3ac9ecd58040e118a22aef26a9f5c6107e2b720cf5a37f7057025ba3fb565be3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Size

1.8MB
MD5

bfaf4624265d65557f4f250e0b6b9ed0
SHA1

b03a63108c0d9ba5dfa3a0ddc4a1d42860afd93b
SHA256

3ac9ecd58040e118a22aef26a9f5c6107e2b720cf5a37f7057025ba3fb565be3
SHA512

0007c0a1841252ebb86aed9d995e8e0c6bb0be24fd3d352e3dfd04373ee621613aa00023e4cca1bbecae69fd96115d9e906f0f66a217924b4bfe70cbc9292cd9
SSDEEP

49152:fEtnrICSooGSTs5xbX022fjBxrj3ZXvYMLprznyDSga9:qrICSbGSsH8JXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1408	alg.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
3284	fxssvc.exe
3612	elevation_service.exe
1452	elevation_service.exe
3972	maintenanceservice.exe
5036	msdtc.exe
5104	OSE.EXE
1540	PerceptionSimulationService.exe
1584	perfhost.exe
4404	locator.exe
2920	SensorDataService.exe
2336	snmptrap.exe
1348	spectrum.exe
3216	ssh-agent.exe
4376	TieringEngineService.exe
920	AgentService.exe
1588	vds.exe
1404	vssvc.exe
3284	wbengine.exe
2952	WmiApSrv.exe
3848	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8064cb6293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007574aa765aa5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d0bbc755aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ea3bc775aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f4b3b755aa5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000393747755aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1f4e6755aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f706fa755aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9b267765aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe
2480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3284	fxssvc.exe
Token: SeRestorePrivilege	4376	TieringEngineService.exe
Token: SeManageVolumePrivilege	4376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	920	AgentService.exe
Token: SeBackupPrivilege	1404	vssvc.exe
Token: SeRestorePrivilege	1404	vssvc.exe
Token: SeAuditPrivilege	1404	vssvc.exe
Token: SeBackupPrivilege	3284	wbengine.exe
Token: SeRestorePrivilege	3284	wbengine.exe
Token: SeSecurityPrivilege	3284	wbengine.exe
Token: 33	3848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeDebugPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	212	bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1504	3848	SearchIndexer.exe	114
PID 3848 wrote to memory of 1504	3848	SearchIndexer.exe	114
PID 3848 wrote to memory of 5080	3848	SearchIndexer.exe	115
PID 3848 wrote to memory of 5080	3848	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bfaf4624265d65557f4f250e0b6b9ed0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:844

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1348

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
59f4a912d0d81eed98e2baf9682e32e6

SHA1
83ec670a4aa2f9188239cadea1000323edd3fc6f

SHA256
79bebb8e55bfa972b7bf952c3362e43ebe9138b930d765396a8d1a08100eb3af

SHA512
0aeca1950ae38239eab74023b572e6740ebec85916f3f6554dd03ecf5bf86edbae5e477732367567fed93c37cd4cd22410c8f937086a98be7e0fbfe1daa31abf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c947ff7ce527b66c8551dfb5fb017b7c

SHA1
3cc3f7d90f2af39a9ec1ebb9b018294648891db0

SHA256
c6822dc9dff2e1283d092ca091172330bb0ce312278bfaf315eb2dc85b233c0b

SHA512
65c2b7f90788f4a548d757f3f196f10d7d4cce923e9978de23224d4399ca977a598baee26fe76f5c346e8c44abc1fc7c48d0e13b529be6f850b63e2b61f5d0b5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c53ffce735efbe92707262c06e7229bb

SHA1
28cb44ad5791184d9b57d09975cee1e6b0404da2

SHA256
8d8fecc6679c37774199da1f59a672de1fb4eaca94b01b11e5766253b91eee6e

SHA512
3bbe4ed53275fa2c096c74890077f405ab44183d5abfa4423d03c3e0afe560789dbb123c23dcc23dafc26a045a3d33849f02776d0a1029b9f52c1a4d21c63930

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af40ba537b639600adf11288507d5f09

SHA1
2607d232be8f96b09f565553b309fff060e845b5

SHA256
b357425d01f134e119e94b7123c613f7f97a5afdd4fb68ed98b7521c4fc9753b

SHA512
77687b7ae1344d46ebaf3f7544aca470d0cb8137254bc16226bd2872f32e6cbc70417699f6fe2e4484a6cdf2e1aece6be1eefa8124d8032b5f4a2946ff55c4ff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
90824075dfad57b822cff633eba46e8a

SHA1
92f0aaf6e4d829849579762c4cfa3c2816a34af8

SHA256
76abe32bc64af15deddfc354021541f61b488da587d641d12a2874e57bab791c

SHA512
884ab5477a0224fa9d7327730bc12fc1691657fd8ca45d53960e190077139a5bf2e2108fe7a44016ea932c03ff5a0770fde343776fe6feb3fb9aeea544293201

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9cb792fc6f2fee2e59af191f661214eb

SHA1
a292d1743b7d2aacb6c89d5071f96f585fafd783

SHA256
e05f0173c4f24193babf920802cbe040ebe7555372cd17222f7e3d567486f52e

SHA512
5cb9e2f74002fae2fd4474ab6c5eadee5c9c58490e0889567b2c67dc471eba8cfd429899cd716d94391da7fa46e9d779f8449f8fb54e3de76329024476b3e8a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1d1e9267869ce9731ceb99acea05f43f

SHA1
af5d1629021dcd2b344b8fb059f31b0c02fe9e12

SHA256
a9bc4d12dab301f7ed41d10dd3887e7e09bb90e58cc167939c21e1d7b0f4308d

SHA512
fe9609b94e8046d6fd83af4f5a383bf3ee510da7d8b630751727827dcb8ce8e50eaeeb67bf9de059399a28de925cf89df185e8616ab4fda9615c95bd07a9a8d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7e80dba6c94031a9d7af1d507d25c1be

SHA1
ea3b04ae6b6f07acca080af9de94b98f58104df5

SHA256
63fea8699c2db92d434be63556da2ff414da060fa2d8e831dddd7f23760a107a

SHA512
adb4dff861ddac04c22870fcddc02256da9cee5be72c14ca6cd384217a75a7d07f22e1313700afc301142c59b790c767da45013fea2bfaa37c654e29023a7579

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
67f34a8fe4e95f98b6de41b46aaf006f

SHA1
aafc2bf995027f2088cc1cbd5f4f0bfa2a0ef4fa

SHA256
e8f8eafe64f9d7e30442fa732ed35c02a102b713fb56eb2b1bac3ac9e231ea3b

SHA512
2fed85b7a18c06b84ce08f3037cffc28cbb6ff9758295188fb1109caff30b82d8b45ed0eb4ff9bf6ff74ddb969a23862c4a66235f192e5b8c0871a198d1e33f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
24f44196e3687d6d054268ad53d23921

SHA1
84557fe7d9b686cc1d8be87e971d31d232ce6d44

SHA256
7d38b8ac176deb82be03ff815570131780b0df84d6829d4ce8f0833384b85def

SHA512
4ec3da6ba13918494aea4bf4a7d835b7ee37a8bd0e4643571680bb6987276d565aa6e0e44791e02e0a20a7200d2817f9bc9f0441d114931cf703d41d6546098e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
de1128e7342b76659b1f6ae328e96365

SHA1
c1e674ff38dd061b7cc7b050c0510156f5e8b1f2

SHA256
de718cb39d30b071fca523e2c80abdae1b744bb42a37a45346da6106df7a3893

SHA512
edc9f153bc45b4137adf624660e262e93f781a297891a4793d2e8f0a20e6ac9a8ce549c4eb40fa6f5bc5fe3f034211937d1f118674f83abb5b68dabebad0de1e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7d1483ed965efea71b06e0a6d8d952ac

SHA1
c957dd484a5768a59a6f3e123509ba6b60ebfc8b

SHA256
a7add8a0fdabdf752886a3ea3031abe712aeb445decb70ad0e6a48a4016d6ec9

SHA512
dd8d0e627ef419f2e5720693604d67316931ae60d81df1df6e6b0be2580c4152a3892b67cd55996ea6f61223782a53d6b6a7ab14b8a9ec62d893c052819e9028

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c2d7c9013d16e50eed39f42c32c5e0ae

SHA1
66d8eff433cbe6b612bde64a9b97e267000f1e00

SHA256
1a82464f43c0a56d10da5c145337289f205193ea79d29e25b1d5306ff5370028

SHA512
b4c888f4e6cd464497318cba4895644c33f178038ff12cd23e2d9c3f55361a7a0577dcd92a5900016d517aba650e3d8f6fe1c59262deb83c138bd4e563851d8a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
468b7f8379f1771ad48f29e7a36cd161

SHA1
c90112bc4d99e16420b932a05bd16d8277e4174a

SHA256
548a4d684cded1abe587a55ccdaec3450ae576bdf2043de6d0eb88a544a6f175

SHA512
8c41bfe9f8cf63a276d81cd35e6859d639a87246cf5f4798270eb1b619ee8279be9d59f68ca63ae7619f79d547bf0633b8d6d18c783c08ebbdc97699e65b53de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
52418cba856d3626b0ba179908a7d0da

SHA1
67e4f1366ab78e2c1ee2588d0cfe22d91c1e6f2b

SHA256
24ee670767bdd75eafcb6b9efc9dbe0a8a5ef617d4e589b4a5fc345eba51b233

SHA512
e36546d0547eacb3853effcc7a25d675dd4f847a06c074a3977d559f348c0648981b991120e258a100cd4e077b94354c292d5d37aa13104c684c0f464715c607

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8e7aff7a2a57c6f4b4ee545763e77e36

SHA1
b570ba2d11fb9a7dc69ed976f10e1bfedcf13b63

SHA256
25c3b74ade08539a3fb18b26e193f3691fe9c3d1dfa8e0efb7a9550293c441a9

SHA512
c41553f5fe04006ec9fd583f9105b47206e129f4c4e5f31d0455b0ad4f03d1f0e91ba46da3643a581deab94b99a347b362c6d9b08f5c7533f72d03dbd35207a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d10b17b814190ef7b9b96f5919486252

SHA1
cac97dac3b2918fcb2ce5bd1e5c0d00be3653cb4

SHA256
feb5026be7af6ec9ef6bca09390febbcf74a21c8bc1d6c03b5c5bc22478c1deb

SHA512
1935fc547693b360805ba0acdc0e4833fa085e805a7d19ca9a2893c2e8f011ddc0818e7e98619f36b6b731df8e31388c2d0664e2e1865d78065f7513ae980576

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f4070ce416628df4a19e5f50faf0db5c

SHA1
5582a2cba9e4c4da268fc64ae1c0b1ab173d977c

SHA256
7c8dd96d3d32802b4ee63a7d1144e2526f407ed8b086a9f2f2ee9fa7f3925fd6

SHA512
f860f61476d0728152419158527a5bdf601eaac654fa25df9202e731ec2261925c81c932d48097a7d36cd8d54d1fac9858c93678d871f8ad5bf240ecd9946db6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b772162aebb4f24c6a4b89c66595b2b0

SHA1
98382d0fa9c7b43af51a4787ade9e78efe3c3f27

SHA256
b9b4933961f2d0d10145625168fa69ecaacc6a79ba1458674b48ce20476eb48c

SHA512
71314c49e1addc9ebb3d0493dd4605de557986c277749e39d19c68fae287a340472aae06f87b77bd483bdf459b0546dccd228c00d6a1bb46ec3573e015ae119a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
996d8f355e93187a95e59f4d190bcf19

SHA1
19157775bea432a9f3707b9b1b06f9446297efff

SHA256
bce965bf14733c45f004a323baaa2746e8656efc2b36c1a0db69a3954f98201c

SHA512
1bb347cf819ac6d7c1076ac0a2b73cb63717a783bcb8a66076df1684cbf05bb0a9d7a3f8917e3ea51f5aaa1801fcc103211d4c25a55908b879598cd009ae7c30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8b7c002b4fa6e40dee93cf99a67cf867

SHA1
e122334b356c46fb8048a857f53378dc3da55ac4

SHA256
e6b1d8644461780d5dac2f39872c66c41dfb1b50f64af3ec8764ef0990d090f9

SHA512
bf626f8547a397e7958de2fb403897975d98cc81af95c699aef92ce51003be3e253c97fc99d73d74f317658dc9e329a787c2817c78203ca7bb333264288427a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0b53bc15d4d359596d47236d24f79bca

SHA1
81870aa5352bf1bb4c071a1c663b923c7063172d

SHA256
3b5c99be9d28f6d486057098f5b9f83afab7c3443e8478e1b0e6b3f51794ad0b

SHA512
696a0ddd2c12458046d93b8bd0a096fa7debb37852129ee60730350ff672b3d1bce5a2d9f8d020c727147dc5a8d2bae4c8b6d2a4dfa8b22fc794f0cbbf5a099c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
aa651d4f1b6d725982de83a4c733d0cd

SHA1
6118d05dda30a1defd71f361b5eee440868241ac

SHA256
a9d0115aac14ff6e1b57d0274e146fe6edea8fcc4a94938b19372b6ba0377452

SHA512
3a2db3b0a16b93e40705fba5573bdfc13e8e298407f5017182424b79227c363a26263ac28f3494cb1b97d29904b19fb2bdfa70603396d1ec1ad8c5340a688da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7f954df48b3e06db79db97dfe68f3274

SHA1
af3f7009eaeb06e971620039e5c23c8d907ad2c1

SHA256
a295a63dc9c33c6999dfa6320b05d8195c5862d2e221ca95335c9e767f8b1c57

SHA512
db173e97652c6774c9155c7069b06885c9a44ab928269c534343d6b39e0b91edbf790fe5bbbadff5791eba4a3b4a94a4d20bc5959a254c37587b1f83e9ef91f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
21d2da41afc7aff396047dc66a7957fa

SHA1
acbe9c72f587861c45d28ffc8520af29e3fb5eba

SHA256
311f4484c47195679640182ffa05c8fc504e99436e7ab0ceb1e14cd5655e32e6

SHA512
1440b46b516a7faf3664a1990dc898f7eaaaeaacdc74e4631639c95e5e235b81d369bb229ec24f9aa0c490df369750870e6340d070a72afe26e4db90de69b84c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
94a756cb85a66d4f80df845e7572d7a9

SHA1
d805bcde68d1d43c838b08e3f3d19d17dc92c2b0

SHA256
48d828364f2895a8fb6dc8b251cf2ec9752ce5a2a5bc5790673bbb2c49e7f6c2

SHA512
5828663558b06ffaaba7cc7e66149ad0737769e903e89936c2642d1e9020777ddcce5776f7795e3f5795775822d9f26dd9f23222c2a06e273e3250876f3c1622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
002b80a06b2717e0d5052e53e3d14461

SHA1
c226e9f971d3347db66061ef423a72162809072a

SHA256
fac73c26df7280fc78550c788a0c76526ae6d84d38e3af1705abd9f638771242

SHA512
e5cc72e37002ae469570b382b5e29c3b6e5aaab2989a895b7a0cb1c5847e493d50c976219acba08e812d28f41c26fa509aecdf0068c853251406b0317d09e03a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
85a32f7138197e14f01dc92de8fb8a2f

SHA1
e948bd4d18a1452a87f9e4c750c5bedb1da503ba

SHA256
5478c3d036149a6a57957e896e1dc62f7f6925deb81e9ffda3c8f2b3b9c1546f

SHA512
6fe8eca146b8b5c8596b2b3a8ccfa228e11558749c09364827d6b9b23a879e3db875c6795cdada9ec5b7a7680a9453d526419927418586a31e63120dac6d91d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c1b574e207ad1a65183d322fad8add81

SHA1
949f35371f1385f9a33c818677ff014a09e0a0e4

SHA256
a125f5eefa29370dcb697f90f950ab34b0e27e1f6bc4978ab0f401aa53df8320

SHA512
cf90577f1ab95a99578efbc4218350ad1c8ad7c226e44d60722c12cd1b15fe76837c5a063d455cd25d2f243dfd54d88eccade4d6c1a0c314deadb8f7d56facf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9e054a33601b0f2cf73f0bc91a8221f1

SHA1
dedb9954390ae2fadcc6fd2287d1cbbd1eed24a0

SHA256
a49b72a067ccd7d2d3d944f98c88a33a47566101ad52b8d3c3d1081896ef20ce

SHA512
8bb6681c8e38a57199fe7e8071b52d71673e8ea8f112a5faaa4a7d169dfb9bc641bcd9a32fc57657820e61ec5d9684391e162bffcc416e5232b928aaf7edb2b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5869a587dba26815c4f5edfa9dd06537

SHA1
7a03f8e023ca2cec5a714f7b6a7e4e3cba415f45

SHA256
77f6ff68d6c9b506c2c14a8f790f59cb24be9cfa402b9640408cd382a29bd520

SHA512
3ed57c0f8bcb0b1414f4e29003df8db45ff2a86aecae7c962c02db6bcc444cfbd844d95f6ecd0f74efe1e843c174c6a0e65ae5c1682f70e5d961254f0a0aa462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0c4b656fe02f73eb9b4175f0be7feac4

SHA1
cce97e3a3b80f698ca383ee09fa76ec661abf42a

SHA256
de761ef5782effa8f4faeeea4dee6848a63d3e76015abc9fdc26c479422d94c3

SHA512
ed28907df9d18bb0baede1424ae520bc1480e9cc018634e6e535511ca0dc7b534756d56866596ffca0af7212c2cb3cda7ae2b7707d6e6a73a22d83b681953aff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
73b3b4dd83f92fc0252dab4aeb1b6a51

SHA1
0b33843577566821759cbc450566dd2b89cb6a8f

SHA256
dd87bda2ddc2b9db170369829ca0e22fdcf05bd6311d6ab32724952ff06caa49

SHA512
30066d820b9b73e9a00f9f4db039c376014bc6e8b2eb4284b96554051bba362d02c00432fa8964599670bba57d0255db217cb700f6bbee8528d427b1fc0373c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8688482d16c00cf3fd9da3bd54f45ab4

SHA1
ff36bc3d68b182a32113d7d89abd95b42443661c

SHA256
bd31806e45828d957c14d5e19b7a8adb621d99a6de4e8224beef2ea28ca60942

SHA512
31162b0f2c36ea5eb6c1f05fff38accdb373c5bca51310c5c14733e970a4ae63ca148690d07ff8728100357705b88bca41ce831e08b0fc3293659016d177248d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
cd0398940e6d8fb189158a89ee8622ac

SHA1
97e50e721717c478eadf77cd4bff17acda9ff2e6

SHA256
1e85c6d3c27c806b3c8982ad8d00289b88062f5f874928982174b981a422d9e4

SHA512
7229bcde3857ba2e925a945d41c2c2ab9885d1e4c561d802815bba7f300437b62abbf377fb0697c9ee60ea7127d6ef4517d40060eb8ead5cdb118020decfc5ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9fce1a1d3e1af8861f9293e8d45de026

SHA1
8f567bb5c5c17350989582c606f7008673c94091

SHA256
4ecd0c2328d181f79b02db913f266421d85372330000a299a7f3a5f2f2eaa69e

SHA512
b0e360cbeb2772b985c129b4b7a5b9f49118b58cc156e712e6e0640cb3d4c82cbd3265d5bd6c2004c94568403fea907caee8fcd9f99d4eaf6849ea2052e782c4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0b0db3986c62c1079113e4e3f40fa38b

SHA1
91c98ffceee7bb715a36502e5b56e9449335c894

SHA256
2e66ec9e02e3b58a322764081e26d756eff89de659743f7e23731803ed80a83e

SHA512
5d79bdb5891e86110225f8af055a71fea072caf4cc4dce02eb3c534d3f8b627509d1fad94780e905573cee7548915f49bfe6f16ab7909442459ebeae0a3543b8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1585ee770d46e757fbdaa302f44e3c82

SHA1
db29f9069bebf934bf3434b49b0f45399bc095b1

SHA256
1d08b91710eb0a3ab2d25b58baff5797d780c7ebf52b28fe09447b7af9039bd7

SHA512
a05f4bb2a00f70c137ff3c72164e145710ebac781f52c669029054ac75f895ca5e9deb9915a7b8229c50c9df955144c517cc1aad5e22d77ffe05c6639a9fba44

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5670c72170b7d79677c15673a6521ff3

SHA1
5173cf631d573ba64a540c7d55db578a34ee1a1c

SHA256
d1ee5939a06b6025e0364fa4429424323eca8073c2eda93392854eef2868121b

SHA512
6d168e787beb7bb61f27e6e7e94673538109095080fd1621fd125dcf20110d42f1969830e4ed4f2f9f9d8d4a0aea468a03677ee8c653434bce1add157b545836

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
905923c81ea552c1266855cb5a1cd8b8

SHA1
235470b48a32d1aef38f218c29a94a1fd3fc94d4

SHA256
1c2d15733aef41079edf9b09f2d244a7950fd8cc4cebb266b28d72fe9741fa48

SHA512
9ecef207635bc797ad64f701fb2d6a868128e4fdf971772797fa8901b696e3130771ed55c294399c3402f1812b7b6a2c9d9ec77cd0fc8d2fa7e2324c600b1778

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1dceaca7276373058160254cf576c6d7

SHA1
aa7ffedbc2b4e7a771e3dab39047aa6ad9799edc

SHA256
788014e2e8d7c438801a6baa19ba989d4574c0bc774a6d156b97e4fb8eb63ccf

SHA512
601a6bf0bea7d2a98e57e2725589da6b85fb77fa1128713175039515def1770dd8ff1cfa0a59e0c5f734d59927aa8a094de542ead46d920f8eed84df0c100178

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9a89534d3c9b0c705680cbb327cc57b2

SHA1
9a1b98240fbf2847eb81cc634d8d0589dea9f951

SHA256
7c43de55539a50d45d98554f74cb025d2049398330eb0689cf4d283bc2b5811f

SHA512
4d67d56a44bdfc6d9a6ffe983d5d387b04966fb52370b3fdbb708e8aa13cd266f3efba39b42e0bb7c1510d5bd8af400ef1bea5edff1e6402e7141b7256ef5ec3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
06c7b63d40d173923681bfefc8e23682

SHA1
ca89172857db8ce7420f5f352e21f7ab1709f54b

SHA256
e59e0858ae40be59ce7725ab7095ed2a13f428ba704f2abfa75256509ec79a53

SHA512
5311830482f816ea7cb99b2ac8226300b664a1249534bd81e3f6d60f3bec153cd89247807aa12a5c04dd858ac5c913a52547cab3b3dca080ffc14f550bf45dce

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
744c50ab580d2c4e56b6b2475346de68

SHA1
76c4670504c8d74d798d494c0b210062a50dbbed

SHA256
5c016f7c70d1ef1d7247ab00a71fc628252c7c6f55c4f82d732b9a310712ce73

SHA512
a28cc61b1bc014db804110bbaff29bbf87093c6ada72f5e92887f4d3d8944e45810b3b13088163845bbff43f97ab8d6278bb2bec61b8c144b04d5ebb2103f566

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ffbd26873622652c21b3b5dafcb47b21

SHA1
242306202ec9ec4247506a7a38d1a8ba2f80f762

SHA256
98cecd416c24e0e6d99bd7ceeb2f6671bb18722be947e70baece9d7a6bbb3263

SHA512
e402a0680a40566e4a99c1c4f6a2ccb43f83e3e4b4a1868b1f2d15506d78ea6859aec786d673af146f30702aa3efecb29187823cc37bf9fe78fd11e21e0ca617

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06068cf5e92ad52490863f9bea925c22

SHA1
37590e3eb2eba524b50e06fffc2e8c4e684ebe05

SHA256
ff3bf684646d373dcaa34913a90145c79dda21e953994255dd2e68708a15750f

SHA512
60802d08b756fc9cdf25ae8db706ec1e0508c307eaa214faa33707a881b95d362f2dfec2a6b84b27e31a22993285736c3818ac3dd86218884e9ef41e59609eb3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d7f44c4742434066e76b9931aa073834

SHA1
28b7344a4c6847bb7497d11e11b7ae51dc33862c

SHA256
68b151a0e6dbfb11cd25a75f9e9f833c297992bfc88e9f279df1230ab77c4c15

SHA512
63d5473b4d72a9f56bdb4359fc3846ea7ea097d25d09a2f82ea2ef52ebd3e78083b005f8edb44886b856fde2cfe071fc9efc6d4ad7f9eae740dc78368ce6b7b2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6180ee5681bd77cba48f0fcc8e78d47b

SHA1
4a074a9f7e733578390abd275e0cb4dde3b3900e

SHA256
ee5522d35a52e9239a281258b9b2ac96acfa2cfdec00aa581dd78d40649a1a2a

SHA512
5c39be30884dc0625c9c1653ec10e3767096d62a7460b3e3918faae66a64bfe8e353cdcf14e75cee832c3cb6a00d64fadd626cb85089dd2fe91787f02b01dffe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ee24d72c44f8c4db465cb358a5ed00fe

SHA1
4d103994effa9ab391ffa26c063a641d04d94736

SHA256
23b7563410f8ebfce0544b60e148c3e756bc5d4718ec59e54bc353b184a55952

SHA512
e5a5e4946e2403748b580ad8df06e0727c55d1ba01807e2795f147ce8f573b0c7aac22cefc320a8bfc077b8d3de83de875a756f9d171fa3d02596a6977dee642

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
048484983932d1abc0ec33a7042c26a5

SHA1
2d4bea84b649a338af15521f88b6c35a46927c2d

SHA256
08ef6e504cf554dd8ed250f55c0a71531e1d4d9cd3467e5d5c0df7530c832e42

SHA512
a659f5e32ec68d420f41d907e630b3f57af33161d49c7a84423241ce120605366fa0fe944c11024f4b6e6731b671f05e7b41ebe528a49e71d0a789ae039d3f97

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bca0a07aab6ad0959550c480542fb487

SHA1
1a465c55c65d9795a47c5c15a7a0e3b7c02979ab

SHA256
4b53882ef4c948897247f79773eee3ced50c1de514160f89d6c4095e09ae7470

SHA512
bfe379762db95411a3d1d52cc41ae0bf0a75ad3a5efcd3e3e26a87ac169f0466a56d0b00f4a25b6c11f12e62b6710411bb85838dfe49450ebba9dade5d120c3c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d2015b6bc1fa8a11c86be8e8220ab091

SHA1
932bb2ec0d29fe394da4343511df6d9845744e59

SHA256
bfe950330d09fc31b5d4e248ac492f465a15238e13e4aeb794321645011e6030

SHA512
3cd105070dd03348e24181b89ef37036a1554b7e4f28ea95b69ce6dd079dee8f13bed001f12fa187b646cdb0cdeeb094c791850e2d112d8159175de459b77e3e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d6dd42953df27a1179e095a42e6a43bb

SHA1
f09d9b762a445120ec260f68c3c2e3d801112dfb

SHA256
39a86e59f4c3d4b17006aa5718b0875a2e4080ae9fb69517409e5c8f1e35b9fb

SHA512
51b8826f7787142193c929419601db5fa247fb6750f8c3b58953961c1bedb17a24465221d6e82ea98a09f04eef3d42a2650c255e0c803fc88512766d44bb33bc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c1f4e68af18d50e2431d14ea4372ecb6

SHA1
5cf97f187190905781736885cb693a90da77f7aa

SHA256
44a55567c56d89cc5a3f6d9eb2a9352a868d0bcec84314b479b8c8a308cabd7d

SHA512
3fd68e12da2c19c28ca20cec02305a29b6bcfc32f51037cfe2cf823c649001b93ec319bfbf3a488d9c4cc894353bb63f2b62fecc587bb457f1b83ab5ec5d8676

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
26cfb27c07ecd0eb159a0b8c7e92a07c

SHA1
3fd5f163b95024b7380cd06252f677e113790309

SHA256
39f922f97f4a0bc76b1378c6b0d9b1680088ace8ec0a242f1cdf6150368c038f

SHA512
0134c6fee6bc738457b2d27f1c6975076b78f009cd1fcb5f5accb56acfef02f60d599a52c23fc03f4a86e5c3e856c4deaa840a2b4d86aeb1d0da66615f9c076a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d3ee58cbee1ca9e51b8213559c944cef

SHA1
9a2868e416a4d68ba0b3555e98f87436369bd2a3

SHA256
8dadea2f9a2d60d95434265c1d97ff9bc112a4bfe61c1413c1713931a3793be6

SHA512
ca5b6b0cfabefe1c4cb5fe7cbc82fb972848b834ae9e56c86e6fa0d6e65f07c337df6d378b0cc295686dd755dc29660229e6f0af4b384f1a3e260424542858e8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1d5917f7f2bb274f65ee89e69cf4f00b

SHA1
8465623b237ddd84313318e0c80b2fb5c201f47f

SHA256
fbe8cf2d7ff9733d6e6950ec07da981bebf3eb8f64232c347aa42b21f67db28d

SHA512
29bf93af76d410762efd55b7f481924937983deb98a90c44029f33d6509177b862a7f28c673787076d7b414effe5af7ac47abc8cb536573fb478efd2144605fe

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
cab4ba7af4534decf74dfd79ca913936

SHA1
ee6b2c5e2d625cb5a1fb7a6b658c32bf189afc51

SHA256
c12303e77c3a720b845163ddf30c98bc506688f80517cb184d1d69b7b90f4e8f

SHA512
3e30b5d37fc8ffc026473ce45dc2d6ba72e039d4d69c4bb05f40bdded83a5ac24ca0e1b65327446c22daa5b6a989b342b390c48d6ed04fb6d46ec0da7b8307ba

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a25256a1b27ea18639970e12f5926f28

SHA1
ac41cd8461f044f4d00d27904d26b1a2de52d70d

SHA256
dcb9bc1a72c74aeb36343e0af798e7601ef4f803b185b9b5c2a9b627a0d85e4e

SHA512
fe99b2abe816357d89c335a73a89ababf65bfadf52cb0a740db50b2a29b81361a8e0ad6a421e84e3ee410ffd0da811f33e85859ac724c267118435a71488a2b1

Download Submit
memory/212-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/212-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/212-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/212-74-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/920-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1348-362-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1348-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1404-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1408-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1408-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1452-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1452-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1452-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1452-146-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1540-89-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1540-98-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1540-95-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1540-161-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1584-100-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1584-105-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1584-110-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1588-419-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1588-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2336-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2480-109-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2480-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2480-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2480-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2480-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2920-398-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2920-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2920-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-424-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2952-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3216-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3216-415-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3284-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3284-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3612-134-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3612-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3612-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3612-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3848-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3848-425-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3972-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3972-56-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3972-62-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3972-66-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3972-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4376-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4376-418-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4404-115-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5036-153-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5036-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5104-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5104-82-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5104-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download