffc1dca52380e281e30704be7257ecd224c90ec03655118fa68ff498f09619116050f1a2122ff8d993a

Download Submit
memory/512-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/512-368-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/652-369-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/652-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1112-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1552-2-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/1552-8-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/1552-83-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1552-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2292-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2292-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2520-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2520-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2520-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2520-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2540-103-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2540-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2540-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2540-108-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2720-362-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2720-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3008-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3140-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3140-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3248-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3248-80-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3248-74-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3248-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3372-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-39-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3372-33-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3372-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3524-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3524-456-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3748-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3748-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3748-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3748-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4052-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-367-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4316-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4316-326-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4392-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4392-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4508-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4508-453-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4784-98-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4784-95-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4784-89-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4892-457-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4892-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4980-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4980-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5104-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-62-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5104-66-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/5104-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-56-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download