145fa06bf33c9b664aa5ab7415861421e5abff323b572a45b620a95b07a3d782

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Size

608KB
MD5

abbe50a6ae1ee84dd0ee1b7c6dff6cc0
SHA1

859adb54cbfb84cd8d619f33505fe33c1168eeb4
SHA256

145fa06bf33c9b664aa5ab7415861421e5abff323b572a45b620a95b07a3d782
SHA512

9f290bec5c1954422f4686c82eb990fabc460f3480484942b90666b3457cdad59b0a1a8f02abd3357fcdd9f6747597f952efb5d7cabb3d0a6de1d487e597f30f
SSDEEP

12288:GeeSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:pet/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
412	alg.exe
4156	DiagnosticsHub.StandardCollector.Service.exe
3784	fxssvc.exe
892	elevation_service.exe
1728	elevation_service.exe
3152	maintenanceservice.exe
2096	msdtc.exe
3128	OSE.EXE
4440	PerceptionSimulationService.exe
5108	perfhost.exe
1768	locator.exe
3968	SensorDataService.exe
4584	snmptrap.exe
4868	spectrum.exe
4092	ssh-agent.exe
1836	TieringEngineService.exe
3544	AgentService.exe
2340	vds.exe
1088	vssvc.exe
2268	wbengine.exe
4908	WmiApSrv.exe
1708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7eed3256b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeabbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exeabbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eec7d2d83acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ede482b83acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec0c202e83acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057a8772c83acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef97452c83acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aacc02583acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014ac4a3183acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

pid	process
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3784	fxssvc.exe
Token: SeRestorePrivilege	1836	TieringEngineService.exe
Token: SeManageVolumePrivilege	1836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeBackupPrivilege	2268	wbengine.exe
Token: SeRestorePrivilege	2268	wbengine.exe
Token: SeSecurityPrivilege	2268	wbengine.exe
Token: 33	1708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1708	SearchIndexer.exe
Token: SeDebugPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3696	abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

pid process

3696 abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
3696 abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1708 wrote to memory of 3544	1708	SearchIndexer.exe	SearchProtocolHost.exe
PID 1708 wrote to memory of 3544	1708	SearchIndexer.exe	SearchProtocolHost.exe
PID 1708 wrote to memory of 4128	1708	SearchIndexer.exe	SearchFilterHost.exe
PID 1708 wrote to memory of 4128	1708	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\abbe50a6ae1ee84dd0ee1b7c6dff6cc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2096

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3544

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
35f1a77854e0d10597ff1fc668ac5acf

SHA1
1ce5988267c4e281483d9eacd1ed9b961558f77e

SHA256
8c8404ecfd6f507b1263483e4bc5c5a1e7af1ed8e29cdbde05732ec5f224ed07

SHA512
19bd10be9197f56ac7e1ddb085ce2e59ecb5557bcd5b8a02cb2527973f64c433bdba8b14dcd6e40f98170fac84ee9d1604887a8a71f53775a47251fc0efc9832

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
c89f1d6c1bd43e34ca88c8be14c88107

SHA1
50668d3bc3b4d20219dc8177bfb45e03c8861838

SHA256
4c2cdb13d4f1ac7495141e8f042a41cf56bbaadc9e3e532df59e7564c6f86695

SHA512
1568e43fc85be000530d4e4366d9e72edb51e3a880c01a90397b4c9e4d5efb458351434df6959ee9f8b222300b776fd0f5e133061e7466e1d7e06324e2c81b65

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
974cb1032051b096a6876d2f127fea6c

SHA1
6d601624c4cd1dd6fd70e759d6aa3b933970e120

SHA256
12dcef25e2d340aeedc6614e34d685f23d44261d59ee061f4da62d82fac4f1a0

SHA512
18d29f58f03e7e342b1370298477717f21f59c161bc629d94408171d85ee056cd2f3ff146227db0ccbe2594c64ed6618f3ef8184bd907e3e1848fbc8609a9fd7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
27d0304f7db2bbae063355927d6bf2c4

SHA1
f414988826e09d42a4a4834f32678ea4b0861cd2

SHA256
b7d47da5ad00c7e4a1ce9586807e299881d0d70beebc8282a228662ff313498c

SHA512
0b61e623d43d0ed7481fb67f3ba2706d850b85cc3af05720eca8d185c8d88dfc1eae5a363c52d16609529b99c5c5fa2fd4ce090f9565e54e5661c22068b885a1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49fff27b5a2e8678a94b9f0dddf58a0b

SHA1
5c1cb2047fc70150afc1f561796209c145a73df2

SHA256
abf061090837e91be4f9adc617ef4fb21a009c96bb662c14edc92c6011ffdf47

SHA512
153c152c3f511c16cf78b248304048a44a27eff66076cb77c8b82ac5e87ed18d2749f973870eb45a8d457c09ba890d56c3b5f0ac28fcc9508726fd318936374d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2dffa710b62226609f8848e391cd575c

SHA1
f3b6e4e0eb00f80c4ba72b5221850df347ed3b41

SHA256
6ab176426fa793a7a01a4714dccf4c6c621afea0e396ddbe8a48274462f8f5c6

SHA512
678eb774939b53a46690b46189206628c8d16478457b5d15d31f7f63f83d3cf82fdba6c364de08cad5cc1d06006e1ba4dfaeb4bd15f0c7d7638bc46b72422ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b8c6465fb7f19984bd9c74e7a6a60366

SHA1
e6125119c28850f67e08291f9c60cc0dfe1c661e

SHA256
0d1b6466762930a419897954bf9523033ab4ce460b33823f046dda0c22cd1fd0

SHA512
8644091191076f19abb773f90e49a53f1b515f86cdd31f98a6d42ebbc6686a4421cafee9119209dca8e68cfa767b63362702754ade1c860ac9f57f0e8fb1898b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c4cf9c33218958ed8176fa654dd63b6a

SHA1
fb8257f4c12db990257d7b3501689d076b0a8afc

SHA256
b7046fd27755904e860d31f05791eb606f42207e7df4d4f385366cd3fa051124

SHA512
79b41eda40d70014f8e21c9482ca3a899b4cfb5acb706f608c146b342879c2e409d6ec7a881098c8b6c7dab0fee3632aebd5ec05166f491144693587dafa5996

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c454d38b171dc428d300cab951d86a6e

SHA1
2b694ebdd6858378ccb35ed0a16afd84dac22abe

SHA256
5c57baff08cd864e0b97134622c5cca5281c297d8170619e299cdfc777defe58

SHA512
da549b06d7f356a7760b558fd32b4e6b2a630d10dc04dff9ebf6d7c1f0231503caec07ff239298be0bb4a40b383ed73c20e6d02939931c41828cb64c545fb46c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a2cac12c2439ec82acf19dda18ab4bf

SHA1
c272bcd41040acb165e5c93f3c474e3ff814c203

SHA256
e34b8bb56502ac5c3cb6ba9b44a3de2f3766679c4130fe1a5da448b0bb74eccb

SHA512
387c4b80093536ca53f4283ff896b720d8575dcd1d7d7e80c06d2d216bd6479c0945f580efbd751a2472277968c45232700d8236e35e6e8ef2d3128f8068948e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f846ee9ad93e02c02334deaaec0e8571

SHA1
a680bc763244763a95ded22e1ecbf886e608ac24

SHA256
ff91190d876713c9463c1f6f4e80fe144d1997250cdf98321629bbccef0026d6

SHA512
79b5f386cdbcf74639997782c77cbffd4a2982aec47c5747726d9cf178e904d028966a26fe9d0f5539cc9370909fb04ac235c7a60e8ee383d12aa8042e84d7f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
49a764a29b9fd192de41b5145145819c

SHA1
f084820b71714fb1c95bc77c3a6aa5884a884a4f

SHA256
fe26bcba90170e3b345105bcd5d027f4403a1b859596b5036d63f6a852ebe7d2

SHA512
58c5925e0bd85465c0f29f1746d63b3e1a0837fc43b394c49d4e3d99473b9fa94da5aecc948929540bf8225e6cfbc9e15eb9a0b13f12f0db9ceaa4964c1d96a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
09ad5f9a9a61b7f88204232d6d3d45f7

SHA1
dae63f092707237a1e15d959b6724d7b7aef5e04

SHA256
f983dced979a38a41d76ea6d2b543c2369b9f4949ff88dc97b7794ff00776c5c

SHA512
253ccb57dcf245c95eb714980de252d0b9e0f3afa80d30bc1070130c4097492b6433b9bf590dbae1aca445d1e66775b838e59b92fec769408cb3e279b34658e8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9fbf739d539c375b0cd2dccc80fba4f3

SHA1
d568c764df53cff8b4d159a9f6f7e3edb9412269

SHA256
c5fb2b36e14a4b4c12036a32067a99657445ffbf6448af318d7e9de732d63475

SHA512
9b4eeb081af75170fccb91954ed02cf1e74365ce50f0c474dc5ebe793ca13fcc8a1ea5c358412de923995100f625a1398e04ac233801156e83cb4afef7fcf923

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5c68d1952fd8d989f9a4f5fbd9e4cec5

SHA1
06ba81e75184bd0c6ac5e89d63f83a45e5eaec47

SHA256
227d6b8822b7c40944a197a19ccad1536d141d6c6413b02b68cf7bc113b65db7

SHA512
a11b43955c4f10bf9c94ea8d8d717a84e82524284410f2277eb6b0f06eb20da007fe35822b5adad467d179944a89217659943ec6e361fdbed5d9682c3169d1b7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a7a4272853d316a22845f285d7755980

SHA1
9677606250e9cea8262dd87fc580689c3b2f72b8

SHA256
9bc124f785020e13d6efd32816770774d9f290e9aa683217f94f18b08d831116

SHA512
417a50b8fbf67e59f212eb9345a4434e0bce0efce172d38f63419a54b2123ccca605bd89b5ff2c2ec6ca81f191f26663b20be7c27cc90362dc33419f5d244480

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f4d638ac7818bcbb8d039aaf99631c19

SHA1
d3c44f3ca0feefae588f80f93144f0d9f07a5a52

SHA256
0f2a79e3158ed4d0b8c415b5088412f66d108a9c75094955464a6b7825dcae42

SHA512
ac96ac8072d69df6ea204ba4fc6e7cc52b4a177ae74e801fdc62345da76c830c52a2160952e824124cada6e8a26f628dd4d8ddf875aa1c8adfc071e3ba66da2c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
69243c514048a4d32443db555b28deec

SHA1
694ed1d5899d7a59ab7e2b7453b32bc5a4295c0f

SHA256
68b2b4060c0bc8f2369e920a5dd25babd3e3a8a965c3a83f92ff1cfc2a73a96a

SHA512
f72460f4fc8910b32d0c1f29149b99911e0a5da1c0dbccabc6f1a633938bac790b7a6a7348bd2632952f74f384d6dfa3cece18cb5d90a0d6257752ee51d42531

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
65a4d29ebc0faee3f40d8431856f276b

SHA1
29d88f249c48cfa4fd8859ef4d85727a7e6cbad8

SHA256
9921fe0f187931607b739634c5f555b33f7f7604e51a42a118e3a39e6b114625

SHA512
c8d1b671a8442ca5151a01503b6945db97225cfc255489e0cc1d2eae9e330cd716d5a68576e7c5aaeeedeb61b9ce174dea2ad4a71683e12e4f68f3db19d52445

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
97f4311668728b202cd59f4a5228b7e8

SHA1
c899c2a26040e47b6944f1af286326ee513a3946

SHA256
4c01d387e8268624793e60913c7d65b8395c18078c5d8fae42c7757a1b623ea8

SHA512
6f62b45d2d0e641a08ac28599d1a2d2fc54acb79578ac5048cb4c467c040ec087e26ac3588c60280867a40cb8d217c7ba9ed3b0947f32e9d7fe6850520d667e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f704dd194b17f4cd8df3fffa3d29eda7

SHA1
993c5d8e397626c3819302118c3833003770796e

SHA256
91110c95a1a96e0f34a4db1166cdd16d945cf56212271c3d4aab61446f18e923

SHA512
a10f11ed799b04496789b2388d0c812599d5960731c2a2d89351e7638a01d6a174c15ce49e2943592343ed720b8c9bc9493281506fa3b2876ab4195d7fcded46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f080d66698ce12fd42dec0cea68ae01f

SHA1
f4ba447cf72d8ee057a718b227c86425bce88a39

SHA256
9ac5b45a799ca652497af9219671e119cc2e609b4d20f520dbdbbb33f7487663

SHA512
e92652c22a4160f62c3c6aabfe223c26f82dc8460fe39be215463c136739fa82d2ce316dda02fab287da4c32ea4210aa586a813e8521decf15eff3e87cc2861f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
238f47562f4cc3379a3d2ec9ecb5e8b7

SHA1
e379e5fea6f998a4acdb00c6e6c6c5266ced4837

SHA256
2ce3a61d352e53bfac132f0a9bc7bd55eed0dceaa12236c088d2605a49935b5b

SHA512
3c5000345c813a767b4f71b3cd2b49af64664d31ec2ecc6120ddbdfab542f0eb3839688f6ca4a8485337a8493070e213c56c67051ea8f96337d6faa9747c7ed0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d287a4ee5e56de0832c405ba38ef5b4f

SHA1
1ba81835eee503a39e5876adf8a96e1aa5c18fe9

SHA256
52ccdd05ce37aca9c5d1a8eaf04b428b896d66b0e8de51b503e4e9891a7bcb86

SHA512
7247f9b085f91d4054e2f904e16972e7d0baaa9a4ee0dbdc54b13fe464bf574a6b781fbe1f8d18b8cc27832710e17d299c21f10aedde12a34b198b9b0eed8631

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b3eac2c85258b04487caa4f28033deee

SHA1
f73d052109094def9c665a74b1d54b27cbffa773

SHA256
37a831a23b7f5722cf86fe0577d0ab9fc93a04361e3d935c6bad5f51ea26eab4

SHA512
650d5aece0eb047e803d64df0ce235f46d6d6452c1f1b879ac353f093f597fbc36c12c954f5cc020b76f35678a7f80cd9b7fa9c108faa0d87f98e1d0ac15aa38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
60e70547e819405b914dbee37b58621f

SHA1
5bf6bd5a5ebc8fa71c8ad729ccbb56dc716c46f6

SHA256
d079445339afab8bd14ba3d752292f3a86b292638e2f1ddd4923e53f210aac10

SHA512
b617b27c65201ce00b020ee7f79ae17bff4fc0d2881f44c3aa41bf773698cb5261621e7a4afc433a3839e1bb8948b847630c74fcf61aa5b6adb55549b4ced0dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bd4d36fd41fe59b52931f7876db2a2ba

SHA1
00cc0c97a38425f9c2a88f8b21bed50fe78872ad

SHA256
3563e151cc645fbb9152fb1598ea0425f67b958b035c1964a95cc46247076090

SHA512
8e119e81ece6c306edfe663a59ea313f17203d64c6abd18fd18497f060bb259b8516788cf9ef5a08f902d1dd859cb20855a41fb55e0cabe20eeee905c45c223c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
519f18d509b990bf309593fe0ebacce6

SHA1
bab6d65fe88291a20589b92bc73a15f178cd6061

SHA256
2857c56dcc75daa2cb152bcc8898def803aaf939dc4aa58a6ddd0faf350ebad2

SHA512
434999785c36784168b3c47ade1edb0056165a3933f9163888a0c39e273c0a96e1a92bce73523135d18ff1ff1f5290a2dcbe5d7a6936f8cd467a6a0d7f336d62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7abac47266279129a3e2dce4aea88ac2

SHA1
0fec3815bff17bd6cca9cc3af1c94acc74ac83c2

SHA256
65e47034fc8b9895cf26ddb6ace7abc9447d1944ec8f64d6318f2c948d6076fd

SHA512
12bddab43e612bc11fa3b7686f0930f33713099c3d88660d5fa49b46af0540a04e3b4abce6c44f53ad9821b6b452e6affcb77c877c102b2776b79816938b00fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9440f30596ff07264d1b09baadb18229

SHA1
41fd5762b71025d2d7c640b28b54d2f888826e28

SHA256
60b347502935056c864a0c0d0f6c7ab993eb6521ae8cb93625a9cc4e62bc8d52

SHA512
551d60e1a98381b92be25c21df85d8d6206a5d7f26df1a3a2ae01163d13a64a392b3b1042d89682969d8724f0433a8e14f5489506dee0c4584d6ec259564760f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6aab78bfb81b786c87d9e5bdda01e174

SHA1
3c2ffda055de41db1e12bbc4bac9f153c2a3cf10

SHA256
61e8bab4967236c9dad258299365b16d18862d512e3de759638fe3278a1d868d

SHA512
06ead1bc9932ef2e66d05fc2b2990db157ea7a7b710a8441c6736313ef9628ed9d9123c581cd8fd7b35bb93de214aef36d711b580ac3b60edeebc25213854030

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
156ae2cf5c408e2e0dad140acad70541

SHA1
388d049c62423cebd888ae8d3c2dc4ca0a63e2b0

SHA256
78bb2a373e1a9cf3b5adff2ba956649061f1e2a21c5254a7305881ad0285986d

SHA512
1aa863aeeed2b947c02d160127e7d304a94866dfc04a0c7fc476080dda3ce0456e9019feace5e18f1254db61a5aaf590ae888ed8b82b40e4d91982b32dbbfd3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
85e797aedd84e14eaf467f8999b89123

SHA1
67b79ad70e01c9517aab020ca73cddc7d8e967d8

SHA256
bd84229aacb686df80f54c5c00d80bf7144c7ab9931419364f840bd45a3e47ef

SHA512
6bbcc113196b8bb576e4bd799300263084b123dfc31d7fa98274a4f788aeba58825c8336b32c736026cbed5a79370617317cf2cdf9ff519d081e417167b8640a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8dd970999c2938fc1f5072a9f477beb9

SHA1
a203dc6073ca71240f52e1495ed2d89b6616982e

SHA256
0fdfadb2cb4ba221a491bbe46d1fcdf5d834c167cb40ae96529d08a954745796

SHA512
5cd66268254f7338099348139f4a48fc69b81167edc4283207690b6ae7915404318cf74d7c0a42362f08c5f875e8c66c2b99eabcdd1cf679e632dff222d75cf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d1312e0d478b0fc3db2b08d1aeccd550

SHA1
144c4315b9af1acb7cc5ce2d67b6647fec186e92

SHA256
60bb634320887cf6692528ee017114a34730aa6fbf170bf047ca6f6ffa005bdf

SHA512
66f752bc61e0759e66bd38358613d7bdc46b615742474bd53e126a11f86965400c8ccef788797a9b779c42570be5bb4f7e57865f2e912fb4887a212c27f6b3c9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1acc1ff6e6a8a57753587834937afba5

SHA1
ed33ed215ec5fc77d2cb90887e77f5dee6995298

SHA256
8e6a9a03b3c5bd53fbc612b58846e78d728a3a88707b502a424c6944a4e6e457

SHA512
b164d082af0ced7e93202724c8ac33c758bd9d2cc259329b371e13710848ab8724ee4736d276a8e5bf7948400b4ee45be1294514fb77e3aa253e2fb379cb82a4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
57c5d030bfb1eed909a7c8750c8919ad

SHA1
cbbc1cfc14c886b5c7fb747ab5f5f431be0b6ac3

SHA256
16fbb1256f3b52c243a7595279a903fbd91e0bf20555b55bfdd3ad049e74e95c

SHA512
6b2ff8b488e4ceb5922b1bcf3d728ee22f0f8978968a4b3a6a1c043c42937e10f03898077ff9cea4672579c4fc8413026e86c0ea9d3b9b48c73fca4e5ecccf44

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
22fdf5fd7dd6de7d1ab19d38b33ef94e

SHA1
02cb9385636f164e34515cab209d5b46420ebddd

SHA256
c0d9c0ae0b26a77d296b840dff7d309ca65519f537145ccbd52860061ed21a05

SHA512
3653371bb6a054d7e5924aca049d0c64b29c74948a763ce58e0dd2b6ac4eb928a25239879cc7ef9ea6a048ad0c5b423172fc3ffca20fdbe1b294a29c5d7a2597

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6f42769d7c76510da53e18835849a49c

SHA1
2b2542413375d038f4bc739e1f47cf21775c6eb1

SHA256
b480432fce4558cab7038b97602f4255175420d7b476e0c77901256560a1af9e

SHA512
ce577c18772d822b2b8e5e7bae846f609e29e83a60aea9355bd0f972e0caa13933632f5f73cc8dd1045510de6498c3ef40995868c6ea42cdd9e423a798b504c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e2bc88ae9c1dc151f94c2b78032bd6f9

SHA1
f7c5b5ae8f2e427764d4a53c77b8fb98ef41e800

SHA256
4c726b36ebf19b250d60531c3b7fe8c4a27d1e32c808b26f628df1835aaaba18

SHA512
feadfc61d68677473c3fef8d76db40ea819610ca56bffa1e18790b15282a05e708a91eac832eb13a3d47b0edd87845a920fa8a738d6abc0418244745b81d3f27

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ca2ddba8e8661e6eb278a0acf5356750

SHA1
32fef9b2841c6d6edabded674ee8be39e1365716

SHA256
cc904a64024523c85b2c4bc7b739c9002d6bad3d47c5201d46bacd2c3d05e300

SHA512
66fa2738cd61756a95ba0dcf13d50d6e910a44c3a2b38d5fe7153e0c62e35972b899e2b085267cfe86a0e4ddfb5bf610433f6a29cc3a9e0dfc9bca7c7d093668

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
01ff13c706c962215f11fb69bf3256a8

SHA1
f89a71ddecf7eb486eb1c66ece67ccf9331db47a

SHA256
1b5b313d1375f4879167f2cf8601e2d08e09e1605098092ea981e929f323328f

SHA512
7d09d87e7b74d942914598a86992ee66d16b550d0f79c2c8176f99d680b0e63f316df70b6ffc06229ef6ad37f3e435d468f2871309228a25325113a5638764d4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
840663b8e6d256cadbfa1ea700de5c77

SHA1
084dfa0e2572bc0daca325958af715c0f1016a48

SHA256
bbab4596eda92e68bd886172c321f8c7433d84f948c739e4f9fec85b2a965a43

SHA512
8c6502ffd5a87d92c43197cef482a7ca22daeef96b9fe759ff2f738da07279eecb778f4f5850e5721f553eb955661ebd79f9c2bc2260bcc786faa7ddfa057824

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
51073eef2bba0d4e0063f8da522a7d46

SHA1
91e882adf7fb07f1872cd8e78ec688483a7aee9c

SHA256
5826845db32a1468b541040a62c83e338cb1af76c207e5a354f34c446cbe4228

SHA512
5ff226ee275c676dc905f09c54e2a81b0a87a624cb6e6e5d8101b15ff2044b7f87ee90dfa2a0c4696f0eeb812c69c08bfc955c643f67f0b1c85e9131267a3602

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
71c2ce9e8f0531de387b85d28f316617

SHA1
d5992dca41f6b1e46ef60613332820de377977bc

SHA256
bfd3ba4e1aa3860e14f141207c901674a97106cfe3fabd5e1726dc5fda375244

SHA512
5579bef14dd181a7ec05900dd21f95ecd9c95ef1d7159cf55be1101a8f92f0a3bd90ac1daeb576b5010a8485c28e5e566bef3e28ffd89ae5db4577c206ba7942

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d1b753850d2f753df990e9ed0d5bea3

SHA1
ef8fc56c81edbd7aed13f7d864d45f79574dc29d

SHA256
9cfa51b2fc09cc2a807cf40d726af8c2ca5f92a1746650a4d464069080491a4c

SHA512
0f554eadba6834111d10c2ea7cd075264f134b2ab3ddd8a8c6db54c6338ab68e141bb811b4d0d6e1f38590395f8e6b368469548db33b3edd4499431bb0af62f1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
531dcc1b46a5290deca66fd6ee0f8616

SHA1
caf1daabb0043296b1cb93b3e2ee51ae0fcb6345

SHA256
a91662578e4d29af0555029cf3e2b0bcbb562fcc97dd52105e8bb49c7bcd6650

SHA512
024da760cec371d93f8c723f53569104818d3bd2385924e0f959fff4135cd3d81950bc6fb8eb4527de61339423f329556fb4bc4f77dfd61144b62a8f47ccebd3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6e1a0140c2657c603c4e36e9b52ef97f

SHA1
12f4bffec1e6d2263f37879891a72e10b311565d

SHA256
3584887048a3659e2350b716195087bd8be6be84add713cb886ab7f3887f90bb

SHA512
6be72fb14fddfe922f272dbd003bbefca2e91bdefff468e26592224db5aa9b711bdca4d56d04291d3e532f7e4aa353c44418ce4b0749b8875a10dfb014005f04

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
acc5c1e1bff965a80a8b8c682af50fad

SHA1
4bbf66ee814285745eb96e89cc01f698fd58e670

SHA256
8616e28fd6c27346df52a70eaa93abd2523006024b0fff1ec55d2d009e991c62

SHA512
64f0886df69281e18ea0e3fdc435c5570c3227875a338815bce9b14d2bc98afd8fee9cfcfbd7b29602c2209f59dccd2e5c34a8e6694df342c76fc2ff41dbf07d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5635e55e72acf40e31b6ce8426167f66

SHA1
d76e59ee4287f230296ed975ca772fbd83a7cda6

SHA256
8739609daa86957255836ae2e784096640dd17d143e88862393a808dc35a1a7f

SHA512
2dfc2a26dc58ecaaa30af02f4d65325fd88b6d81818350a154804fa31e5814a11c95568d5907cff30350480bcbb1474b1d49d441f2ef5fcf47d89f89c5406d15

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0391807f7ddf9554d9a9666550c0fc59

SHA1
c092e2a09207265e5cc07193576841ae9cdbeecb

SHA256
bd1fdcb1fac6c6eecd58d38e75ec31b547fbded45f5d7ea19f836791d3a4e41f

SHA512
a67467b000514e17ad374977bc122ecafe56f00c285103e21d968e0891e7a6792b024d72dd393e7685226483755626c82c7e5e3c0615a0cf26ddba722a2f84e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ae666c47eee57e734691a6ccd4275565

SHA1
0ce8dc52af8b883b004f423b4c23e1174a18f04c

SHA256
25e39265c5e9c706454d3d5afa08ab7fd70c7dca473bcbbe784edd217c7e0f08

SHA512
930645dcdf3e0c415784c9c3c6f69a0562832703caa35d52bfecb2120a997fe5690d2a178b93e735383705f8d57d3c3fe44ed53efc2d89944f9fe5bf4c7faf89

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7d9a72c85d2648fc52350d939c93c8b4

SHA1
9937991099a70bb8ed5ddfac34dcea079661a6a6

SHA256
459080a5e82d7cbe77d7a3a37ddef44ba5f1236aaac12947ea403e8335b86066

SHA512
d93a2cd329953d7382823af8f6108b8f512385da3e8556bee9824b27f0c66596cc39e5c1c351239052bfb280009e2650a85f5adfa380ce76a8985147c75d46e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7227504dfd71c51a29d722135cf39298

SHA1
8475e7215626c45626c60aa1a150ff0292a2c77b

SHA256
726f5b33043713c2fa793bb57b762f05be1e36f0105f3c264f459c8009cb19e6

SHA512
8837c393ab27dd16f8c43e736ac8e6ac210352f46f00ab530f6e9ad61abe9edba7defcb0ed11b0369f5d1ee24fc61a655276c85cba407aee89e2ff305eebbf11

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
47e0ba12bd4662d9c5ba51d9449e0f6f

SHA1
7448de68c3d953c40c10e2f900ea754251b9799f

SHA256
b6574256e679b5af1fbe8dd6a20372b859fb52325773383a70ac0620e7a124de

SHA512
8faa3add76536e3cf4a33492e88991f7bd8f721e5818b0187f9b012c3592727ed6f6253bbc0cb140313ac7b626ba1b3323c154bc4927955d303f6665f17e66fa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1ec4ac46377ac5a67cc33dcae5c3fc76

SHA1
693e0f1bd975478bbdc2720c2a58f35c6e6fdefb

SHA256
1c48d9c1ab6b91d9c08eb80dc87ae6ffab167e095f336cf0096bdf58b7076486

SHA512
fa542e2bbb358af590c82166681a466bbe928dae785cc25c1d3fb964604dd7124bf80d25d735d1b417157fde90d13e8dc8927502a85fa2df4e79031ca8ecf9a4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
cf50c0e73d1727c97af56177a13895ff

SHA1
42b1ac4c2e30c5ffefadb4d2d00b6895194bb5cf

SHA256
0742d72d8fd58d1aad2b4b7d671454a3613ec369fa9042bad80e87dfc45b8044

SHA512
5327137aff73784c05ed2963d1c582d30593cda9bef96d61f863f65f660c0a4cd450820313e96b2dc150dd378d8fe11961663e0d683cad86fee2f11b1d2e3cdc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f76894189aed43dea5a399eecec5ff98

SHA1
bc184ff610fa1341c2c801b632ee246d5b7dc62e

SHA256
591617f60a1e2a084826908dae52a927e51bf9fb13134e9298a0ec48d11876a9

SHA512
1c1cc0c8038c18306fb8d6b3dabd135a39e5ee81682b09e0b5afe8aaf7c724880427a138d8bc196b5087f2a1bd723a38f79d4e26f072f4f9473084ef761e9cb7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
16e526474ad6da8ca1427b48ef93fa5e

SHA1
b037ea03fc13f143ef67bd84ed309688ef0f3064

SHA256
b8496166e664b39b6c2e6fe4e501f8340bfb6f4e9c9f543fdfea8e0364cc5a4c

SHA512
e9fdc77a2b83cb9104949d3bba7030b870af28e4d7cc1da8838713f5e1547f1ddfb85c7094ec445111d34f949d81b3039f20e8fea7364f3d037d4e69f5ac43fe

Download Submit
memory/412-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/412-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/412-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/412-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/412-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/892-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/892-54-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/892-173-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/892-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1088-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-480-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1708-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1708-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1728-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1728-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1728-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1728-186-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1768-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1768-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1836-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1836-441-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2096-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2096-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2096-91-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2268-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2268-481-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2340-460-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2340-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3128-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3128-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3152-86-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3152-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3152-88-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3152-75-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3152-82-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3544-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3696-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3696-1-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/3696-6-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/3696-7-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/3696-63-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3784-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3784-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3784-49-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3784-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3784-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3968-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3968-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3968-411-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4092-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4156-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4156-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4156-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4156-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4440-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4440-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4584-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4584-349-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4868-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-406-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4908-484-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4908-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5108-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5108-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download