1902f98c8656e273d8599937f01c94454f1cdd1eed70564a634b6616bc3bc6c3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Size

592KB
MD5

56ac9b30c41140f3e24ddcfb6df5ae10
SHA1

b3daf56ffd0c59d8c2bcdd395a9475cfd7675c5e
SHA256

1902f98c8656e273d8599937f01c94454f1cdd1eed70564a634b6616bc3bc6c3
SHA512

50a135d645b2898254577e0d63967ddfd47d3e0e1966f66b152cec09e40033df0deebd52ec6d68880ae5fae16967e4a6e3891e60b4352587655eb3da72fb0251
SSDEEP

12288:yUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:a8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3692	alg.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
5000	fxssvc.exe
368	elevation_service.exe
4168	elevation_service.exe
4136	maintenanceservice.exe
1544	msdtc.exe
3456	OSE.EXE
1780	PerceptionSimulationService.exe
2044	perfhost.exe
2976	locator.exe
4520	SensorDataService.exe
4276	snmptrap.exe
4868	spectrum.exe
1356	ssh-agent.exe
4320	TieringEngineService.exe
2036	AgentService.exe
1044	vds.exe
624	vssvc.exe
4500	wbengine.exe
1600	WmiApSrv.exe
2628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b64f7df04a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f29a37941aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006345c17a41aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a32ae7a41aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091ef887941aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4fe697941aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f13ce7941aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeAuditPrivilege	5000	fxssvc.exe
Token: SeRestorePrivilege	4320	TieringEngineService.exe
Token: SeManageVolumePrivilege	4320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2036	AgentService.exe
Token: SeBackupPrivilege	624	vssvc.exe
Token: SeRestorePrivilege	624	vssvc.exe
Token: SeAuditPrivilege	624	vssvc.exe
Token: SeBackupPrivilege	4500	wbengine.exe
Token: SeRestorePrivilege	4500	wbengine.exe
Token: SeSecurityPrivilege	4500	wbengine.exe
Token: 33	2628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2628	SearchIndexer.exe
Token: SeDebugPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
Token: SeDebugPrivilege	2576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
1540	56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4004	2628	SearchIndexer.exe	113
PID 2628 wrote to memory of 4004	2628	SearchIndexer.exe	113
PID 2628 wrote to memory of 2392	2628	SearchIndexer.exe	116
PID 2628 wrote to memory of 2392	2628	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56ac9b30c41140f3e24ddcfb6df5ae10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4892

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4168

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3120

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a3dca879c6fa5cdb3baccee10814a56

SHA1
4fc8de8d4cbb26f4b65eff97f5b31539a2fd7b3b

SHA256
9cd1332cf80eeb33c9d311dbd4551361f765243536fa1b7c468114692596e1e4

SHA512
d276101b8a8e776adc13c97bfe0318c0925ecbeb29da495c151b864f2f9aa6b789aac9f96fedafcf472f2957a6fd389dbca41d1078d02cf47e4efce41dda2280

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7f905b8daaa1dd464d3f814386d8bf38

SHA1
03cc9152c636deec0da1d5f428ae5bd37317dec2

SHA256
4a64f12f81149e85332ab2c52af7857c966608e0a0eb8f8ef01f5bead9d93350

SHA512
c4565c7b3f456867568b230c8522f73062ad50039689e160376d653aa778777822a6d9a9ac3daaff1427fed67504526b1ba8e17c32b74cbf3033ea306c1891bb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
002f315346c08f139f7a523bdf427931

SHA1
01b5262c6437c4e2a2a5eee003db041fb9d5d6a3

SHA256
c49633e27b416316d2b4914ae1b489a2d63cb9688ea11e602d27a3bb4d5c0e5b

SHA512
7eb8a4d9d65e92608700e28651db26a6e5cda7bd0ed5a7ddee7c76dd2f15f3fa2191e1b7c38a64f53e8580c937283f878a24f54af5623e2a2a5961b6f208dd15

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4cda3353be9ae4976b403efba9110c74

SHA1
8d093b994c562edf2d64a7996c294ed4339bd900

SHA256
cb09d6455967cbd7b4cf068b4b99b84e04995ed69d7ba55e2a1fe5a3843ff11f

SHA512
4f57284c03277d48a866bb06e8cbc49cdbc659eea9975a331cb0538715888e1eb130c5bd7bd0336b0311fb707b93afd64cad93025b6b092ad39820c9eff245e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c9aeaa93fc58e6ba2cadaf2b7d84df7b

SHA1
9aa981588f01ceb1d16fd320ae0ea55af57cf2a9

SHA256
d400cd51e5fb8f3f7e90f1301a2812810b731995cc5a994293390d2808dba5c8

SHA512
8c05c1e2b42852196877680d2ea91411da9198c4d53b019a82c0f2811f83cc0bb7db51b2cc64cfa8f0cb3f7cae7b35470f83b3fd3b89c5e11234062afce88254

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
52eef37d1e95284fc6a0228a1f6d6d7b

SHA1
7fcdb0f8afb0791e624ea09e0cc2e2c871af1ef9

SHA256
a5adeff27bc6e416fbf300b4a62d36b7260fe4dd3eeccc64d32dafd8f7a05404

SHA512
46413af743494e9889db320d59c4188a5d61bc11931f2323fa835191ae41aa2dd63b8402ad929113944591c06b8b68a6d5e7c5ff4f68db55173711e050262178

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4557a6c135f2cf868c1a9cf40b4e3078

SHA1
828860eae39563cd82273467eb84d737224a4336

SHA256
1ce5fb3c700a6a3a781f7761ebda061e080fba5329c56af1c0b4de890edc452a

SHA512
ed7dc8d8fc9b4df3206f71b906aa3fd03283524970741fb14a2aaea33eec53cc1eade9bf1ec44ce99865a7a119a158f56b156ebf7b079f703dc06dce1c789ab1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e50ac6b22529326343839b0eb34a965b

SHA1
27a4c0cffaef7a81c88c9dba7f5716f9606fc3cb

SHA256
1d4caa642379e8877bda785075a2784001bd5adba8898b11dffa5de1943c41b4

SHA512
225a699baf4607c03828580986b2011812a1bb87d2be78ce065e86af935566814adb1c006e2a42d25cf40c6c366d9621ca9d437924dc0d953e45bbc52d39b7c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a7dc56d2f46d0fbfa866b866268ebd45

SHA1
83a9a06aac391c2528081c5e8564db34a12921fe

SHA256
31f26d03ee07460c4a3824807952e3dac534d2155a75ea1db56fe99bc22284b5

SHA512
81beedcca1823b0497c35e182569566ba929da7d8f0bbb7f1cc17258820eb1cb8677dc5c2a08bf25eec19b34f079e605160497837198a14da5293ccc90310c8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9973b23d81b635288a441f8a7d57d40a

SHA1
27ccd380461787e9a7dd85c4135c4823381608f4

SHA256
8a1edc59875ff823f88797052860f2254f05af319105a7f241e0e23c5f8d18fe

SHA512
4415adfdcef01ffb90cbe10784f83350bd5ad9b519d11fe0edf8d425a27068cf21db2fc339d2d57d40d898adc90658feeacecd19e9e1a2898c3f34aee9fe70cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a1ef5c94b733cc957e131ab325f6baa8

SHA1
eb6f2887a568ae7ee7b61f3bee93bbd92983363a

SHA256
ef3bb5dbb89e459d575ea38533f5ea5f40e8fd6800845499ae9188e0d0a3b037

SHA512
83a5b2e9670470bbd90b76a1f892009e53c0eb2d2d3a9f28d7be40df1a3df427d808fdb2808b346c052077c24bad7041d3795ce2fa3d3f8629b3d25348416815

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
84cd0e5d5dad38ae2cc30dcd68304ebb

SHA1
fd082a751c0810078dbed142a132ed2334c46e3f

SHA256
cce6b4b082c33cfda44d96ed3696f0668911a654bdda646e98cf94468f27fbbe

SHA512
30e4820eb0eae0280d7076fee43cd160533fe1344f7fa8c13933e4833d8adfffbf5677fa4140598e91648efab5e2bf1652f5937d30e04609c34d6127af0fd723

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ff96b0a351f59a92b35fb7f1928c9ab1

SHA1
96c4543cb1ec59294f454d81d039cf0a3f33cbea

SHA256
26f5eb0c61e710a75b779fb86c553d311508140923b3294f40d31c468d3028e8

SHA512
06d4d702c80e17c08ed8172771a0cdd8f257606a26b31945b7bd2ce1d96f59f02581116caa12a803521f84464c6bcd0bc68640ca041a68106bea0ff0ba30d7e6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cda326b9cc231d8d8bb8ae2adda2b935

SHA1
d48e9b79c066ea76dc38191bf6974e8f0d1b1d90

SHA256
a0ff9aca4c1bf664dee904af8b63329f7100e05b1f240ce7ee9bcee889eb89a5

SHA512
01807d085d20726ce0654730b5ca895549fb6a57dda351081373e9e15cdf04305a7e985cf68f1f1068ed0e7d9fd7d2ddd16cd76ec6660625113c787a637737ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d8a39963a25d07c2a37d84c10f312bfb

SHA1
dfd57bd8689779c97470f98a4c8e77467e83caa7

SHA256
8e1a4bc22971f41a7979c7a21c6900e3aa1c02d5093e231fb537988df54a2661

SHA512
0241ad1a64373045bcfb42b21b37ef2d615beeaf75ea7661b02caa5d5448940da4ae752fefae39a9b3bcd18e4202011d85538cb3728bb3d1bb79b1cf3d08882c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
32ea323bd255518a7805304aa3cebfbe

SHA1
1989df37449e9f091a9e9ef2b1875782d7cfbdf7

SHA256
2f35fdf70e80e70948a261dea410096f4dec1208cb8d3421a8e081c2bab0cdee

SHA512
9ccf16881b9e679067d753f1abf9af120be0f9e3a10e1eed4e74ce451ec623d34726bface4a439d286a99d352882e54b233d5f884928a6a38522c3c6f5603761

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
80885d8c7efe94bfa6218169a80647b0

SHA1
6c32a9494446c45d21900fcf1cc17a386461ea37

SHA256
97f51676bdc1a28786acb156e6dd747c9db43b929f4e843e39615dca2324e3ff

SHA512
8737ed830a9bd3feffdfb0cd63535c7a7fcfdea0e0af39f57d0a49da11b25ab5632fc1baeef0fa92a9afb76e8580e29386b89dee7f977be9f1fc9cad5ff6ae00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1b25a730fa4da11d1fb09b7d2eadafde

SHA1
32ee56d208e5c66b04ba3fd89e5fe0a2cb38720d

SHA256
530131496227a070e1aa91a69be67d34a44811ea2402f12a9da2a382a72a158a

SHA512
785b4023704bb612f38c18bcb8325498bf7ec5e6cafd85aae031260a975b83a331edd73f20a537a22747a7171c63dde2d45489284d0f645270741bf6b641bd8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
08b48b98ca21cd32c3a2da0474812987

SHA1
91e349253c358f8c1fcd4f92ffa3e03bbab8927c

SHA256
1a2d46778bc04a837b40b8fb0612b0f65aa965b3e70c929882b3ce21044037b1

SHA512
a288c16d27e14d5883f4aa4f19bf14a6c69d42beaad5d7b151adda84e8cecf4eae342e598ce93276e3c3f83cd847fd9d71f3350292e05c96da0102fa3135e8d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0bfa6f1e38c7b9ecfe55250292ea5114

SHA1
7e51ed7d29ca9d95d3f3da648942fa9de624b495

SHA256
a616fd530e7490e2c0494fda4db7b8a2ede1c1eadaac45aaeb3b1ab6780302c2

SHA512
a1fea620c7c53307805d97f4eb61fcf6ba6220b023388aac13220ba748cab49c9d8b5526e3750ca42afea14784bc56b236e121be9920753100f08828aec72890

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3e3f923d73aa4e3ac33978dc9e02766e

SHA1
d869cb3fcd5d7b01842228f8be5a5275dd559e05

SHA256
ddbd2840adf046c9ea171877eb6e58de8edc9ab4ae5109878923802b697ab902

SHA512
29637a4d10e7c8dacbfa306b72dfaa6b24a8a44c194dc9855d4f8da8b5c7a65f4ccaa4854f799baf5bcd1df88340544d8d2b575fef53f44ea1d838869534e09b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
21d701ea37d8df840abd2d76b7c835b3

SHA1
ada55a16dc76f2d84b8126f293e98cd873b5b9c3

SHA256
174ddeb1b2c578472e5c1667f10aa5ae5576395beecfdf745456334cde9f4aff

SHA512
3cfe31611d85c0eb3226444b7101b8472f1f440e700baa741fbf7a2719a3547fc5cde5158a00ab72fe292259c4d6f2b3d27508e9e956d993b091284eccdff574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
80640015d9a405c8dadbdc14c1a94100

SHA1
0a592250a504e0962e4217a72293720a75154c61

SHA256
a9dde13f3d702878737ceca51654503604b014925a0cc86199f9e3ae79e881c2

SHA512
f31651602893fe0cdff6858d0ce17e3ac3ad77bba055eae0054c2c5c0255f9a177b1593018770e67c6614c62638084dfa58b0289d140c36591fce36a666c1d01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d5f23fe16e2e1ce281a134c406bb7356

SHA1
2377dcdaf539ac83cee7fca6c67dd60d4ff7205d

SHA256
cc86649e374ee52a2092efba964ff574d769c2913c10de8221c03df71143ef18

SHA512
0dbbdcd338f2063460b0d18a20051352cb446bad6d1dac7dbe02325ad2682839bb223dada8bb72c0096e89165318d46ed11d80631218e84dd668d96b82ff7c7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8dbaddaef9d303b53bc16a746c827cb5

SHA1
5dbd6ccaf8b6e23fe92bc6014a1241b9612c10eb

SHA256
618bf983fa01ccbc3bf4a6158f50553eed126bd3df6c33a894eab1fcf14bd92f

SHA512
f42a285b6135d25ca8f0e5e19c00358e4dd5cd8877f2ddf1555bd5bbb799275fbb89086a15c06e18a1533ae7410c72913a50a53bf23e9d934ce0b4940fb15359

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0e407098956419fc6c049091ec6ad959

SHA1
fbbcb4c34155ce63b6ca6a60ba999f334b85950c

SHA256
5e9deaaa362576ae80cebc7018b531c179ebaeef760f708202b6daae9ebbcbe8

SHA512
1b2773f8d4d5f5eed9fd0a68f4376510e31ed40bf117b7713e3e053ac5e7e1cb3665a18af801a256449ba6b2c68768d271e29a9d67dfc6cb1c33d8963f35571e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a96385bf776ec0326132982d4720da78

SHA1
3d457b6bf7b973d344ea67e4737ee9d7e5b9ccf4

SHA256
7157c423291266ef2fab7f9d56d25af91313571d8dd9ae480d56a10b12c583d4

SHA512
c4488b121c254fd9330cc1c25ee95e93d67329f202220260460aaf83802c30e7998346385cd30fd1c52aabe7137dd6827001f0df64d8570157d1daa2cbf26bc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
27cdc0d59642c6ae2a9b76549889a1c3

SHA1
4f434229a7c966127a0a6d7712eae023b0beeabc

SHA256
53b17091275d559af890663acd831d9d54c5c3d0f6782118112468434e4a1748

SHA512
c7db96ed4daf7ef3658034c2fce175408474d61b1b6f5e982341d9f2f1206bb5673f38071539c402a30129349a05e8cd50778d83a8a0f1bb85397cd65e6cca67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4cdb496fc0e3f4a181e863638a39dc22

SHA1
a20c14b7a70a678e34aeae3f859120cc631002ea

SHA256
601cd4cdaa75c40929aee329f831635990ef447b7ed9c0258e3c1895c00a538e

SHA512
9f55cc64583339e58353eb0d64191880a7737e20eb5133d2184812843c7579dfab2768b6559e896ac1facf2ba05296ebb2a4f8d2039fbb24dd0ca10a5d208f17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
38329ed44e118c645ca8887dab1beb76

SHA1
7de79c728ec9324a76cae0663ee465a2895ee3a7

SHA256
e4ac9fd654f908c39e8942c640fca22d6bba3431751b63fc681f8ade0daf4d73

SHA512
c2abb37af9d73fe69df49011356a347664d7ee9ad43d4c3a37facc83d7416e706481abad56de10b78476c5bb1493e29af36c318ac9a49cc47ab37007d59653d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c2cb814d42f0189e3c54e48dd0eb9d9a

SHA1
2076bd12a07e42f0c60bf09944e23c001d37eef0

SHA256
cde3e587e432009b3f0e4be476448b4d70a9b2bdf04994decc489d8763217a33

SHA512
884b038d9f2894fe550b71f5028851c26e2f6e65677801a0832b1481a7eb35af569fada4f4f0399c8d2fcd1f7846ff2b9a13ca31101e8a6dd9356e15c213b9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
830a29b3dfdc86016baf795bd3ee2e96

SHA1
6764e44a597993bf4cf07a43eb1e6149a3341814

SHA256
e20d01cc75c385ce2725bc277dd3ee498a47f16702f7ce9a72eaf8b7c7e21ca1

SHA512
06010aa8206f1e59f8a849881bbce3bc70f2b3d801af1cf45be9c9f09663e753cc5adc3f733b21d78486f22592cecc93a721017e67e2f8511f01e3c2cf32bedd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
41403183ac58cfd5844da053d50bfe5c

SHA1
e22f24f5264a311c4e9e856659561a8c7df91130

SHA256
ef4d9b098c327a024d40a3587e7e0bdbd13824c50e3edccb2f0898ca0c8a9af9

SHA512
5b85182d7208e5411329ef35a5773c1ff55489c0a0c99abe3a4672cdfc868149bbca46025cfbaae1d002beb58d3423b01a2927cdd3c22c4c9510cb3b8bdcaf35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
da2c4540dc96be9aed84ee99bd03643f

SHA1
8800f1001b3952782a3f5cb9a209cfcff7065773

SHA256
7c900b07affe2c7451445000890bc5c9ce2b0872f9859b18e07b8ce5e931a896

SHA512
529297bb3587815e2e19fb551991ab36ef0b03c71564cb8ad1f9213a59c0b26813764e94c2a695cd7bf5a8395a208eb5fb02b0213cbeb44af026b7030ba0895b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
11f078352da6f16ab103e773ccda8b27

SHA1
acb5e99d30b44cb34ebb97ace333750fb940244c

SHA256
ceda3048abaa3960bf6274683c494cc8607b1fa123e50a5da14e3ebfa009a90a

SHA512
b0eb23b553bd0249502a26e1418a0fd2d3f7d4eb3ce6427d838d01d6a78122e41be8a3782d81c8505f5941da7caed0e6aa89714617e63e54a0b2d29ec3a2ae9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
1e3b00309259db30e8bef29b54b4cedf

SHA1
232d9afe82d062ec232cc05a2d491e7f9bd20005

SHA256
22ba8d76524fbb4fdf6b10070cb14b0ddf88c25aca1c84c5ef084a805b35a72c

SHA512
4f6a53d3f8e8f990e66e16be8f20d313b219e0516abd92bdc3f40fd98d6151547f998b01862504b258df1d88472d036d5cc0b1a4ec397e99c68ea91773057d2c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6b82f55378a64cee223827ac1b323f38

SHA1
75093f02e55f922f950af478692cd61ef699d92f

SHA256
0f76ab93b3ad087cb46866ad368e19e8546a6ba45ce0b9d7c85f772a316f62ea

SHA512
23157812e6840e9485d0ad2f4ea1ef995c9e853c702aa5261d861400fb6dd494ddfb703e110acbee4af14335d6320e9d96a3e46f417031cd275cbef0a333b2c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a2c2c26765339f9cee1e82d9aa79f6d2

SHA1
cf47da05c2e3b7f8d6f0924cb43a4eada1c7ac3e

SHA256
6bf35b8bf67eb8c8fcc9c3cb734f92dcd4d2577396fb8062c482fc4dfff43b49

SHA512
9f982ae94d064732c7919d1405e9fd334aa1ae36d3468c18b0d149810390e6b798f8f7187d2e62f6ef2794eba9002956e55a258ab2f4aad5d94097bc8df946a4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
931dc97683380e458dcccfc725860d41

SHA1
2d7406cef4c0b092155b370fec867d2c4e9eaf03

SHA256
34ec32c6b1e51a423737e9e3ca43c1f8d0236e734f9d6a4759da7b8e8edb5301

SHA512
d4c3b050916963efa404bf95b1710f1ff65074e540261e2b6eeeec2d0b1b3827adc3e0a93d9fa1a54e063d12baf3b06d15a229e6d4d391aef7a1c0c1fa5d6f3e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b7bd4215d601cd5e32c0c46cd9d4829a

SHA1
bf2a7391bf87f7db07155021df2bde7a49d1ebf5

SHA256
8174482c034fd1ca3d128213846261524d61c74e35d8ad1197d339aab37c84f0

SHA512
ccd1ad207196a39d3cb70e808110e02ff38a0f0fbae509ddd8376fdeccf4d49a3fb3556dd5f0769e295394d4cd6b4915f0dfd1c63a02b09e699b5bcb62d8f856

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
abe39f1a853321f6908ba8e287879ef1

SHA1
3210bb0ee2682904cdfa2f339012bb847babb697

SHA256
79d8f619a4524a92b646be8d9e97e3f2dc809a2cc471a02fd7c22f33a27ee4a0

SHA512
fd1b6aa95ef1eefe95e95db40952bb4fa311a81ec27f8dd7d036aec345e446fcb2f3b4b987478ca1bafffa8da5e8904dbcb513a55339b90fc5da1d2283445eb7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7ead10e20968df67004e003be6891d13

SHA1
1f2106378e65dc34cadf70fa1d379a1bcf3e46a6

SHA256
5c08d8831565f7270947843b29b015c1d74dd913e329fc8deffa5bbd4ac94957

SHA512
df2a967b2d1060c0797c485b8bed19d3349ede38a6c303b0b97d9cc6268b7f1f1854bc3c0633e432a4a18e66f82ff08799a575fb2c93c7205eda28a557f71078

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
73d0198067a9189837c420e6353c5cb4

SHA1
01ee7e27e81c98d3922ddbd496657795131e267f

SHA256
47b20bf068bc921479663666c7614fee3fb7ff2b3666fe4c36f1cd378565db3f

SHA512
f50ab432c3a1054e998b8d1c17acdb6d3777c64e1e5629d7cb38a294aeacda7e7434eac911e7ac1b9a078e07f5ed814ca2ac659d930f3ebeece1f14689f806e2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d9c9e8153d38e64deb68fe5519c00969

SHA1
6e1f5c8aba4d049b1a74b1d249f9ebbc3c0363cb

SHA256
fa4940f8c41f0b06defd9dd09b89e7c1514ff5bc6118c9e3bd9f01d942d5e82f

SHA512
b140f8f18a394095b4eac9100e3994681f232fe706b9f0c3cfc53746c57dacaa48b3ee6c3d3897e90fc13305e727ae12405219baa24371f0f7504b8f9a4bd905

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
da601a415384a4352098c23d206d7469

SHA1
2f36886c2ba1ca851eb04b922612e92b8ac3ad59

SHA256
d66560b70298c8674e8a2e337927f1bc4298f4b1f87640365b41c29c00daae83

SHA512
cf38d3b081dc715135af38b4be8ad978d46420e9e0d7476b9f2682f2c7edf29629109b8d77183061f118fc9cd81ed79fbd61b3a53a20cde1765b17d468b02663

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
26b2b9221b1977ae7f2e89ed0c7632a9

SHA1
e5bc60b489a73abe2759b513468e496769fb0354

SHA256
010f48a8ef7e174c1dc0f7638f4735815dd02c79a35b62f5e271891c8f61523e

SHA512
5a88a07eb4469e7ccea9cb01366e486d7e8b13914eb361c1045d751aec22958327b6221298f64c971704e4e4911c5b42b16536008b085673eff85ca7883388b4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
165e1dbeed249cccfe5ddbfb9b6e9b94

SHA1
f54dd1609942886ad38c86ed286d98bbfe2566c9

SHA256
d5b85c8cb060306ffc794213e632d925b3fb5ce617ff7413f725aef55b8a3639

SHA512
98c0cc7f4f4bfe42c72723b6b96c41c52728ef1648de95fb67eded835e8ab12b0935a74f09c0eb2b22ac43f43238eaac36ed8c07ad486648f629c2bed6c6e184

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e1f0f8acba6937a032534d41a0a28cf8

SHA1
0b4af92dd40d0d90a3f64ab09678ecc4f76b110b

SHA256
ba80f820f5479f699803bb6879159456f372e60526df2c2748aad0466baed6a1

SHA512
d5de20baab1b28d63f8eba298909b524bda16d385dd9c4fd4170f73d27056d931adf78416d54ea18555ea039e2963f9f325380d32f3cb886f91a1d2406d6538e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2eb41136d8976d0a91defe70007e29b2

SHA1
0b62cd698362e29c4b89be8a34c82fc68d90641d

SHA256
1df12afe46d32cc95f9d981d25ced48f1b4c06bf1ab42ca578f099930130213f

SHA512
162eb101c0c8fc9cb2d8a3e368215c30581a33800630c7aef9cd6022a55471c290ef67102e37ff61ffd6b11b898350b6652d0c9aa3367e8879e56d89efc947ff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5babe45e22409125a04c202475864a1f

SHA1
cd7ad7559866194bb68d292c6a8aebfa5dcce40c

SHA256
3c83c428370f3a354b277a27ac5b048dc3bdfea5d62748efaf003e1867510fdc

SHA512
71acd0b198f34249a1066277b1491f6a730b30b6716e0a39f09ac78796990e84ed390a34abd45712e8ef1e90c9e0e76d7fcac9b88b4a609a3f8dfebfdfc9b6f0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
95494a245ef0eae1155787c6ec7f6e66

SHA1
747c4faa094db667d52abdcf2f4115f0a577a433

SHA256
f222660603ce85bf372afb50ef4956e87729f626668eb604ef8791eaf7414472

SHA512
314cc0540a26d8c7dfbe5ee7ab45fe2a580a0312e4ff14ea0d2c9fc52a7602b1ae681decf4bc88cf20c6d33a702ae74f441aa9433e08eeca3e307cf539250ba4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dc8507894e32d8a6e42c9b9b7250fa33

SHA1
a0fcc20c4827ee3bd70c33e1f16b8c4bc9470471

SHA256
db1b8dc9290dab02cf2ddc5a836b6d9155c20a8e79961042eed0d10351022626

SHA512
a6a6037301762d36b4c5d1fde3ec8215aa89772e59ab9d3954a06c0282179917a35410d4d4db0b21e0e61743be4482e7aa76252eae368b084d3820a458911c5b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3a92459cd882514ba4ef4db489800d4b

SHA1
99f0b0d52d186b25f6151d25f677f13386a1c165

SHA256
1ee286678100b7ccbef5dcff711eea8ef351917fe0058c8ce9ac0f36bd28bbf3

SHA512
02c872c6c63ceb659d58527935e2c34adf6af358a0ea548ffc54f25531c6e0c112cbb6d9d340c495aaea62f28361e82f1295dbc8c6e30b014bb509a5a3c06c7a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b621c44f352f55821066897e93f30e43

SHA1
580080fbd3d72cbae84445759b0e7985ebdc6b19

SHA256
76175e8c66ccdd659d0d140293ce2681f375a216c49634cbdf7ca892728edad5

SHA512
c8e2a6086bcfab0d25b71400922ecb488fc05a722f11beeb603fe4a0aec347ff7ce55095363f4eaa40f48d3be046fa1f1488e091bd9c8aaa96424098949b9c62

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5381417afec89a931c4ab428f9389da7

SHA1
3a30c0d8f4eaf15655ba718552a2cef3f25c7b5b

SHA256
ca36d21b5348ed6779ef352316d031eaf1b73e3b54c634025fec22661bdf39fe

SHA512
2d43cf204a232dabaca0e26eff5c62686c0560d95257ea9c45b1362b155844ba451763f19d184439b70ddeb18b289afd9a4314f22405c013d49f5d3fe2a88240

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f25e89f8e2b87ca8b56a67df17287aa

SHA1
793f9e0bb47d8006fb733bc937e390a65fc4ab08

SHA256
2adbf616f414a3a22e448065f7d3b74e4d69222d3edb4583de051027c2924e4b

SHA512
580d4f6e906df3d9baee98863181faaca6903cd41bedded549806a68ef5e8ae3bac042ff97369d847e169991f5db2c58ca104f61a1fe26f3f94ab87cab85d580

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bff2403b2d90bc9ca8de40a0f5a03517

SHA1
ce79ae89b2bf88f6d7f3b3899cc7fe340c827a80

SHA256
e74a428c282c75947d7afab5fecae32c33c672c411783401f75cf87f9ea7a367

SHA512
85688b1ea8c1d00951563757bda6eab296fcefb0d579a720fdca877e02413732ffb00df6357451336bb84db7b38b2514f8a02f2672e2a199117a6d39906c1945

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
805f4f6163ebcda55b16a8c0f6b96db0

SHA1
83d3464908747ae80e34581ced05e1ce09ff281b

SHA256
240dd2d944636d58675af5868363d265e87728f6585c570c89ca0a9c6201d87b

SHA512
d3b26e7d551b0dc3fc529c7e4cc3a0511f04cc528a9bc4023925b6b1986dbf3dfcaec9450c3fe85f89ae8dbaa8f0bc26066de15c27de9cfe0b68920fc5937b3c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f1fda91603d27d84e2000b0e5d2615eb

SHA1
004b85917e689b87b76a909db86bf1b3a113b224

SHA256
d4d19984143472d7ba60399b324d0116a3f413c3a4b94bd8e863fe81c6c4c9ba

SHA512
0c0c4f59a25d1faade67842b1a26252960c651b3b650a4138975cb880cb95212e12d0032742a70b6bf623b9dc3036e0a57a4e1a3f9979467620f41eee431a151

Download Submit
memory/368-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/368-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/368-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/368-33-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/624-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1044-377-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1044-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1356-368-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1356-144-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1540-2-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/1540-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1540-82-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1540-6-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/1540-8-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/1544-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1600-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1600-459-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1780-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1780-87-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1780-93-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1780-86-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2036-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2036-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2044-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-108-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/2044-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-103-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/2576-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2576-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2576-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2576-101-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2628-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2628-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2976-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3456-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3456-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3456-80-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3456-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3692-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3692-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4136-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4136-62-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4136-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4136-66-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4136-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4168-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4168-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4168-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4168-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4276-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4276-341-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4320-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4320-370-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4500-457-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4500-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4520-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4520-369-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-364-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5000-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5000-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download