a0d08b08993f5875d8e1d62a00b45f79d3f3e93c06e67846a59121e3f3c8cfa0

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Size

1.3MB
MD5

3d557431af9fe4d335f9048dac5b65b0
SHA1

a8002933a30449926e6cb9eebcde7f713690b189
SHA256

a0d08b08993f5875d8e1d62a00b45f79d3f3e93c06e67846a59121e3f3c8cfa0
SHA512

5494b4ced912cdf2ffc225f984f37c8c476dfe809bd89a4e915166738385b25c34b94a0d8f939b623b5b19698ee73f22d996080579d50bbda73a7b99975f5c18
SSDEEP

12288:1QCB0dchmvqOoixYASUDvpg6iuLmt42bL7ZYjk2Daa8EHCL26mcrniAxPPetUJEh:1D0SOnYLUDvpg6AtlbniXHhHwp7Dp/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1992	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
1972	fxssvc.exe
3332	elevation_service.exe
2756	elevation_service.exe
1856	maintenanceservice.exe
4392	msdtc.exe
5024	OSE.EXE
4372	PerceptionSimulationService.exe
1628	perfhost.exe
5740	locator.exe
5192	SensorDataService.exe
5772	snmptrap.exe
4516	spectrum.exe
3200	ssh-agent.exe
4244	TieringEngineService.exe
5416	AgentService.exe
1448	vds.exe
2768	vssvc.exe
5064	wbengine.exe
3636	WmiApSrv.exe
5392	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6077317592be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad70b071e1b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff138c6fe1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082342e70e1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050035a6fe1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000507df36ee1b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfcb016fe1b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ac0f96fe1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccab0570e1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9aaca71e1b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d350f70e1b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1972	fxssvc.exe
Token: SeRestorePrivilege	4244	TieringEngineService.exe
Token: SeManageVolumePrivilege	4244	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5416	AgentService.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeBackupPrivilege	5064	wbengine.exe
Token: SeRestorePrivilege	5064	wbengine.exe
Token: SeSecurityPrivilege	5064	wbengine.exe
Token: 33	5392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5392	SearchIndexer.exe
Token: SeDebugPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	4868	3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5392 wrote to memory of 2892	5392	SearchIndexer.exe	111
PID 5392 wrote to memory of 2892	5392	SearchIndexer.exe	111
PID 5392 wrote to memory of 5472	5392	SearchIndexer.exe	114
PID 5392 wrote to memory of 5472	5392	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3d557431af9fe4d335f9048dac5b65b0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4392

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2892
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
98c3c7982fbbfe6ac3417b7bc11b74d6

SHA1
9b48e6d0e6a3eafe88010294978a62f2197cdb19

SHA256
fa9d223a26b7b78a143811d1edb909bbbaa1c181f1b509e50c9e195484cd708d

SHA512
2363822bbc94ab852d3267e1209c54cf9a614794964209fa76f2a0be65fd629fbf0cfab40a9043ce3c13410807231ed6970a3f24cb7854b847ee021410c99015

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ff312cf59f17218b24436df9833e6a94

SHA1
90c4b659c50b3015f2db4c4f7950de36da3dc0fe

SHA256
37eeee7f9b8222c278c0c747f4be73a665da482ffed1c628c8041922ef311fb4

SHA512
9003576417f94b94e990ebd6f02ad2ede041aebe47c32ac8319aaaffb82718c4c7e1e356550971f31f4036dd32a8a460dcc75d87a3c470e0b982b05ae5f513f1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b653d6be03d381cdef0e88d65c65cce1

SHA1
ea033ef3af1771264f93628dbf4a3b0624c7ef6f

SHA256
3dd323804132d608a6df6671674ee3a750d6a9091ae43b082c1642660f412d06

SHA512
6634e1eea55e12097024050df27e8ad6764a99aad6b81f3a57b542e15dd6a186ed363f5098e15af08a4d1bbb8884c9670dba4de86dac582665b348e7350e12c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
089553cc7556c45ea2aef8f7cc9f82fb

SHA1
ada39a9240378f95f3206e34f02b7a2d399102d9

SHA256
c8e89f318aaed2258616a0a6ac559d05488b30e0bbf7265077a9ed0c73ba6e39

SHA512
773af72e579ddafe836e9ba0eee17e1e82ab2bcd1b6730f31d5e84cb4f89e97c6db93da2436177e7ee77803c9c84a37f94e8a05ccb885f231ca168c6257ed48b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e65a65a663ad7634f0da7bc5f3385dc4

SHA1
bc351aabc394410c037c7c22b59c3f1f81bcf336

SHA256
de626fc4128ee3987727d70fabc5260681d1341bdc2dc61b1460c00f0065f017

SHA512
9a8eb8697666ef517aef97b62e17892a6f83ae7386974a16f806b90e64f02972012288bdde8affff09094fc751e1459751b9bba125d33bd602ce1662fe77adb2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
84fa513f9f0763444b284889d997f3d6

SHA1
54dd16c6b9f49f7ffc57392b4417e086f4d5ec02

SHA256
adb406af86aaade24967134de1b3267da410cbe00a3fb472af220f2f4775b778

SHA512
ea3c3fdabbce6a004489577d4b2c850802d1ed4e0a6e2c627ba82a655b3f80a4f486f8e2a16eb1532a539ef6600de5787fda73ceb29b85527ab502089e5f8ff5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d8ec7e0c13dc12f193a72ceca86576d0

SHA1
2e641257532174bf02670ebebe6b80c8c2eb75a4

SHA256
ea16ae53be497f2b188f6e9a50e8ed615a28916e6a159cc3c6adab5419ef1579

SHA512
eb52c06d277648191ed9f7520f37ec5d03649752ccc37b69173d8901c15094effeca3fc738f9ca0f243025f853133bec24653908787bf596f3dec93bdf54bc1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a8dea8d24e5141059fe6cc5fcde00f3c

SHA1
ed35b5e71d6ed7433495b9072594dba4106ab2a1

SHA256
531e27b953e9f473400545eb1c094ac092eac3d29c241d91023fad4c3103b6a7

SHA512
d3f9d97852d51f01ef9a4deb5744467cbec5d370a49f592738c6d2dc4d58f98cf9be8efe95f620da4425398bcfe928c56171f5cda32531f4d68a6e6879717b75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
32e92356db20d8f2180de7c13c6e3e41

SHA1
caba077d8f82d986ba90a3fe1c089a44de104278

SHA256
07ea869d37c77c65d44d16d7a4e8a5f11e30664bff6ce13e1c97348f30a3b9fc

SHA512
a060e8639113aa8ef126610418b2d488774e706b8791dfb09f616933e99f7d6ec12d052b743dee9dd85616a6ced457f9429b9a702ec767ca751ccdd37c7e3346

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cd0746913e3d2cd88fe9ef0cb55d6e7c

SHA1
f6f997b4d4c4c9d983640fea6c34011bb90c2b81

SHA256
e1f5bece7dbc00e390323e609369bc87b9bc4e47efe11ebcea61f7a0f14fcb50

SHA512
b67a4605aa9e3a236842c1d08e185e959ef935947a9ce0ad63c3743e8858581f9e2b7c9cd8e5b55c4ebcea5dd27900f14b7d07784be24ee903869e8e7cbb135c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
34471bc44e7ed5c3be8bdc52408690b9

SHA1
f3def5189ab02025434989482cb2e04ffbc5a355

SHA256
cd5d7698a2df91d44b21e8c9437fd019bc58d4e601a7d22b3a04ded6a691ed08

SHA512
8df064aab8830f69896c8a70b491e9afd205eb146213eb3b008b1d4d0d9c727c70cdeca51b40ca94955f2f882975465c6baf6a72aa59818701ec7592c239f246

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fc3210fa6b408f6a43cafe8fbf9ca766

SHA1
eed378535d5e1d3e7b24ee62070189201a616a38

SHA256
01a26937edd7e2abb2dc6bb7cccc316fca077ce05327020646c379793bec0603

SHA512
554073afe1cd225db36826101e24dac7cd4aec980d57300218ba6acb9693b6880ffa7ec77d9bc3d3fd5cb8e88652d1a9bb94c56364af95f5ce03938c9624b50c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d13cfb0e569c8570599c412c5fadc0c4

SHA1
9fb7bbbfbe961d7aa8fec1c3dc247ec71c63b439

SHA256
ddf6d58c60dc0ff5c9b8ad33320114c841dfed9020421f752d5086f7317ae942

SHA512
7ad684fa95a5fa9a7d500cbdcd11d8f71c7119f8af2b701d4335c4c5b13828a4c186bdd8255ca4ec9e9747a1b4b471e306f774b715f93c3528129594d0ecc23b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
dbe107029855100af384ba03468e6663

SHA1
8c7379a33ff9d27471a72093e6f5a612c43d64cd

SHA256
fc999d2448fbde607c4223a042b8efdb5a69885acc51c678901b3d40e729e459

SHA512
39249497f91a523a593ba5de9120c4da53f3d08f1f05688abcb4747d3dd415c4b6208f6ae4085136b7548796217b5244159e000a997c85bef42f771ff039cc72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1e85cfdcab3e30ec639db4b576ee818b

SHA1
fc9df81c6d39876e1ac04eef61f68ba37a294900

SHA256
ccc60c788b9df6b235b0ea850ae6681b5d216d11738b3835b277b93253c550e3

SHA512
e92af1944d6a4fcf992436c011dffae5b4b8cba6aa5fa64a17e252f42f50f88136470e6db960ea85f5ad51dfbfff3d6b3c325bc55d70bc7ac59e1ee7046ca73a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7dd1280cfcc81b30a7f0cf610732fdd3

SHA1
9f51028bee32dc554bf4dfc7e570271b962b0643

SHA256
4d53f5d0480aa6e20260d878a5d433d83fdc83bf1e2745100008ce83e8f7774c

SHA512
5cd79ee67a09099e90df6c833c9fe7217d5bffd975a498ff655d37e9c1a557698bc9f5cff2171d519b746c2a540b144ba7273b91ce29f9d250c38bd592cac45b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f6744aae4da55cc1d39150ce24192f7f

SHA1
ab1ae35b7f48291718fd57be14275a24d5415209

SHA256
a8bd94eb29e13db3fc4bac257b6c8a7c0bfec33ce867fb52c9c0f6d8e25c2f16

SHA512
9300ccb78c706606a68e04b63fcdcfb364f671bb8e56dc90e28f8b49469cdd4c24365ab5903fb4376c07fba4b8d7db3be33b0e91d52f043f36622116f6414700

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
918a2f9e703074e8009cedf16a582879

SHA1
2843a727c94694522f7278a25e7193f4d59bbb12

SHA256
68f403287b76a405962989f4088e771d47dfceccfc37a5a2e6a24e815002f824

SHA512
619f9bb219d38b316155540123defc5551477f057099a006092c4d54f888b231eee0a844766b14828d40e8767e6e0c5e0b7cea2eb77868e17a28698107de09de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
387203a5d0adef73de2b81fff8c4dcc2

SHA1
187964695a3a770df2c37defaa885be2fd5ec034

SHA256
85ca555811ca45d8386d48589e2ad14c446ede330bb039caf4c780b1da8e16d2

SHA512
d0d636a0463b473403d9b784b64b7cb18c69420ad1c0e2a7c992dec6aad2185618e18d28e9a569aebc4ea57750e3cc805bd766a9c6e8bffcbfeff63d486da036

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
03189e0cb70ac4a8ff7b184a163e7e11

SHA1
421a0ca7a182b71995a070d9215d3af843367d43

SHA256
2dad8dfdb3f616c15a319e7f5955502d0fd8f33393b830bfbd93d0e72ec6429f

SHA512
16340b2d9660ca73b68036b98b52838817bbbe4683cb763cf4d1cfb3062bb842c9739a006f8a223b53d5e5c3578a03cbee30cbaf3607f6dbe3c467e039e69205

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
36dc6c59ce1ed3ac424640792a1af3f6

SHA1
596cdbb83bf57c8bd7953a70e680cb759e337b76

SHA256
fedc85da2ce64795d5b92d0a5a6e3fbd79fefc6acfabed4918d6a9e4377a339b

SHA512
db91b2036e463f50aa1a6c99940b575f48f4451bee7a09cfc53ead38e517ce0d55d41dbf0e123f84a3d3aada99b2d8d4f77ff0a6961e355dfa8be5936602a27a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
113b33e28ca2012e7959ba0f4a12201a

SHA1
0127a9e434ef35dad80a0c8b1e09d41fec47bda4

SHA256
879bd2cf87171779cf00578b26148de8c4ba68fdcc09da85ca372060ff7d45d7

SHA512
757ee646e52036b6689fffa20d82b56b60fc8bcb3e0cccf7c418db1fe101ff198f5ce39da031f2f9fbf098cfb86d266606e5af657a62c3b4da9a872cff08011d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9b1925b1db5d8dfbbb2dba266eec0dc3

SHA1
b058ca58e682b05b23533ebf34291e562fde4087

SHA256
9876bab11454066f4abd780c57e58e891ab07a4abbc645d151389dcbca17add6

SHA512
f294b612fc6699f3482f8bd8934e504b4bb072a4afb2791cf3c51d8d9d284acc9171e3fdfd599a218beef18d8a2a65930b5e8376088f58785c5d39103518ba6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
dc4046f6d521a54013c9e196d0f80a8a

SHA1
2a9d84a3155f4335e95f1b620984bae5ad9ab0fa

SHA256
a528efbfd2f8fb40eae41073fe9cd59574468cfeaf43b9cba6217bff382a9b6e

SHA512
ec745b774c3ad978a5165db13145bf58facfa6adf30955a002cd0cb0f2240dd1db169571e96432a6c218ce928aeb6af8e66314228d22973daf1ec86a2c06588b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
69eebb0df88a9e73d91b4cb86fe2d9ec

SHA1
80c91db602dd641a0b2eb1e6fb040b844e973e8c

SHA256
11da88f4749f5860fbd8b446e2e4a1098acea66ecc71857cf66f48655780b68c

SHA512
de1aa3b86e59e5ef8a237279795aa2fab36ac18f3b83b8e744181eb4036347942dcfa4b2a7a9aeec2db700aed3bf07764b7ac3441f593c239dc8f1f727dbee98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
3057963f6fc3a71570f4bebbf74d61f3

SHA1
691a94220453b507099eef41439a6a054862c04c

SHA256
6c76c4b20f9a33474ecbdf30f296e67dd87d27dc4259109aa13dafb5b9141bec

SHA512
efcd5dd18aca3829239826862d519e1422ded782aebdd2fee64db23f512085ee71989b18bd86545d858a7b78d4fdaa226c35e2925cecbca627b1022399891c3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f0ba6bf517b8256ebae54b9a61add04e

SHA1
cc9bd1fb452207c48976b12b4561bbf8240a3e45

SHA256
999bc57fabe123ec74f81eaf51eb3367bab64160f27729a55ddf02e946b29157

SHA512
371313291521fc750eac7e33c37058b28ee9c568c2c844e9c0785d2bba237f9407631b98d7589b552e88b02ee3456ea196be14780fd402b7812d93512358bc82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c889119dfb608566c3f511a7345f9409

SHA1
368b32fd821f2aa2d08064f9dbabf3a79051bae9

SHA256
aa010feb430c5daa36d83572a9adf96e01f46a15b4a21fc868ab2993c94004bb

SHA512
2bd46342419c3e981dbe74754923a563e1c883f46010b5f6123b9f40e30b776996bea8d3b772284ca4e870bf93d7b110c784c5714a2e42b650739d72d668187d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7845d6a89be699df18e078209058e915

SHA1
5ee02dc6f5aa3e2034849401d99f19737630f621

SHA256
c0aeea2048d9a6d89035bfe22d2aa38b4cf63b8279601febc9bc38d9e24e3dd8

SHA512
d9208c85fe5c596f2022e1808e92e7237c450ba1b79143d22e1ebcf402735d1401853c75d60165a290901dd503efa5e4de49402984c2fcc4bbb522a93d2553bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
76cff26adf13c03718e2422ee1ef5a70

SHA1
dc31927cf615242bec1b4793b12385ab869d2b55

SHA256
eaf33189e203dc1a7f7ae35fb3fdb539e7a42059472fa57414a0286a84a393d0

SHA512
ddfaa820f336523d5e702522143bb940abaa8d947966e9f048dd7b45e5347213885a913de9ff1f84ae71aab9da41e94cc0938e1e204a44f9e3469adc96b161c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a06b205542059e275cf9bfa1cce64c84

SHA1
b1293739f8b376378f9298cc38fb8a37035634e5

SHA256
eaa00980d4ba9f97bb7dd04e1b6d490d806c45fc3c5ed3932e205cd330f90b38

SHA512
597cb4f3d8352fba490545839991ec2811f8e8985478d9b97a598f5e0c5d0008c20f766bf0836eb1d282664ffa546b69616d9aa28eed60e18d4a84f8921d571c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3f10e1a008de1040f4abdb5b20ae3e46

SHA1
5f0be60a0b45f54cb57e6735faf0eb89e7bdcde5

SHA256
3e652195e641aee12265a09dab597a89a94e96a36199eedb63eadb4510bbec88

SHA512
aa17fc7a9756c0cca7acf4f063d47e1692e1fc604cc3d32cd9c0b672c59c59b174012ae8e90267b06821e5d5887d74d6a03689f36983c67513842b6444b7e6f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6099f0d8f613ea40f41bf35fe49573c6

SHA1
af53fecd9b2094ad4875915851fba28b4abf225b

SHA256
a73fab3a10f8cbfdaa797f714fbceb3a163a73b260d88472b411f69c6cd2f643

SHA512
414162eaf8863be7f011d791e303cdf896d066add4e832799ff291745efc68b7c1a93a0444cec485e52052f8f9651dd56bdb6f74277905a1ec3584c2943dc198

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5e0dbd6c3f4c6f5c151ba2316af40a79

SHA1
f7ec80b2f59e9fe0b9c05fdf3419b25756012df8

SHA256
164be153186b627c2c768a53845ca005fe45e1f33a97663ba62456720476a66d

SHA512
48c60d735ad6b5ad737bfe31191414bfc4ba5bf1d3694050eed3b6b5654eddbedc9caec4baa999c3047a1678e5a311db511df1d5062ca1fdebbbdeee4ed7a789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
306907589727f87c3a30a700fb8d85af

SHA1
1c87af32361ae95a72d5b16b91df5c50a7f06839

SHA256
ae36ecd9a5942c52945cf790ef2af885e3308c2bdf0c4ce9e09e3822758e38e7

SHA512
29cba80eee7bcf71a24145deb4c2b68462acaecf1c5e57a63475a2ef49c6a0a20dc0c7e73cd1f7983c6c7488fe3fcc3e3ffb8aebcec7dade2ab8960beb5e690f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e615dfe0b665b2a90f33f51460623393

SHA1
c954566e8e5e65136eb0c47c97aea8febefa9fa4

SHA256
f474d8eec236a69876a9d4102ccace07d559648247d5942347c7dec2cf84913c

SHA512
b4458ca23e7ca0ced1c978655bbc2295313c6f1c23125040d8b419c79da3ed4355ace102423dfc8275af61afe865042668cfa4c197b5a381016c05aa37f6738a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e843e090f309b19b8a6787c71e9b3aa1

SHA1
bc0c27f490d6d7dcda88f5d29cca376ec4abb993

SHA256
f5458e2c86017bc0ba25388e75f60ffa8a5532071ee1356052c7637b61ce7858

SHA512
6eb76f0945266f339b8e8ffe884a68a2b1042546f7ec92c9cab77e2492f5f85818666a4962b83ef7f8bf39611b75567bb76a6c10e4ccfd85dfe941d8a3d36cf0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a9f2abcc4ea2d448e0a80ffce9bbf423

SHA1
e5c04ae3f2fcf8ad21e004d056be6c0df0b14ee3

SHA256
50db3e98332138e64a4de94e94ec57cb8048a07dc8f35479376f59729a2ae786

SHA512
c1b7c9f8a02487d643517e9383c4de2310a8d97113e61dd853d4bd4135acde9d27f872c3e7dc604d295dc0636bf866bb8889d5805a66fc95e2089a900e95d812

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
31fbb886dfcdfc1380938ce9b3d47a7b

SHA1
bda5f687487c8483ba71911ba16b1bd75023133d

SHA256
33224e6d3abb0dfc0ad64a1ebbf974095d3abf6eed0439604beedeca6135a010

SHA512
ebea7100fde423da31c33d8f1a8fe4033bc40ac05f34ebd8991250ac6b5ecbc3ed6996a9586ffb6698806cd2b1be42f114f9e0bb701b8ab62b80d4c6f829dd38

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e025e33a6511a1d6d9906f7111fa9b96

SHA1
440b21b64abafe60f6e17cdce1c6b0562d945d44

SHA256
8a12feeaa291704d92624b41e5552ddc6451c53515659ef14ff1923b0cab8e9b

SHA512
17cde34cb5e233dc49df5a8845f2a732564b13de29eb641e9033890996de6bb01ed038c7fd0e35aca6f52fddaecce4bbe431ff252d3c9f8678ad13c024afe4e4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9c1e1e10d5905d6c4b28ee4c5e86bd97

SHA1
ec635b38c523fb231937cf3f242fd1a7a0919b19

SHA256
cdf61e82911e1ebaf4271f0989b73e0d0709ec932e48b34f3d7f04f5ffe7d1f9

SHA512
1a2451ac34976f23b6d8a08dcfdc20b87264b2e0a0cbd213bdbcea6cbd836b0d0098d07714582820bb807c2469f8f50253373067a112cd3d045389dc985e00c3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5e22ed85d4f0783dc7333bda993a4bfd

SHA1
e16bd065dc859a21d57595ecf872936c137f2f24

SHA256
cc2a048e52c2772e26ebb305a933f1d5e6c35fb8115d9c7141933d7a4983c3a5

SHA512
02b64d32d12f42003261605c5a9259eca64b582ba2e54ed7fc8d3c444b087536534016f6a3418177aad495e647be3741c10a4f152508e27431252363673a5115

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a1c7dce4857713ccd0ef503f56e3eea3

SHA1
d35bed3e167a25dfba4458a72587c4d294a94538

SHA256
7f73e3930ad317bf81cc6bb48bc150122c4e0b637b779e3b9985689b77658a14

SHA512
5d399ff8d3377bd9bf44e265b3d2d5df45d64449aba3e3b91a4f7ff4bf5fa75fd1abb05c408548cb68ffaf55b332af9880c87e52a4afbd392eb933e9a4008bf4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
50b7a4ca95ca9bf187c00272277b79c5

SHA1
c8550495575efd6357829e49ffe2046efaedc649

SHA256
b90f049591ef85b3cdaeefd4c43ec55e07ed26308ed803d07837cde39b4807cf

SHA512
37a01d9ed40a36307ac2c17fcf2ce34b7447cee29dc0ebfff9514c8954b725dc8eeb16d2a761983010ed8c107c62d9df8ad852f36e1d4214f7f3c04454d1611a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
08ab1e797ed0686d4d70c05211346b4b

SHA1
34a95af216f4f4abae4836d173917328bee46a78

SHA256
a240b7f9f1121077d751de54d2072c6d14eb32b69f6c35424a9e5d5b2a8bf6bc

SHA512
42a46e3f4ee0075fbfd6a78b91083e777a233f5ec12288aaeeff09f8a558d56ec1f3e127db681851cdc640849aa940b8fcce1027d346533b71fc92bea5890cbf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3003fde3d960e9628b0f90e77c59fc03

SHA1
b2f6d9ab1c6b863d4e5d679f3d705ccff6303ccb

SHA256
46f8f7f57741cd32e88eb1778d2aec3f738a4d3899ae0cf9fdf6c3f99046509d

SHA512
2888ad2267277d33034f915df9e87650b8dfe9ebf4de37e74627451aed0b4a2d26acc6d06f73970e655a52a91e5efb46a330a4f3c2e29ba9278c833b22175ee2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
38c7723fe8e12b0da9101c6b32a242be

SHA1
99ebb95a8d9b90bfd16510d2fe2963dedc4f26d0

SHA256
5665eb5f9deb9b7768483d7e55bf1840b7759ca76c2d696348bada339c05e050

SHA512
7c20e8b383ae26355f75c1c6cc2f8e99651fefd31678fd9804e44b3eb65b9e8f050ca9a2991d284d430014503e2ac42af34c11aa83e310c3958b67e53c6be616

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5eeb421b8513123c3f8636825094cdc2

SHA1
d164d9ffe2872aacc7c392da5ac5d1c00e60ef47

SHA256
e993d18abc59b8c0aa4e43481d4e92989ad2c835a9af89c5c85446ce95851e1b

SHA512
2af4b9d497dfd33150a03d0cfc25ea3121fb45e330c3f12cc95b7cfc5e1b71b20d5c1d9c89a886df02a8a71c9e2ded8b9536fa64c4effb50a03e88fb7f6fa097

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b1e5aec0fb99c6e19ed192a3c0004dbd

SHA1
d8cccc5dc30e33f2eebba404fa267e87bf60a831

SHA256
5fc3bf8aa6ec669f106ed470ff4d47eb7847ba6704cc9c37d555b3d2f1c48718

SHA512
4a9d7d7811a9f4e0bdee69c9ebcd2881e61dd0cd96b9d7dbcfbf723af1cda7a6b2b145ebdc69628744e32cebc17c7182aededb5331619ca6922efe6a5158cf7f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31a62ca65c99128a6af64f565b8fc80d

SHA1
eab276c95f953c2af35bfe226740f538aea7bf33

SHA256
872865a8539ff7001581b419f3deb6be830c3a623820173d633f00c7f02a6d0a

SHA512
3948bfa86bda9381dafdfe35e07bd1b39c107f0fc9b04f36fd6f45569d6a66c392eddfe60eb7b26dfb96a882396ea63e6d7dc85bf824bc4a16d8b421053abc44

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b1d01cbf30cf0364f2f0a0ea6c3f14b2

SHA1
7ba46b1c0b677d682ad92debd52e6ae17bcfbec9

SHA256
ccbf068ea2824e504c382df5b6d9e84303c2413e784b2c41506551d0a65a3667

SHA512
e328cf3311133bc61ad80e85999e2b2803e6a259d4d2ae202339ce01e852e15b45dc4ac910be086d00d321bd41e393ccc98811e6b515a6e0a26df79428ae07fe

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d406265697328db21eefadb160f2334d

SHA1
7338c6d903921025915bd1c995b4c24135094105

SHA256
c5a9dd2d6b1be68798f3723fd509eada8b90a5109f45e7d4b06fb7c5d9a1ff7f

SHA512
3d1ef86fa05d8538825d100fc27e677e1d98c162a4773160c504c847da83faa6ebe81088d0e1ab9114540651112966fe7f391561ef952be4665d7516e78afb89

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f86ba724075754ff4d3a406f9d8c7e61

SHA1
b6b84a8452f4baf74c3a7c368f43a7eacee545f4

SHA256
65c8f800fc57e0860f5ea0a76cca3a5db0fc1e219479f3af84efe7442f73d134

SHA512
2ac6815860c101d9040579a48f259837f73b602b4425002b86d29963b4cca62e4892cc96193c0a1616da0c8e36e1840dc7037a07da5ebd8a22a0493b0bbefd37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dfb0a5ac2ae9ee8608e998c4d3b2e73e

SHA1
aa8947e8a88c1ead7cd45ea0adb4fd8e45d81303

SHA256
fa0ca5bb564c7352d983f55940962435e8b66656748fd35ce39b6f41b945efdd

SHA512
647015b3274a6a6ff467187157bfa3affd1baa446a555dc63ffab7ed77f613fb5d2db9227f0c9ebacc1bd4222e0a3c7dc84f92a8cf48cec01d57e21dcef1e71c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3f178b3bbbcdfcde55d0dfad55909b77

SHA1
4e3fd72518a4650ff805f8c416ff77e58fae4130

SHA256
3cacd8ee6c577cb12da24457bd65780aaa919f1d3ecc9df5b2b61d0fe0d2c558

SHA512
8170a760a833feaa5af1f2557d547b3321e5c03b8ea8912e75c12bbd1ad0d63b365c8926290244041b72d2f6ba25353a44d5ce4dcf70e790a514457825dabc7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d369dffc2508feb9fed1d888d6a5cff2

SHA1
f88b343ac59daa49864bd04b322a98777a86eaaf

SHA256
9432564da18ce254da375a79ff3133c15e51a7c9e9439531fc92b6e6de7f4bf8

SHA512
63620ff1e3fd62dcff0813cefd15023bca9f41032459a39b8b65bee04f5c821f00be2d82288b1ccda89b0ae09b0429d3b7c929e3f77d168428448f29cd96233d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fb145b99ac3948ea8a7d376ec450e22a

SHA1
0e4ace8b1484501be548ea56c1e1634ccdf6675d

SHA256
216fd69da2fa2fede79e1654fa854b9231eba4be87f2169777fbcccfbc5049de

SHA512
efc0f06894ab2a272de4fd8f5b9efff9d7b20c4be82a468a7b3785e0f70dd7fbce84ff1a7cb9a9d57878eb48179a785cc32cb9bd9dbde582035bb119613853dc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8bc08dd63bef9693828c927ec93979d1

SHA1
a0714d9d27b6ea355661ecefa5008a05298088c7

SHA256
2e87293fca5da0afae98ac0052f9887e874cd66ff28cabf72058cc5e2d37653d

SHA512
e89e7be0105f05a65ea03613007b3630f5bcee5200585b9dc3e67e5db89e6d81ac17bd47490b0ce75a3496d4e499038f122b51f9524b8a37776afc9f79c7f70f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
afcd6ae996958fd80db85e83383c081e

SHA1
8afbbf90fe33073eb3142767fbd39a5dcfc7654c

SHA256
e9209559dc0982ee83257052511d4cdf37c3f2520b9b71e6747955ef152fa331

SHA512
2f0c99b2cb651123edb5a5717ef71733058a6f0504034b05cfc7fb231e18ca23529318906821ee885f2eebe71603bf661787a431566a2195236260d412d2edb8

Download Submit
memory/924-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/924-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/924-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1448-151-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1448-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1628-163-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1628-98-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/1628-105-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1628-103-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/1856-64-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1856-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1856-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1856-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1972-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1972-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1992-110-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2756-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2756-143-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2756-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2756-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2768-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2768-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3200-398-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3200-140-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3332-131-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3332-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3332-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3332-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3636-164-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3636-405-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4244-400-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4244-144-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4372-161-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4372-92-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4372-95-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4372-86-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4392-150-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4392-68-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4516-119-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-375-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-94-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/4868-419-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/4868-8-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/4868-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/4868-2-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/5024-75-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/5024-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5024-81-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/5024-154-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5064-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5192-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5192-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5392-406-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5392-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5416-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5740-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5772-324-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5772-116-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download