1bbb7f2bcc9324615dcbbec57604959cfbce716bbf4d8a7fd5861bff110590bf

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Size

1.3MB
MD5

b5bac3ad7f835120fc5a1af43b6b5b60
SHA1

5b7a603ca49f0b99c87d10bf49e5394476b13f9b
SHA256

1bbb7f2bcc9324615dcbbec57604959cfbce716bbf4d8a7fd5861bff110590bf
SHA512

9168151eb036da34fce0987929b904f890359af7fd846a27ae89057fa107d545fad1975927c5eefea563ed93a8ccb3b7f96a47e024a364a414afacfa6c64ff64
SSDEEP

24576:KfGxypdYaHsK+fM2jEaNZBqoeW7V6tGLfHtqls+0:kGApdYksDM2jh3BqS7YtGL/Als

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
624	alg.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1512	fxssvc.exe
4384	elevation_service.exe
4528	elevation_service.exe
1876	maintenanceservice.exe
4900	msdtc.exe
3960	OSE.EXE
3532	PerceptionSimulationService.exe
4016	perfhost.exe
1612	locator.exe
3208	SensorDataService.exe
4176	snmptrap.exe
4060	spectrum.exe
3920	ssh-agent.exe
3568	TieringEngineService.exe
2076	AgentService.exe
696	vds.exe
4456	vssvc.exe
4448	wbengine.exe
3988	WmiApSrv.exe
640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\22fd2a7dc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f47574c21daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be665ec01daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff8c2ac21daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f37b7c21daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000861372c21daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b52a28c21daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000962b63c01daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000beda38c21daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeAuditPrivilege	1512	fxssvc.exe
Token: SeRestorePrivilege	3568	TieringEngineService.exe
Token: SeManageVolumePrivilege	3568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2076	AgentService.exe
Token: SeBackupPrivilege	4456	vssvc.exe
Token: SeRestorePrivilege	4456	vssvc.exe
Token: SeAuditPrivilege	4456	vssvc.exe
Token: SeBackupPrivilege	4448	wbengine.exe
Token: SeRestorePrivilege	4448	wbengine.exe
Token: SeSecurityPrivilege	4448	wbengine.exe
Token: 33	640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	640	SearchIndexer.exe
Token: SeDebugPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	2920	b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
Token: SeDebugPrivilege	1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 640 wrote to memory of 2888	640	SearchIndexer.exe	SearchProtocolHost.exe
PID 640 wrote to memory of 2888	640	SearchIndexer.exe	SearchProtocolHost.exe
PID 640 wrote to memory of 2032	640	SearchIndexer.exe	SearchFilterHost.exe
PID 640 wrote to memory of 2032	640	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b5bac3ad7f835120fc5a1af43b6b5b60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4060

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2888

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
462148c3dc9168010fcb2fa0837740f3

SHA1
4af38e8a8a6e10067d3e0d8448d48f31815b0c69

SHA256
661768c0fbaede50dc997a70ae93385fdf4e72c1ca733ce09343e5704db73ef6

SHA512
5d8bd65ef6625189efee12f70fac19e9449fd6bbdcf12007a34418a2ab5bcac39086dc7d5e29ff7a3d0d95bd793cd0cab8deeb3ba55b781cc90f19b318b06de3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
822d7609af8d996fc4a0cb9d07038124

SHA1
d0e17c428f2ff54b3ee6121c8803d26e29d74632

SHA256
8dc3e798855781040f9daf40a5aeff73780452abc9f6051b848ea467962b9e93

SHA512
8846033b0d9a4394a5b1fe997e99209987530a521f1bd563187a029d1051d57f94e5214d3c8d120f99a23f1941dde16118eb3cbb80e88919f5868e15e60dc351

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
3becc33353eb6b83c021cc9a5d8a599d

SHA1
926f5217cf7de25a6a480ec2e13cd5dbecc4912d

SHA256
b2d94994988f0e1725a09add0cf2f14d05120e7007182f44407fabde70f8cc65

SHA512
cf29a3e114da2840d186287248558498119d050ee6c7d33426fc65f0de38aecb02c3795a4d67df9d6872e3b0eb1f2ebe02720a4f13143b07a21cb67e8687efdc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4cdffb55f12c03445c41d27a9ac76491

SHA1
b4d77197bc131b9d8f9c0dffe09bae8df936b8d1

SHA256
bf2378c486f177112cccd04d84b5070c816c14d824002047aa4cd6893a187cce

SHA512
d40711065596f0badbdf53f01dd56527c31e8d380fb58d2f541b8ebf6bc85672c42e27a091126303c6f8bc1bc3f4f2793df0ebecdfefc2d58387cc0598a1d0a4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e32324ec4c7547f06ed647dd20f1746e

SHA1
3ba356853e4e365436335de59b726a8ebba7c39f

SHA256
6de19622b1d606bb34eef67338b95400cd28fec43eb0de6d0d20f2a6a0e9a95b

SHA512
d75c3587074d84fa97e78c8aedb8438cb4cda01b81f6de0af40f4bb0612c08d2c9a6472d1e407327a8054815850bf465ddb6c006c5c98b9ce729cffd12ae8525

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
a3b84819502f786b740a1cbb00d84367

SHA1
734be3fa914167ee03c1f67be290b1b28e3fdec7

SHA256
9bae6bd246bc535c414bd27e621f305c6c21896e02faa01fd464116e106ac5db

SHA512
577fc6646eaab569d50c16bf049ee7089ab3865aceda80c2dc8c9d89ca276c7475b271b0a4860a2653f7d0bcccab0005a5ec1cc7ee30623262336be850e90bf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
1736830d39d45384ddc2d80dfa928054

SHA1
b16efff7803df963b548ade8933ca459323ab352

SHA256
8c8ee70b8de96bac1a3e5ef5d7707c426d28b9cbb88cf497032ea38bbfc4b189

SHA512
ca7886043eddba90459289cd4c019d10023d94d80e6d45e20e876f35f95ebec6e82c102aa4cd1a03ddd004cdb2b7139494e78b52351188b165d54fb320c05235

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
396db43695b110c9a7284fab16c6ae10

SHA1
a11d090a879d59a3004e92d0b0da7c8a696b6f96

SHA256
185d84477eb42420a9c0c0c5ceba853f03b8a669c6f7a50d94e522f08ace2d49

SHA512
366f510470bcdd3e4d1b97f24d2f258865ce4ebcb885540361053f0a641d360865004e1f9a6c9f3a2977bd3f1b773a5d1a9aefcfdc321176f029309dd8f030ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
ebf282c54b37e1519912882591c6ee01

SHA1
e417bd225b64272d91de8ef40e61ac951661366c

SHA256
2332518a01b7c3e9787b8ebdf5b4378a09f60cef53435886cee7830f66236df5

SHA512
88093746887a43852b9746646a38962a748b9e5dbe54f50ba17449ce2b28c0542c437c54634f8286fcbd2e9b1d2ed7f9fa744530b0537dcdefa0b08b62c75b03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a219f772aa2abb04aac7555aee7fa097

SHA1
223bc8f31151f31df88572278eb0a62fffd580b6

SHA256
bf4bd7845aa7766d3f4cbbf9851090f088972598143c8b155288d399bbe42554

SHA512
00eb6360bd359a712eec504961ca279fd2f7610abc4c821f9778b8ae999396d9b3009c393078a56f416030ab1e5a5a249fb615111a86f6dbf4692901a8dd6708

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8d24e4333f9800040984c0d903fb4cb4

SHA1
17a728372e881c067c61fc33b7e2e8be71d40353

SHA256
a54869244159b17f0097a900b6ca6b568339e5e720adf4dbc873e10d8404a3fe

SHA512
1dca439f1d335fe0ff06a9db7702653a2520a476523109d2e5a837afe60d7c065c8931539591fa09759610e6bdf1ea4064ec7febd58ccab7fec4a339675f4494

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2bb356e68383b50470e3389ce1ad62d2

SHA1
395f922309b2d8b660f543b0ec5e5b0ee3236ade

SHA256
685b4b12e2adef1bb05950988b30bc4cc49c6394c2eec34d72a5e1aaccc59e06

SHA512
82b432a80f5bf5e85116ac2760a760fa681522cb837c25a93f01a61113c15a47175c3e1901bb330b46fbda11eb4be5a4321d0246a5100a73bdef16e1f4a91018

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
c01fd8e9589b8af1f20dbf3f4cb520e8

SHA1
8dc501b5b4ea9efde1254b0596257b4bf8e82315

SHA256
8ea4fc15a6a2cbed7867889e4c470a1c37db39b69eebeb6ec0f467c032d338ec

SHA512
26fbdddd4c19d0622f686f73e37552d7d315f03572aa5e6ec5e8c0fa15e538f378d37331fe965ef1ed6f3de97e9b6c329c37a9f86b32cb2295d0de4cd0d9cec3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
e9a7d532b5a95652e4a350af90f91608

SHA1
94e04e1aad1c21f0af4729edd096f24661347553

SHA256
2a142ff4c0d95eaa79102d8994f47988884e7d4aead0691160e438e595097af5

SHA512
a3948a8ab36e2005badb24ce557969efcdf8ff9b569b961930839ee5a19834a4a953cbf7bb22eb00f5d85774fc981efb0a36339d61fd02b64560678d191e73de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
691978152030a76e20367444ed07cd30

SHA1
714bd5e09c2f19f95626fa09f6ef1f071f27561e

SHA256
562dad1a48fc8d5450bd78b89d94b4095c37f8d73a86f314165651172d35c0ee

SHA512
4588077b6a7251aad340062c41fec0c47a29ca2602002cf68611910f5f84d73151c8822fe95c025837675120ac8683e5d79939d24ab05e5a4898b43e2789381a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
e993a2ce715f6acc4762022c1b020de8

SHA1
61747e62001e8d5efc95b9fa7c355892feecaa4b

SHA256
37865d1f39867e2f8249aeb068dd37d9105434ca8acb0306cf7dfded8a5053c8

SHA512
194ddbb0e509a5ca5fea36a02455f24e55c9afefe27750bf87a3be6b65f2d376df3101fe23e3accb5746b203ce0398ed7151d6ff321b2436cf5ce3fc303315bc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4d0ce555de6907db1c918781e7955acc

SHA1
6e7c5c980443d30917da654ca71ab444bf9f0966

SHA256
a7719b6207f117beb8ece830f2d7e0ae5a239b010b413c189e301e68c93f3d6c

SHA512
85da8b4be7a9766cb3f16826fd89d1cea8ff0f516b0da19e1165f1ffb9b429680e53fe7d2a8706532a37d5b727a1809a373072ef66739f9a5abcff3a4c59b106

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
34a6d48f915a57dad1127d3a47e4812a

SHA1
a02c713ee0c95ef676323b0218eb59c61745234b

SHA256
248e9e877376bca85dad58b8a0088b1106afde6f11c81e21e4da7b88415fe008

SHA512
2d509742f3b9714a2c36136b2b865a093a5fb01bc7017df23902a24a04cfaf7579d4a71156b4c0b795389522dab3e9296fead117f5ae46c05785fbc19aa1a16b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
2c020cc35cff4a468c80c6aeecee2bb5

SHA1
9d2c4f1071ee86801cfb27ee56edc0b26cab0e29

SHA256
ff03776a7d3ce66888c108522143e92f664648b0ce7381054c531b98b38d47ee

SHA512
9579f910e219b926d25ff6b96bda2b40ee0cb064dcd3149142d677f2eb2ec528d574888d7a4f77fe11bf38976a210ee230be6239b5b5d4982e5d7b4c3c7de87a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
af5533f172dbb850a309af5187d25eae

SHA1
095553063a238b10ac0c86d861f6a45c1884e129

SHA256
235851c191dc8f705a30c69b614040f5aff17bd34f3702bd1f93a97c6dcc162d

SHA512
950903f7c89c667c425164d31878f48c15d2e6fb97c378cf9837c06a7714f2d45fde6c61bee95772e3c5a25829364525bc5927653c64c336005fd30730881e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
bf0858c168b0cd44f2c3bb95da87f239

SHA1
8e85cfc9de03c1359ece8edef258ec1d6b4d2110

SHA256
e6f63bf31f8108c2825179a0fff80679647053923e590a7be119ad8d00c7c753

SHA512
805f06ec43be5d948ab6a426541ce1f602513e7833cee332ee93e94c4081007279dd9c0dad20c780fef59d003cb6cf0dcc754a1a8e8ba787b7cdae6076f5c8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
642fafefae1175aad9323d3839d8acbc

SHA1
fa25a5fb36e11ee22a172dbea20a00d72d7d3d8c

SHA256
f0f78b4ed2687ce2eb1d06faca7a5c561b4c6fa0769698b804e3bad59e736531

SHA512
10fb493a427f2ea70a28c43f4b8609f96010c5f1c5e859d0d16181b194f97b791f39555e02a9200d4aead6c0484abf3dcb0328549122700bd90385f0c9f15d05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
e93cb5307c9ad9ee68504247426c0e62

SHA1
bad5d0fbdcd53838e2fccad34a6d0267281eff66

SHA256
74d063891e7ec5afb2cc3b723780db3a8dcda8017e2c760e48835e0cc6567253

SHA512
f154cde9a26388883048677d9e17b9bc35b20042e35b923368eca49f8b1a028c131d52b3a2c7438fca9a1d9252e79eb8b407ae5a069dbdad72fda0342eeb490c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
b694815c8e9781de10c36cfa60083f82

SHA1
b817ccef101f0d324c39553cf2a3c884f7ce4198

SHA256
d5f74f609587b1b8817ca46305a74b52b2136a3d1ee66dfc03b5ee9c0f828d15

SHA512
ce7eda6958af0f09a976f5795009e7066c6547d28f45d3c7ce931288284349482d862f24c851369ba29c24b4ab3710e2f3493109273089f86ab117bd701868c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
09fc7a4c9a9c7049271f9082de9ce5d1

SHA1
bb86e6cc42557bea9c6d7446763003bf6c3504f3

SHA256
57e8ebeb1d1ef118024a70a449ebabd5c23e0c236ed55f9db5a562f3e01778f8

SHA512
26c0da6467b6c7ec41517fdd660396a6238f978d4ed335d775d0911def323bb8f3b55fda8482528ccdba501fcf73be86076c4d7d02fafef19c2c4e22a6003bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
cabcc6bf10076baf7e5fa438d9f3adef

SHA1
142e1c089269151f75d2fdbd72fc4c2b48d350f8

SHA256
359937c4c12db96cf4c68f2ccbfcc0dbef5a10ed5594c8d825ff11e9ae5f12a7

SHA512
9bf5b3d1b53844be7727e4f509a03b448a8332950621e4b8934579c2fd36aed2b86e00a820c269815d23c88c2330085ff8effa7ab75441bc97384f7aa3fb98f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
6bdde7e7e0a14da58868f06aa5c22128

SHA1
fcfe678fc22bc21d4bea8294b68a1783eeadb38a

SHA256
3e0a9834d2cf2a182be13ce82dc4a6576d861bb3b830c76fe3be60770f1e248b

SHA512
8317c004b829a60650a70a52d53c98a7bd246bb488f36c7fc893a3cb832e2479a57803cf48a548bf5bfea6f987841c62e32fcf94244cbe426061f7b45d856b49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
6aef753a4bc14c6c36bd8d0f54e2e3db

SHA1
44a51487a2dcfd44f270ee7cde6716621f5468d2

SHA256
e6d409d3011d1336c85e63a024a66be7a88c03403dc1620479bbd598d6c66507

SHA512
db63cdaed568ca65bbabaa0e463ac3f27bf7da6ff046511e2d17ea5a2568e186eae8232555045a4692b14c933c9f0df4d50bd92910eb2bdef767339430810f78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
d73e2dd1856e3e8c4b5b326725de0bec

SHA1
060ebf1ce49b5a4f9e1c9752a823576549e67f10

SHA256
fb32e3c5b1291f30af4bf7c13d74496b1d98cc185a3f0355a36cd6d178c9bf96

SHA512
8889d245d6116c2c2ab79848e8f10014c9c66fddec270914690408a77ad95565c465a5967bca8b4c8d9c44391aacb2b7bd3dc8b667dc2a65e6a2499e09e9b401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
e3fe9184d3460b816a70365ed05d1fed

SHA1
5ecf0b636cd4788b9f740622a35c7b38ea9d371a

SHA256
1d59fa3d3aa1bae15298dc77fb935a8541c3ead25a3d55c7eb7e854970eda07b

SHA512
36dca65dac2af348615415b03a86d05311a8f850a4f0ced1c0cd4a87a40c14cc93d9f8c0f68968f79ec417f084a2e845acc82b75c994f3e9bb564c1b2288fc3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
9115784ee67901902a1a039f7992a685

SHA1
8aecb5789c3fda3be1a1dc438ec9d335d2ca4d65

SHA256
2f9c2017db1f614c34e606dd436d1016260d63bbf795de0267c946721a1849a2

SHA512
5f5b4b42d2e60d714a68f9e6bcd7c9a1bd64cefd44513d03e614cb64a5bb76160c9875d1537b77b782b4a8c09f34183aa6a11ba47d1fe38561c8081c79a87173

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
cb18075bf73acbdaa16ffa7222739ec2

SHA1
2b617bc474aad06cbc323d375924da1901da9407

SHA256
4b5009d33cf27004dd7d10c84c076293c5a99f052020cffbdd5a927de797f893

SHA512
8f3cce78243e0a35c4e020294c7de2c4af3268098223b9a569f3ca57a391ce94d9482d61c896752053199452f086c5833125e5977314ba2b46295382ee3456d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
98f97a12f3ae19ee4ecb4434974e2d8e

SHA1
434a3a10e4e1281cf169548dcff976e8d8df69d7

SHA256
56450d42a13077389b803a74d0a7ab2fc7a9b0825eade6ca3544009a756bea43

SHA512
0b413fe75f64a2f63623dbfb7cb680b7fc0fe9c440069e101371015fc92889aede385bf8aa6c5d99ea91c3405c0cf2ad03ec1076f17959f203657ee104e48438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
71c8e3424164470d71573906cb150907

SHA1
d82ea4852c37a54e14a32199abb4cff0a727fd4a

SHA256
f04b848df5af71d3339860d68e70868fa51b90979b92460cddb4df442402beef

SHA512
f43efa9674cd7134629e1db8f3a9b178e6cef4cb130f0917a6a33a36c9184bab303372ce65461acb48a85df951385d08ba439bdd3caa9f8af3bd48be28393ea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
f9e1169f37763611f6d0fa3d1148dccf

SHA1
9bc696e9a13ccce695a69b6b8c92fb91b6401b8c

SHA256
5b251e309ad9152388fb0d268267ed8331daf31bb0b2f4ffb9f9d67d242a98bc

SHA512
85d3e6c75bc31160dc291d73d105f53c10920de92cc2cfc1cb71e3f5e8815fb9940dc027304edee6f8ac0aa6324806ae924d973dbf560850825c585b0ae04d6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
0a544b44178e42252d8ab6f3efeb23cf

SHA1
bfc10a96f10f85fa842338b034f336857d42ac39

SHA256
9434422b3488d760f803a1af48124dd451ea16c28c7ff3493e01fb42e7200518

SHA512
c6480a521f76b27049103c1dd5300284b6de8c8ed22543d69eeeb25963e36860d566dbff3211a0b3feec21cbf4b2ece8b2158cccec9a3dd934e78cabe5092160

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
cf637f44e508ad13438d580329d7061c

SHA1
cfae8f3605fd86ccb3c0bcc52d312e38908c9468

SHA256
2a9b1973a25d2e9c57f90cd8cc349fde76d56cda5ef10c58df1171f20d7459e5

SHA512
d5b6014f304f843147fea1cc234d3f8ce271e56156bb6f168baf13427b805904370c5a0d90c86966d22a93a6a86045e3fd2f9d4f06679bc88071ca5002123d9a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
10555c8618f65a0f5ab5b8ddee1def0b

SHA1
1cc02793e2bced49f606e3d5a4a5a6ea993222ed

SHA256
850d9949fb2d485ca9fdaeb9c5a44b6fcaa65bfd077b369160ae28c1bbe1423e

SHA512
8f0740e4bb1a89e490426cd2739b26be082766e9e89b000b0de7de20fe8f71cb804954441d9b8a2918c08c39e4152c41b4610b6ade22f2415ffe9599342d1af2

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
1d2da564eb015bf9d35cc82654f1af01

SHA1
79aaf235bc9961cf13d329cb89eefda249346cad

SHA256
a1835f5583eee465f01f0903346bfbd43951a88e89680f929a8034fb9342d160

SHA512
ed33ceee9fdebf44cdaf8f74a8e92b59de17417ce1fb1f7c7d761cac5a9959249574cc2aefec132848adee1ddd78a716ca7d7805fa5578e40d7497beaf797896

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
318df5686adc8196388ddf23336f53a7

SHA1
fa5dd763248222f9a96ce954242ea17e09b0643d

SHA256
19f4767ac83b80024dc55898a5ab1356c7db9b7845edebade3c6a1d0483c3346

SHA512
6b8724350aaa700f47cb1ad2a90585768f32c0bcbd2dbe42a28452f0700a91b7a09e05134a129dca702219b7fb108e67b456d0abcf6f5ef04b1d7d26e0c50e8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
f15c346fd01a6f5cfb84171f36ba947d

SHA1
b8638a8b2312164260835088e8e9d57b52005661

SHA256
9c22f641b3436f7f2aef3183dc0a5df6c0dfbd129a2196033627d0ee10e54b9e

SHA512
bd373bfdbb51f19ef80ae0a444e2afced71e13e1d9f3beb063c0796eb554767b841ab2689a62a1c0a7a628df29e794fd661a60d3e15c8e7afb972e2f6e0761d3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
215c52fdeaca731d77bc9c9e378de145

SHA1
9137b808176fcd5f4d0fa4c4f776d4167aaf3cc3

SHA256
1f66f6aad9586e4c27898fc0e9d9856da3a72c59c2a17edc434041496096dbb6

SHA512
487034e2c97426b0f4cd2760157a639898c998a99ed31200bbe583be3b3785906dbe4c3887d927d9ff870a8345fc8c69e4701e88445d026f4cc450145155774d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
3a0f2eb38ccd3c3830d28f34ed75e091

SHA1
b784f4eaef406a6410214eaba1c31fd5d804cd9a

SHA256
26570a173f0693c828e9b2174c6c063611515cb03073eb716d44f02262bfcddf

SHA512
14b6199cd47700ff7fe5f2d707ab965555a7b01b796de5a46a98300a7eb742f4731890d20c003a3db60e971ed25f34d1d20b550bee31097e22e876d4979275c8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
41478d0d27cc64993f8f1df3c222d9e1

SHA1
ab6fc3f7436a6313a9503ba597cf59159090a2bd

SHA256
5241a5009e7823461ba93aabffb302e1f7a47069070db913fa46df2f9d5b52b8

SHA512
0f41aa13d7c2fae074f65a9c532fc045d24a6382c2d2ae8dff3dce24054992b55a904e994ab0e2cec3620e0c8d9f8585db92bc313748be5ccfbe82931f2e570c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
cf8b87055a8afa371f4c3bdc9843366e

SHA1
30326e1466f93f03bb410729de4624f4645c9a1a

SHA256
ea656480cadb783ed2ca01babfeee89e17921a1f12823ecdbaa112a7cf1fd829

SHA512
e7c46a89cf8987ddc0d00580d5dce47f06e734eb32499c84ab8275d5f0a57a5173ea800da64f0eb06f95ef01fa2209b3aef7fd7c3141f9eb507273f67222f9b6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
11a6ad8aa8e8ae3369e4ffe30925f613

SHA1
a514cc5c3c5ac5a6db7c23bbda0c872e1abc4cfb

SHA256
a9f0813ac757524a13696944a061ba8e58a5654af4f6347cf2bfd62c9ab167e5

SHA512
429c9d6bfebe0e798a65fed17e173db4136d9420cc82c076bb210cbf5a84daa2681fa6790aebddd773426bd69965d4fc2581888fff66ebc81e46ddb4fd14752d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5c0877209dafcf2f603a7aba6d047258

SHA1
309ed771dd8fd8f243b72747e06e1dcb145dbc90

SHA256
204ab2303bcdf8a92c9001685a73846ab79bdea8cda567e9e0db3e6d75e8974e

SHA512
6521efb38b07fe6cfcecd00caa7bd444b917e18a2cd0cdb3d2f73253ae80427f7f34f61dace206b42ae55c167783902627b4d6b59b8020d5c49681410de58af4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bbdb5a57a7effada7bc2c0d6e0e5672e

SHA1
536f097c597d8ceb566d3b8d9e1fb6ab296a1860

SHA256
9022052888eb7f7c5bfb8b8714ddf9479cc78b67d642d232bb8f7b87f15daf38

SHA512
80153b7850a22761c4d053d3b2729a661b9ce8913ba4509c116b750b62e09100d45500301e814e9867939798a83f8502e7ee73b834568bf6bfd663108d8a5159

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
6e425c5b050f346f8b02cc7b6f9dfc9d

SHA1
e29508a1143b2cf18625a6f75162629fe0df8986

SHA256
14dfb7f3ccf3fe5a77453e1c73bdb5c7bbb1337fcfde8b471ceb568610e07be6

SHA512
3ef661fb9b19a3be6309670a652d6ee348d8f35f1a20dee32c907930b424c39d06aaae1edd834b3fb4663ee5d1568d84c640b96bc7ceeb090d19f62f2f71d200

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
4f8a1779dde272bb1d94b1b9ab90e86e

SHA1
4b28c0f487761d98e3f1b26465ff64bb60506a2e

SHA256
80e18b78c6e70df9625a6276e1fca9e5957e5ada6e843500ae42b72fe997f2cc

SHA512
fce73383e7f81b88fbcae7e38975499996dfd2915e2950294f723ef0ed744be38525e702fc3f468452d60ac7cf3290bdc2d28db9fdc8ac542da92d4b0ddc0753

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
c385b4e2ab2581f0786befc01b93d53e

SHA1
1dfdd97fccb9f94860c99ab37a1f768f4a1e39e6

SHA256
aa299d60bfdc5d2895fd1ba32caf643f97e0f09b792f6cb3a8399586ab9da810

SHA512
e1f91180777a2569906dba26ceab51a6c6f778201dff60a81f55611c2e10beed7805b35a1af72b7ba807851302bb9ca985c4c1b0a30dd60f3d1a73293bb1a004

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
f9f0b7dbf2a8e00e85fa31db33a00c14

SHA1
3a5daf544b868d139790c88ce5eae7472c9fa49b

SHA256
7e47b435ed3de502d32f981ecdb6053501667c0645bd3aafe01b81f23ab11f0f

SHA512
ccd748bb263ec381bc304217cbfc0fb8c1755593c1889da6590c20c456b4903d151f5b5f36837e716935fb81c41898b1bfbfa8b95029f7ee70926faacca67334

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
4e176d638c592c8e0b68f0f621c611b5

SHA1
0b3edcf04c1e291889c605ac0dfae76f27121919

SHA256
9baf72d9d268add62c0238b2dbe236e2d15cd2791ec97f70c65796da7127d0dc

SHA512
9eeab90d18b55c6f3be5ccbb944fd1713693c94211213a3981892f87d96c2659d242bd689ffbd9125b2f61c2638cf5be1b6956fd35b6ff704eec1adb9578fdd7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0de8f9dc4f235953eb7f082506d798db

SHA1
68d24f1965010510d33687e4d8caad8c11a3176b

SHA256
95284d44fdde08dc4bc1dbb6113d0908d4b28d672d7ef21071108ade3357c48f

SHA512
9d3db226afe9255dcf3d1c29572999df1a13ab2819356711ce63f83ff327907e2e1151d310008827030551b7aee9b49bd0ce7ddc4f6da91c6743dd9e70d60293

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
57b94bd2d1e5ae20f2ce86a672597570

SHA1
8f2594bd8750abf8ae310912ed7fe8cc842719c7

SHA256
4415273d1e9278d4979c2eb7a5c30bcc833fbbbabc5a3e96334219ad0ec0b001

SHA512
993f9c7ac7958e9ad92962fde07b0b9a5a38e7b164d42b3b6f999abbbf53ad14862f8dd6fed8fd097f7f30061f77d94a181dda1c133dd9b106170b7e5b48de1b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
e8c28e7b04dd47b455f172c1f00e961e

SHA1
1878383c7f41dcca34ebf1ecd49c390e035bee35

SHA256
7ecb45c0d675f86ca261ab8742ad2ecc6b5ab18aa8271bd834537a2c90b9db95

SHA512
0f810fb0df1444061c7033b57da6acfd4afaf3387c4e4ec851df8ea71f720c93ae2c7eda777ab27a930e169cc9e3d4b7119b90d22a9261feb43b2037ce818937

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7608486847c33161277c1bb2231c6372

SHA1
d95fb69cb22b442d71db61e34f94aa565e1b2291

SHA256
92646d509f77f45a08c77e96905d2d431f3fa3995a9724dbaaef41bbf9f4b5f6

SHA512
9dbbd9111628733f489d2231274e4f1377de3e0422f9021a888685d67d3f8e18727e9b9da8790d59d11d2f97851d076ecda261202f062da3f08288154018bb0c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
4e10fabea13895c8d348e678719857a6

SHA1
8c229fb06540107bd83fe509b9cfd70315b45e52

SHA256
dcf65bb93111252f2bfb50a29a226469d5746e04748484c3135cab4fc7d781c8

SHA512
a3e7050ba299b876aaa30289e29ae1adc4601c5a9426a519c0cf82d0656b968f05a066e7d717348a10c3b5033d29d95a4a6b0bbc5c271b456e0a4b4b2c2e73ec

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
f84e8e47c160bfaebad1243cdf45dfe0

SHA1
53dd15d9e129316eeb29f42d01bb5f829414be87

SHA256
f7707965278fec395e8c6d28f469d206ed4cefa7a1c1d42b4d4bbde75af73f86

SHA512
7625fd2e128dcfc3b1e7d40de4e042cb1df29dde4d15c9e5b577e48acf8cfb7956273c024d5e7a2f576a8da1fc059b7081fce8452679e67eb99596dc929100b0

Download Submit
memory/624-110-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/624-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/640-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/640-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/696-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1512-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1536-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1536-25-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1536-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1612-111-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1876-54-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1876-60-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1876-62-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1876-66-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1876-69-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2076-143-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2920-1-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/2920-6-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/2920-8-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/2920-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2920-93-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3208-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-407-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-508-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3532-90-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3532-84-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3532-102-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3568-161-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/3920-160-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/3960-82-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3960-73-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3960-79-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3960-507-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3988-514-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/3988-198-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4016-95-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/4016-509-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4016-103-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4016-100-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/4060-159-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-158-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4384-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4384-317-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4384-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4384-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4448-197-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4456-195-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-368-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4900-68-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download