4df5059e758764c8cbc29e76eeab1d50bcb3495b7eb667317f2746d7c26ee79d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Size

1.3MB
MD5

6e18e6fa0bfa68be90bf7535d1ed91e0
SHA1

05ed49add0b6a071201929c2e26868ba36d2c0b6
SHA256

4df5059e758764c8cbc29e76eeab1d50bcb3495b7eb667317f2746d7c26ee79d
SHA512

3c24e0336732148043f45c86da2a5ea2993678f967371a74e7864b96704674f259a0d4d790b535a861f09a521a50e66f735458f60fad89505c584da9cef392c4
SSDEEP

12288:GWPrGxzQ9TA1ubv6IQ3FMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:GWzGxmsmSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4588	alg.exe
2840	DiagnosticsHub.StandardCollector.Service.exe
3464	fxssvc.exe
2376	elevation_service.exe
4200	elevation_service.exe
3792	maintenanceservice.exe
2744	msdtc.exe
3728	OSE.EXE
2896	PerceptionSimulationService.exe
3724	perfhost.exe
3152	locator.exe
3232	SensorDataService.exe
2496	snmptrap.exe
3188	spectrum.exe
4232	ssh-agent.exe
788	TieringEngineService.exe
4772	AgentService.exe
4092	vds.exe
5028	vssvc.exe
3572	wbengine.exe
4452	WmiApSrv.exe
1216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1b4f6b5b293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d15d11ab1acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d321d919b1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4e9451bb1acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7ad4a1bb1acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afaf0c1bb1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cd4511bb1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ec4001bb1acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a962fe1ab1acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe

pid	process
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3464	fxssvc.exe
Token: SeRestorePrivilege	788	TieringEngineService.exe
Token: SeManageVolumePrivilege	788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4772	AgentService.exe
Token: SeBackupPrivilege	5028	vssvc.exe
Token: SeRestorePrivilege	5028	vssvc.exe
Token: SeAuditPrivilege	5028	vssvc.exe
Token: SeBackupPrivilege	3572	wbengine.exe
Token: SeRestorePrivilege	3572	wbengine.exe
Token: SeSecurityPrivilege	3572	wbengine.exe
Token: 33	1216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeDebugPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2452	6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1216 wrote to memory of 4824	1216	SearchIndexer.exe	SearchProtocolHost.exe
PID 1216 wrote to memory of 4824	1216	SearchIndexer.exe	SearchProtocolHost.exe
PID 1216 wrote to memory of 2552	1216	SearchIndexer.exe	SearchFilterHost.exe
PID 1216 wrote to memory of 2552	1216	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e18e6fa0bfa68be90bf7535d1ed91e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3188

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4824

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a037747f2740d280db6841143cd2934

SHA1
a8a923be5141ff2d7e396a4637822a548c71c8c4

SHA256
2ddcdbafa6c2b856ff3a11b73563f68ba70815ea4a579a3178f6f5cf91dbede2

SHA512
bf62aa64ef233f1417412e2070335a169dc376760dc6f4bd24311d87139082a7bd8d482f141e77721175d783223f69216df84a78fc385129bd6126d8eb3946d5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4f3210c9db6b3fc94bc43eea42d7c0ff

SHA1
0902e5108e46d1a1074889b326b8c93d108907d0

SHA256
dfa6abc9d8c92a6b94d7e6a67f4dcb008c9ef48362bcb3aa353791bd34d33508

SHA512
7d23529b25d9c0b49a6d7a473b64bd82bf833986d6d336cb0a3a1bb3ffdecbe9d21885669467f22f3a0e1b756ca64e2f66e0c2498f5cb5ed4980258641b2cd56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b8ba197fa3964d781f854ce88aab11ed

SHA1
b1b17049c5d879f6181418df751a553a0ad2af7c

SHA256
13495dc384cf814a58346a64e978d08ccd06a9c35dd0e7bd66f0493dd26425f4

SHA512
9e2b8366bf6f6216aaddfb87cd0af4aa1d98271a67998eac50a5e8380befeab037f088da15b460509bf971dadf5a817e717efe4019645eae470cb0a6162a6ae7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6322e8a8a0f203c26e93fa17db5dbf54

SHA1
841ba794619dcbd104a6d100b86871df3fa04954

SHA256
8abab5e080b459770186e74b84865d1027faac83c578323ab77e581540cdfea2

SHA512
9f1ed77f6f0fd5f9cd9ba58369132aca66524bdce84b3e408efd3f9033485f545eb8927e9922c69f9ed393bc8396ff2d5fb1de3efb2ae7834bcae858f0c86eaa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ab5ef28c9d7108b5392c5b8cef92faf0

SHA1
412ba4a72e165e2038ab121fa1b3221c1bd94977

SHA256
6e6fd28b63013ea83deeb82bd266b1a5e06ebd3541e0861e5d91850d7faf4244

SHA512
c48a8ee99ea6faf5e8e2f7a161be629761713ef836b60cfe1d6697e9b9281b58933e496abf05b493c28ee3e0bca7fa9c01232a297f9787cccef400da52772933

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
497b45c92ccd270748b509812d3b036d

SHA1
75d0e4cb72d5926446c4973f2f5d78144debdb75

SHA256
efd0e3e93a6315967a3fcd3236daf1b04005ce2fd597948fbe0206f3024b4238

SHA512
57a1b4e69d3fd4f2fc6ca596dd996616b9726d2f07c6f263f431241e527494b1c8af15f88f2cad2d8a5c1e4297eb213cbb8f6d862ad230fb86710a8306f8b126

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7d3d510c4761c51440bc8e8bf80a184e

SHA1
1620edfdafb6911d0235399425f8f32d8b8df176

SHA256
15215a72e63db3fe3d35550c93517c053943165d79d31f46dc89b32b09107967

SHA512
9734a1eb27d1d1c46e5c6715018329bac9171ad097043f5729d3e827646aab38bbaa7ed7b0f0d078048691f65de441e47685cde56f6cf3be9c2a9a159e81bfd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
213f10cec073c33a2ff9bb3893f95c40

SHA1
869a48618a0bd2ed6425db99e94500847ba41dc0

SHA256
c099f1e744f9f0fcfd7470c694505375fdd6034d5fecd0cb2d085e26894b96e2

SHA512
9df84fe02f5ceae2f09aa5dc6fab3e99769bf18cb92a269ddcf767273a365f0a7aef6373feb193a4095c2ee0be75f04c24251acc913696e0618d126ccbdec1e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d3fd04aa35ef527625663fa90756a125

SHA1
95f42e4bfe569b1386743a3e8a7bd53f135cdcd5

SHA256
37d785b705409ed9348888506f98b8bdf75952bc1e5306199ee04bf683cb61ac

SHA512
b702fd9b95137183787ca597423bb97d6583cd703e4aa54a8ee9ffa606c37028328d4a4e366f4f93484148bd91cf74c5b5f8b9b9608edf795bb6c9b3a6f0e3bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b052699e07e660b9112468c261ed84e6

SHA1
35359a70c820d2a8ae549c14707d43896cda2840

SHA256
1ce20eb3a62ffa29e08e4b38b8c16911646e5523c8464124cd5678597968f21b

SHA512
63c70c66a434c2e8e660dd0a0f7ce04bf5e5567e38564d3895bc4e1f898439c46f36c6c1b831bb9cf172fa680c5be78fcb656db83dad8374d65d44acf304038a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
90f16db2d3bcbcf1e89a79d11d6c2bae

SHA1
8e546cef3badb46dbf2173092c5360c07cfcc71f

SHA256
489a2357203c01f4dca58ef51a05cfca3298b674d2fc1e5ead06c0f65d9b2058

SHA512
555e480f9dfad501dcd5ed6bf9cde764c0d3ad4bddc1a52b112628b47fe61ac0397f14dc3f99ab15c6c3635e1b5649f9610b364875b5f6c6a30e092315a0bd4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ed1f98bc4512be463e4dc3226cff13a9

SHA1
e4372d817a764d2810885865fbc761670eade905

SHA256
0a112a344e335b6ad68bcd0982b583f74fac2dbbd761341af73b006818a056ec

SHA512
0ad73fe37ad0c63e1c2da9ddef42d5446b82437d3a407cf61a4ab12c826481adf578885e9b459d6ac078489650b1fa8c0e72cbec5e4c2fca976dbe5973cbf079

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dc99a2a7c6d5e8038b58c34eca8c29b0

SHA1
b426c492b01b4f4102ea1e252b301114f24e3c5d

SHA256
d2df6df7efb93e7a16886095d858c0c302383ca0a81aeebb6e60fd86dfc67160

SHA512
af5f2254bb5faea086b16da51016abc8c054ae876e8a5fb706484b32da9134395e6339aa7ec98299c4dac5360d3a378f74b84fa19a9383162bb8e31eca7b7b6f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
37ba5bd266120167c856a7e3a10f6f7d

SHA1
9c5ba7c1d08f97a1c658a691a9c1ef28950a9444

SHA256
c0c23ad5dc7eaefd5f772c1283c527fab381930541e84bf1f6a8fb3befab1f93

SHA512
4cf754beeea051b06a85a2a21cb1b356ab16a11acf152a069ef42ca9b134045b50822748b152e91aeb59153db036c279bf0503051ee2b912f63a62b9a9bba813

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dbfef64424f0b62ba31e0e8317076b78

SHA1
551de1323f9fc6d97f6680ac27d92756d5694576

SHA256
553769adc20905ae8f6157c76d2921091af3bb2d6d8a783fec4e501e65c7b438

SHA512
38f614cd1ef67f06062872cea8c621ad06f638eb79cdd10c8447041e28018f22c3ee0bc1775b7f2d60b8241c122aa44fd1f12481c2804825638b92fdaefbce21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6ba26dba755247ee88f086d0a734dc31

SHA1
351fb6186d0521141eccc83a33a35b9378d0d77d

SHA256
0197fd7253cbd4961523186aa48632e4f0f6dfae099e20b5736ebbedfad1baed

SHA512
1dfcdb7e403b482096795efa577a20ea9e1b38541a15f969c783f0817e9e461deac43325e1a5a43db98c5f2a7ab2521ebedfb1216cd6ff6646a09910fb5e8b8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
39212980fafab447c8faa6ffda5335e9

SHA1
4933f1f3273a0879f9192eb1cfe43cfbcdd546e4

SHA256
b11ab3e2a94da235ee2e79c3bcf4955b39d58ef0d254c75a635b45dd81d4443a

SHA512
57d2b711d06f44e2c8a1bce53066ffe3aaeb75ff897b1db6b0e37090aecb4d9e801afb090d41312588142078d312c36e61e0a1f3a896f0aa66a4f617dc1c7832

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
be2937fa811654716201239aec8069db

SHA1
bc166ca4cacfaa6f13fb16a9d664bd918dbc7290

SHA256
05e2dff777e9168169bc59ce01a3e4a0a7e2a00dc697f6946df70507058f29a1

SHA512
3255042b8518244f436945c9930ed7b9c85598067b9038c67b89779f003ac9787cc9ea78f43de85b336645a4094d17364c405ed003ac4b60650647be304b4d06

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f9099ca6b354803cbe2ab31b31a6951f

SHA1
eae52d9edf38887235466f04db75b9f106d7d4e3

SHA256
90f968cb8df6e75977d0d33a40237e1c4c1aee6808981479635a6f202e86bbde

SHA512
a8f627d0488987081509f91d7d645f7015775794bb4dd978bd2cc4265cb5a18d4d93aea5fb6d0aed617fb266f56630e5ae12db4893c561695978ab0d02b11fde

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3454a0a7072afd77543f7e6aabf28504

SHA1
4d45725b6622be21cf7df18c867895af759a86ed

SHA256
5e4396c921de6d4d756e88fbdbd0c79e21212d559f2201ebc01d6f22d639ad98

SHA512
69ba4690c369e3360fc5ea0c2d05597f583c1233d1e6ef52e7508c0234e682e8d4903e8ae8b519842b2c9ba7359de2df1a766e1599bd6b819bb9736ffaed0527

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
68cdd0b3d08a3b6ba9fee1f5cba91f46

SHA1
b0ef1c1b1e42cda9e1ad702b27a2505ae52f13c6

SHA256
ac549e03be87baab91762a8f1fb64db306592f2d52a6bc3d1b3cf07988362542

SHA512
b5866b120949085a692ebf65515d14cad4ed97f6c2fe2f2bd32cad30dae146626fac9b34fa18aa23677ba8a2220df283bed3056ed96e79bf8c2681c790a36492

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
01be7a7dfc1aa0b17325834363a743f1

SHA1
e6a665df5063851ea97926a2f7d4fcfc5855e741

SHA256
f58317be15983828155b66fb8bb0a1614e819516dcd6071ba9f5b2c007ebe766

SHA512
a3529e93dcff77e050891e31bc5078cb443c1caed00d235c4f78061df4b528bcbedf35f753eeee64b4dfe0bf202a3924650d09a17063f7255fd7fa14ac466656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
06d6846981c9f6953f5d1dc9d15f8998

SHA1
ebc800b9683257711e2094fdb42d008e3706d9a2

SHA256
cf38cccef95eedad13b53f8509e9762d728c9f11c9e133d875bebdea92d08899

SHA512
223f7277356752f38e54053a0a4fc720be4dccb1fff653d089b499118d0bba9a60bc2fcd103bc85fa6447e51a965b8ff287c4af2709e37c7fc66486575573ecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ccc2dc1826ca3f061295be1762b0c75c

SHA1
d9424e1a660c74a36b8b4061018c29278fd37993

SHA256
bb7ab6af346d2db84efe66dea4923c57f7d8f86093c9eed18f358e276a58eafd

SHA512
de91365a5c21eaf98567ab0f8f527bc366f4ce304b5b7d46467b927f9f939275088fc48b38893cd875662381094c305038d2fcee154d6ccac033fded4d3b8831

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3ac462153cda3fc8936713c840df85d8

SHA1
d6a27e614ea75ff7e32cb7b6c888f5e3cc5447e7

SHA256
44202d993d47fb2f4593add791bf785cdc4cc3e69d24665386a23fb4e37a78f8

SHA512
2946c4dd2920e61e597581194a37ffb95a89cca04de53226540aa1e2759994c4115010905120694e722a5226c907f73bf6d90c0c45433784e7c53cc996940a46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
8f09c49ce6648da7510ec51f965f427b

SHA1
f45b866ea8e17103873d28175511f81bb438c958

SHA256
424047b56ebc99ef2ced5d897b79ec5fcdfb46da99996e9614da7fea0e45d260

SHA512
1bf4b7b6791d25a096e7e26b2c31dd0c1fe8ded5dc8ad98ce12149bbde262c862b8ea92c708a932f2ae84db50729eac24dcc6605af662b4442068f9d53a49f3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8fcfd5de7edb6a97621a8ed7baa901cf

SHA1
84796655e7196baf80b9ea1dfea82ffdfd7a660b

SHA256
faad22d7f82e7a20bc8092312094348c90c8830b8392dd06f4f963571b56bea3

SHA512
c8514f3c7e2374562988b11fd4391df1cbac80f3fcf6a51fdddac8bd7319ec473bf1cff971c5ae5f6a1be1443fd02428aa5e0c60986752bcfb324325f2a7fdc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
eb8ebad23e71effde00aff471721ee50

SHA1
c68c9a62e8b75deae5b003e29c61f44a2bd26f05

SHA256
04005b48db30f3a295cdd491799fd98a9971ba63273802130ef1114caf32b0d6

SHA512
a1cae5fd0e46fb763b31cdb9acf9f5a27c5d25c5a196245edba1f2d600b0feb643f7169931175483dfbc40720c83bb77e04cb63c0cc0fdc5d1c120eaedcd894f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
55f09e1e869281a119346d47a55a889d

SHA1
ee66e988e5668033860b10f75fcb6f90f0f3b3d7

SHA256
17020a40546068553ce5ba0c5647c2f6f8175d1c577c67b801fbee491273c599

SHA512
c4aeefb566698ae85a612f30d86c0b427b4cc21a74c1ffa95582c4c516343bbe9f3291d65f00c12de38e6c5bcf491faa3cf066500c40a2894e85c4b3c2ec93ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9ec7aed331a8ebbbbeab001fe44281a2

SHA1
6daea3b9715805bb5f5b4eda95ef6dd104296731

SHA256
0f314706d3abdee74051c7bad2d0450e47187f420f7913293861a1a7b0a9afbf

SHA512
b44ad02f2595fae7b4bd9fc28391731c9f6beedcb8d2bd1d66e3abfa611c4f76ad796ba0cc39c2ab487870f886f3e4e6d68a4af5ba5e96cccf29a7f9b9fc000a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
8a349f4839db3500103c604761e6ea61

SHA1
90d6c291f34dd212d65cb3646f3d474337be1d0b

SHA256
f9646c58b08b969fc99c01b56abd0b47ddc3698645e3fafa070063e42662038a

SHA512
39182c1e3efb4fa88cd5f487d5081368ccde5541725cd4884b22f62e5756827d38719c65bfe7dc317803f922d7aaccd04274626a638c80bb81edfa26cff03c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ac0029d8bc71bb593201b6dd15c10af9

SHA1
a1ea6c46df545ba47f0c9760707d10c9313abefc

SHA256
026a7c399c1d848d8c14da2452695ac5649a1a43e3454489a60ea07ec7371f73

SHA512
5538ef5dfac400b8e88ece131174673795249d01c213ebfb92d27a8bab5fd50ef7272897bc4a56ec17e7c116dcb1c228ab4a544e48a905c9d9dbb376da8758b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
85119ca0424dad28e0182f5be2e01020

SHA1
c3cd5b685085723c6cc26552d006dd91be0dd352

SHA256
db5094af11a4fffc3b0cee26b0fbcd690e7ef46d51e01f76d43de1b3dee41d64

SHA512
12a76f0d4513d0f337f814fd6962cf295a2a228532eb09c612dec45ef1444ca88c19b04d17eec76210b93782c4807cbeeadf81a22a72c93e4b4dfddb27cf6bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
fe6177c155879dffdfd5bf22c7eae88c

SHA1
06f5fa8d63f9989bb933086eb9df62ef589eaeca

SHA256
db266f29fea6d29adea6891eaa4d182611172a34d82c91bb1a4fa53fc44e89b5

SHA512
89a6c59f02fa0068d26e7687943b8d327de31b2321e8d369f78b2fbba807b66e0426c6423dec78384e1aa5585ca302095982233db49280f505eb40af5c23a677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a869e338aaf3a4003a884c6b4a2a0017

SHA1
ee2bdfeea31ff7560f9549e5fd9d9217ed77ad2c

SHA256
dc5417d37dc791fda44f6e2825a2aea82c7954a8d56807a24555ca5a4de727fc

SHA512
f0c8a51e72aed3d07d2f35f275b9b5a665ca88be84d98610fe84d027c2d3e68c465f8a4f35f0f43941f3bcfd5f279da4c7b87d2e56517c036e08b373c389c7a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
599dffa0af1891511028789c5e2a9248

SHA1
1b31e95eae848d05b1a7c2037e522d1728485e1d

SHA256
9e7485587fe7a39a42f06606cff209541f7d957c14165ca04d8ac13433dbdfaa

SHA512
74a5b31f93500cd4bf5e15b84da5fe89d9feae307a76b4a8f3d7b285130d35bd8cd26e0ccdbbd1385846b1e4be20d138fadb104403262bdf433bdca0af261817

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0be718f46c7cf036e3345314302bee70

SHA1
116acd500bda9028eb5c9d8bea9248e4595f75d7

SHA256
c0555c464e9331153f5dfad3b9012d541008cbd0b1ce68b60fd5c5e686e5447f

SHA512
d98120d68fee45535e868c5ec56cdb2ec8438ba695bccb84f8215569b68b0ba173a967ae97827b3c8f33990aeccc50e7d0beb3a7435d41e6bd1f17bfc485f517

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
025910753c0403a84073a9df09c74b7a

SHA1
2589c1fb41e89abdff7e8563ad131ac2c955b781

SHA256
b0fa42a3f6f1c6464fe0e6f352d73b0052d01f6dc980c551500171d343d7030d

SHA512
ea88c175572c81439574e7f2887e686911090c3d896985b43bd30af0c7128dc4726cf5c8cfd804acb1a484e588dda5ab12f8cbbc359b66c8b890ba36a9edaade

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1520b76af9896b0d88421c647ca3e5f1

SHA1
bd1da2836c4690ed2db460b412f003940ba89c00

SHA256
47e5892ec579269ddee9772dd206c3bd5e6a564a6847e8b43afa8d0130962930

SHA512
f24d8e88df3061aa0c4918602978f520831cb74f17f19c11e2d377f1836b2756790fa429187ade6d6cd75fccdb1152c3077c72077b19cca4647094deed76a3bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
76a2cb9b1f334755ab794cd8e7cf1d0b

SHA1
414eba74abdde67853dcc0e732d8229d34a48b58

SHA256
ae5edc3f80fc89adc8011db8982d1367718f3c30471bfe4e8676c481277f0e07

SHA512
3f639f01b67a7ed88b0cdfd28896e2394c621769c898117afc0dbabc63eb274deadad835c86d3ecfc81fe12619f1b7e6da5dafa2cc6158995fed4c557223ab76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
1d44fb77a693630bd296b7305d747a31

SHA1
2064d4a72fef08b43995bce0c3c6be673e20b789

SHA256
667d9d12693518d024b9651008ac7d132a4451d0cebc332b4202e17c67ce93d8

SHA512
94c60005d3e174282e14b51e8b151b6bd6ce4cfeb7035e713cad11c33f754355bda7773769295abfefbdc3707982033db2662047fb359af224d772459e20121d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
96a2494085c7c222744328a972edbb2b

SHA1
3356391b930e030fc6cff15eb00345d913f8d18a

SHA256
1d4c6040ae285d8a019131eba8f79d52b153df6e4359025fef27c0d5e3e3a0f8

SHA512
81af9f2a347f68498568e143f7a8984ec068d11aa598ff46cdf31097acdf0ac42a75145fda57c628dab51f243e92d3afc27ce1b3a645676d946627c73743d6c6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6dadb10d19b7d60dc4cc66922b20b29f

SHA1
ce6b5f69a7e679b8c5cdff306df3912f444d8685

SHA256
f28468293851fd41e2db25030967a0fd5e9087bf7b70c14beb4d26efcf8aecc8

SHA512
d670dbcd1d3a37a6de6ecec39d548056c85c4f6bdcda134fdef7e04a841eda6ae1bb649350f46cf966692ce3126b66b8159f42125d918cbda8a20eab1ac887a7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
45741f05793258a362f146670608c5e2

SHA1
54ee3aaa486bfeced3c21a35cd9c219c3144c3d2

SHA256
7bedb74fa14d6845935d1fdfb5523acc2f9ef220765e35725dfdb80a3ef3ff38

SHA512
ba21d23a062fe495a822ea2095b6baa90e1c99c0630421e8dcd725fa7f4d23945098c2549cb1bcba4c95673c3f6fee3d51f6b60d6bd07142084e3b03816a386f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7711761755c6fc700ca572426f4dedd3

SHA1
5e936fb419d375f0b250cdb1ec6b2708d1cca6a4

SHA256
82ab6d7f9fc9cd5528077a0f8cac6dbd7a22cd1f5e8eb56681bf6b120ef38faf

SHA512
4fc603c99fdf7ee3b321adebb2a9f413c098e778690a4e624266fa389a1709dd48fc2ed46ae29ec868e1fb0b92c1a243b58dd4167a8d4eaca9ee04a68f930479

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cb5d48ff13361d8c65663a54a17b1e16

SHA1
6a94907f05c554fd8d300689924902e6c7e17daa

SHA256
ba1343dba59ed0c8757370b7195a7d11c08df91829ea5fd5aa48843a6b9ac425

SHA512
dc2d11f511e7820efdc4de4dc42af748d61d93283f0b29ed2c75e405aef8b833e33f886887eb11f998ecbf094698568829896ceca3483a19e2da054287ab0062

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bd144b4768cd910d4cd521fd16ddb382

SHA1
cebd0c3d64e4aaa7168e15679e591216236495c3

SHA256
1de0faf8de6ed0aaedbe316fde3900a1887915be9066812ff25b0e0b763dd741

SHA512
cd1642c6cbd3db97e21c73a9890c82fc6ea3576d37938c978d042b0fb4d88fcfd59b0db2a6ab35275ba237d0d337c7f17c2263a2d91e3cb7970f19a8609562ec

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
26637b5d476b77c99bcf269f19f539d5

SHA1
9847408ca397b0fe9261fae5f4f19bdeefe6ad76

SHA256
a970b21444877bbb5a88ecc4cea3e199cb2fe5ba3e352e05429a214f282aca9d

SHA512
4e2db33aa25afa33b7fe22e4ef4fefbaa20be875fa6edba448eeb9af5e87c889d1ae077b0a5c16a97febfe295e795169e508a564bb6de73a2a5f319ecefa48a5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
01e531cdb0253e781346719bb8dc5de0

SHA1
812c63a0a26986599a6debab84d3c89a72d5e2db

SHA256
4cddfa081d11de491a05364ce086ca42411dde8f022785cae8fd56aa52482315

SHA512
62361f9478ed7860e4d4ad372e45486d9e44b8378f610f8b40bde77642bff675db6ff14f302889028d936b4d0b9cc3addc058317f550d0accd9cad61eb5f93f7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
41c7e3ae4ddd8ec09261bb3315ddbba7

SHA1
15820c2eb12114a073c8709dac2e9f64362b8a2c

SHA256
53ddfcf4f342b89f486561d5374e47a9fe5d4974ca497dd8b1f44129e6d07ae5

SHA512
3fbbe83206181536bca8a4a1b9cd740ec93b18e4de9e97ac368a487215140d96164f4e8689391cf3f0d7ebb7e78519ab16df8ad0cff0ceb8f9136b1acd3203f5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
2f87cd3477e5e02f1a046734b9b44eda

SHA1
7822906bfe348dadebe2daa6ee9d0b33caac4b34

SHA256
2dce852d1b360b5687053438c80eb0dd83fb57576c3e8324e2b79c1136bcdda3

SHA512
8a19ce4d2b4fae60e9bf22289e30e4c2819ffe8d44bfa4bcf1ef3544f391afd2861e5605c79dd659436ac1c47af7078afbec40ef1a79b70ba6757b92be6a4ac4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cc4570a2b2b24c726c25f5116ae10b99

SHA1
2b07ace39a9c2828d3b8e12c019dd33bfc57f611

SHA256
8b938fb36c4ba709d9eec9a7e0408f8f680b642a56bbe0376e4b77adc6ab2310

SHA512
157312f5c27d7038115d178fdb8f9e62b9e8637ecce90a9f75bcd31c32d4be0f57e34a7f0ab6f5920ea297ab5a3623b4b76df69533ed0a9b025f1c8c39a47083

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5bbac2d057398ca96331f813c03a3e3e

SHA1
fd5a9e40ea8fcf8a636487e221373cb271265856

SHA256
df5bc109e3c4048e650a8b66b0d7814367cfa99bd17fea96ba487e8cf649c53a

SHA512
35d060481f9bd504fa163333bc36b50bb740680b9240f86a16bb05c75df0caa8e05fcd88570c63b6be0c65a765cbbdbd4f93bed21228d9b6802916bc6f5b9e94

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9a4731b822e151ba2fdfcf5a8b9f17e1

SHA1
2a59c660bda94fd6f988cac775a962e43464f5d5

SHA256
562ed3a0cdc12d5797db7c7c877925a2574fb131ed4ea10fdd674340c497038c

SHA512
69121538ef011579a9056db423a284631fd9d3d81a49a2738796e7a405158697f5fbe4137c3c2f274e6fe1042c57000cbc09e175cd313a6c909b46046cc489ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
425e0a30daa40b9dc4854bfba2202e11

SHA1
6aef876f210807787c94681ad2ca7ebf53458a65

SHA256
18736d345a5d59b4985db8079a5b0a621a4444315323d9c585b56eac301a93dd

SHA512
1a9cbe61528e6a0e46732c62fbfffa09828f13db811f09936bee5fa36d41bac0edf439143a62a4320de6c814dfd9150af72bc7ff1e3580e5457d3c85f3259c48

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12cd4e9acfee51615a85e61999e74bf6

SHA1
8a15f784a5a07423aa23512aa5ac087ce45f1a1a

SHA256
3cac9784f0f545ae36f7f300d42484a14ee3baa6964b3b15fa8139b76862306c

SHA512
e2d2e5f341661970f1769e59228322bb105850e32d2733b5c1a2b4525487a222ecf11f2e9a046772e0c70883c38f67abb54306c5802d4cab0526402df9af9947

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ba76018e754aaf3163c94fa27b44d722

SHA1
a27bb618c7c6f6f09e2cbaeaef2a279f30443174

SHA256
c00e307954e50f33375913a23bedb4a4ea38fea18513ad06fb8fb1a75ab7ae89

SHA512
c786db3fccfad0a496f8a5a1589b9d90f1b86c2248ab8c30ba3582609f99fde7a58b9c4d16a02f052084dc7f54bb58b5b8f452e8242dbfbb7442a7f0c3f19709

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
8aed44fe6485fbd42989a75b43040d61

SHA1
86bbc6fb298837ca2cee1762be24913494ed37a1

SHA256
b6a6aef2d41ad96be505c9f8af6c96ba4364f8fb75a4bcaa642ac33fda256a6f

SHA512
a4c6ef845d18290ff027b6ac30659932b1c186a0e84c4517f91a0fcaf67f55141120d73c5cd0b59110f9c6b25ed073838e94049bf215b4864a620c88685cf5fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1fe3cd4c18c71bd87ea4adcb31bf6812

SHA1
2d260016c07157a92872c616111d86ebdffc3557

SHA256
2e9555b3b53738e023d014dcb41266b7b53b7408f163b53e97e05a43557314ea

SHA512
f2deae34fb1ff1e2c71e85d2b2afe13e8d1dc1acf13d57aee78dd9ffc5dff17d0266ab1da5e789d817218851d19540ea817e5a9b9b416f5ba86d840b0feac6da

Download Submit
memory/788-314-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1216-324-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1216-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-54-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2376-48-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2376-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2376-613-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2452-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2452-1-0x0000000002170000-0x00000000021D6000-memory.dmp

Filesize
408KB

Download
memory/2452-464-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2452-6-0x0000000002170000-0x00000000021D6000-memory.dmp

Filesize
408KB

Download
memory/2452-7-0x0000000002170000-0x00000000021D6000-memory.dmp

Filesize
408KB

Download
memory/2496-311-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2744-97-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2744-88-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2840-34-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2840-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2840-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2896-307-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3152-309-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3188-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3232-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3232-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3464-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3464-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3464-43-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3464-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3464-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3572-320-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3724-308-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3728-306-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3792-73-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3792-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3792-81-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3792-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3792-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4092-315-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4200-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4200-614-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4200-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4200-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-313-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4452-321-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4452-619-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4588-612-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4588-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4588-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4588-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4772-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download