95703940824b8996a682a755b5a96050db3a7de2d12d3f94b59cff4f4a79a8fa

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Size

5.1MB
MD5

c8a9a3f5557cbec5bf8f38bfa923a8b0
SHA1

80371a9518c70d8d3019f2f4720d8a5b8190fb06
SHA256

95703940824b8996a682a755b5a96050db3a7de2d12d3f94b59cff4f4a79a8fa
SHA512

ff558a49566cb69a7827e51f5bd93f10db044bc1b835dca50db961f950f416deabd37ad19ea077a03b0a17ca8e4103be8f63c9d3ef7c9b8a4f6260a885979cab
SSDEEP

98304:PyENIIut+hl5p19HLOaFAIH3TcLWGO7d09GZkrCRfRCUyuFC4Qmd1:KEN2tm5p3uU3TcLWGO7djZkrC5RMQ/

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3988	alg.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
2996	fxssvc.exe
3176	elevation_service.exe
4828	elevation_service.exe
64	maintenanceservice.exe
4120	msdtc.exe
3044	OSE.EXE
3940	PerceptionSimulationService.exe
2936	perfhost.exe
2524	locator.exe
2184	SensorDataService.exe
2032	snmptrap.exe
968	spectrum.exe
3812	ssh-agent.exe
4292	TieringEngineService.exe
808	AgentService.exe
1324	vds.exe
3612	vssvc.exe
1272	wbengine.exe
4644	WmiApSrv.exe
1244	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\142a68e4293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004907e7298abfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd1b35288abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caf5b4298abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000883291298abfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000989936298abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000163472298abfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2996	fxssvc.exe
Token: SeRestorePrivilege	4292	TieringEngineService.exe
Token: SeManageVolumePrivilege	4292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	808	AgentService.exe
Token: SeBackupPrivilege	3612	vssvc.exe
Token: SeRestorePrivilege	3612	vssvc.exe
Token: SeAuditPrivilege	3612	vssvc.exe
Token: SeBackupPrivilege	1272	wbengine.exe
Token: SeRestorePrivilege	1272	wbengine.exe
Token: SeSecurityPrivilege	1272	wbengine.exe
Token: 33	1244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeDebugPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	228	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3988	alg.exe
Token: SeDebugPrivilege	3988	alg.exe
Token: SeDebugPrivilege	3988	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 228	3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe	82
PID 3148 wrote to memory of 228	3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe	82
PID 3148 wrote to memory of 228	3148	c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe	82
PID 1244 wrote to memory of 4524	1244	SearchIndexer.exe	112
PID 1244 wrote to memory of 4524	1244	SearchIndexer.exe	112
PID 1244 wrote to memory of 2340	1244	SearchIndexer.exe	113
PID 1244 wrote to memory of 2340	1244	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\c8a9a3f5557cbec5bf8f38bfa923a8b0_NeikiAnalytics.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\126.0.6462.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2d4,0x80965c,0x809668,0x809674
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:64

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4120

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2184

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:320

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4524
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
468d1e9b8e78b649f3d8c9a5058bfc41

SHA1
fe91632724b6215dc3c6daba84b381625f83b715

SHA256
4f7a1e493f6988aa416008261187cfe709d7ff73fbc148d6ed02abda445c7da4

SHA512
5bc15aae75a9d692c7e723859aa9342fd1d69e78877d02f977a1ef2f520e01ddc80accbd2d68421997daa1f90758605bfb564ca5dce28acd4b8f809fc24f9288

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fd7507f83c8c6150ab7323802fd92cc3

SHA1
53db4f8c29c4325b898ef2f5d6b289368958c2e0

SHA256
980e9f9e3824d5f2efc3d794d530bd3c7c9965c3a8be9d1a51491e1454876d37

SHA512
6fe6d1d3a91506f16d3b0d8d507a0e0457327bfdc511eb79c733f67d7614081bc95dd7419a6761ac620a5c8678ba630fb897ad3d792fc3449dbc59185e98e028

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ec721b56d73749dbfd8d559ac37d15e3

SHA1
cbc28f681b3a66856105fd0baefaa75e6a6ced52

SHA256
54b25da8085562f7bbe73ed5ca8a4c16993aa6a2d004d0d750987d4c321d9179

SHA512
38b904198e8e8eeaaee06a3148e4098f90d39348846028103910efe3f04981261ab8e9b22e26ed438d33b4ad6cede76f185ed93518a6bdf62b14355cc2e574bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bbf179eb672e948fbca6f03eed20d052

SHA1
89b0670c2086f3d49e442db30a5c45d8e5b75b98

SHA256
e99e61b3a21c37215ece13db12ee6d7edf214cf4ea1a1bd013c6614278c823c8

SHA512
907f0f47d157f3b7ec2ca3ea13ca84af7da6faea247ffa5e9b4a48ac3728147fe888d9b0d8f5f6ddba9ee87bda751cd497a8bde593f0558a83ae4dd2ed6c623e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b943d106f0d52b13a680a9330e605315

SHA1
5b65d2c2541eae22551d1632df09daea73cb3b72

SHA256
15557aa77647ecea3e2790e6909e8325866ae81c88b9da2aed693628bcc1708c

SHA512
fd8f40bf388ff78f1852515c7fbb68185e50488962c72c030d2da7fb59f1c02cf738b52e2cb4dff99813feb4e0fb75ee602f69ba95da0f7574ea9d0b03e3fbd1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
488ca9574b5b6c071062908f8d9ba0f6

SHA1
ca63f6dc7e3c25dc14a48df310df38efb02efc91

SHA256
080a3843841af7938e2180dcd330b6f276baaa2a8b0cc741ba7a537d3af51b0a

SHA512
6c77777ae237cedc75b89c43bc73935ee52ab2f41af577aaa5ba5deb8c34785e4cd1e92dc5b9217a6c7f732b8fb9b0c41c95277efc29a52cf744776bdc035d11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
74dfa0bb7966bebcfcb01599ed390950

SHA1
577940fb30873ee9edda8cc46e5ba3d1ce2ca1f9

SHA256
4352a6abeff4c1bc4e3e2d105ef90da62a553b637b4119ab578756a2857fa6fb

SHA512
f99f49d6e543d7d77e2be95c1a7c83fc0bf252102f83c03e1875f2cc0fcecee3e85dfe23afff172259b0abe3db4c0cde126682602d25e6c0663efbb94ac0a3cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8c7d47b65ca734637a8e8b0886dd78a5

SHA1
28fb9b4f389f31bc6a728e222ec8db431b9fff23

SHA256
68790e9344c95ce02de146720be473f195fcc98b2b6d45542a299531b1bbfdcd

SHA512
96fdab04f974ec68eb7d1c9cd345dfcd4a414cf0ed87fc973ed2d850c9837b013513a191472fb6793d76c3031e5359cfae9f43797e491e25c5bd98436f03d176

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6af34eb4b24865df7224d8121db0350c

SHA1
b69ac1627fdd5d1ff5dc080772afa850a85133bb

SHA256
05c01168c1f62cd86f046d09d07c423009e4e11acf9a39603b77be23dc4e8466

SHA512
088a750b5110062d898f90d70008a27fa64af21690117eef7925b9a5bab60d2ed8499c46575515767f37bbe533d64992123fd640c560b67f98345fb2a06ac92c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5ae9652776e5f3f0731d1de33651f42c

SHA1
8ba6c1d3ba04c63cae99b6ca894c853422d460cc

SHA256
d20424f8578050d0361bfe6d4b72bed17bde3a7b69228f593fdad233877b7b81

SHA512
4fc93d2d24a3a1375d2dd1ae7f3512dc49590bbd15bf21103bfd73f17005c1730889b2d97fcf1fc4bc9770e17f9865ca2be989ce1d74f9e4ab085f6d1b263200

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
217c3e1e4e51ac784e7cce0c7e9a1553

SHA1
ec5de0318a0bae4c14acd96a845eaa2dfd12e3e0

SHA256
89094ff416cb235678bb388f11d720f45a0367f218184ab3c208a5d27bac39b2

SHA512
7fa43e27b6615ac794df39a48fe2d769affc0c16f5080564413e0d8f6d9660d1e80535d27eeaa73046891553b43c7dbd3087a5a5cd3dcbe574982bb94de12198

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7b597ac6d8b46ad04a4649242183b2d5

SHA1
9c82cf6c957367c1c3d48f99edfe4481ce004b19

SHA256
240c370acd67f4816f98e3f04f10b9d6da093b4bfe4b02892e4042c906b0c1c9

SHA512
b33e42bee3e561bc82143904479300d432505a471412d21afcbd32d9f581476db60797fb7d11078bcc53825133cee2449178440d366fe34754d5479f95405465

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6a1128fb2d69230b980ce851f182036b

SHA1
822140586aaa6c1a100586016a3b6795517d1922

SHA256
aeaf3282921b89674e387ce8a553608fa10f13f97bf7fda4134299e81fa98a48

SHA512
1a0cf049692c3ec5728931505714505521611ed0ef02ceb788306dddabc1b8005e10dcbc18a7f2ac182ce8da311d6b8a3a1ae7fe2d9b90cc80ae7fafa184b5a9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
25e33b70837cd49bd6215f16c0abc352

SHA1
1d64c7cb4d6752885d362a2a11c99cbfd2715e1f

SHA256
47c0be0010ecc9ff1ae254e750d110c30db2ab3b520e6b32ed3c02f794a692e3

SHA512
e682684a1bbf3408ee8acb21b12c9e695198a1ad118a5b2632e7b090e7c8a49c993a0e338e31403f601e5d00701772bb91c0f7a419e3a0f33121e725b54f3cb6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b2796e670d1751adab275aa0e27d5da4

SHA1
652ab437f42601c61504293396df19c38b0bf751

SHA256
a63d882ce74cfd354a5532e7f29d8bd6b18d959a32d70d4c5fed767d97e3dbda

SHA512
3ce1210f6d079d0b61fcb88ec9ca9cd19c216d1244f6b31a9e5135fc5cce389a243a60b41250155ac3375a2a536bc17fd2fbc1c2fa1702c4e5e140fe550128f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9531a381c3c13d9f44ab2fcb845f9016

SHA1
0f880cb9fd33280f8f37bf698fc90ae924fb3ac8

SHA256
8bd5dda53178eafd56edd0ab3f74a3d6b0adc0db5a59ae417104c7c6bedef1c9

SHA512
8ce9cb2906f0cf018968c81236924c6cbf33c53215c628af2e5bbdc68dbee9deb18b9a95a3ebcf9a5822f62c479acd80615473d7e225f616b7cfb6e938d5cfbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3c1932107851433dda24219e2427fee5

SHA1
a2c8366338d53e2ae4523f7a159860bba6066396

SHA256
2a777320d408b06740fbc9b88c186d7ab6464ce46f3aa04bd1f7b7559a0d06b7

SHA512
03cd67cf17b3d4eb97660bfb526db868b7603ea20c1b5e61198d77b19c97ddd1d1580f8e28fcda151c71b07565dbd9c20babc6149aa2b11645256f46f1ef0420

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9f082c9f427c0a998b0ac72f023ff423

SHA1
3775b8c65bc32b0d9ac9377a896bcdfe227ba181

SHA256
85987d91aa8b7ebfc5fe609bd6f025d3555f2d495c7c6a4f40e2e86db2a65f1e

SHA512
f3b6de2093ce0d39e1350f9f85e0fc5c23734a7f67ec422bda79ab02b30b944a728c9ac81aec536bb8ed3c017bffa61681e1ec53564710202cb3a8797bf2cf99

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e04b61e840af7a59d8d8b0cfd9c07be1

SHA1
8c3d2d165f84ad26b697f74ac6922125a2d08798

SHA256
04faf15e85660bf7deab7b9e592285ae359a34658f6db3733db5f18a802b6efa

SHA512
0781efed292e554325de92c639c6c0e786bc6230a9a05fbda65b657bf2ec0256cddc47074f450526618fcaa17ad462c4d5e25201f5c373c8f3906e3c91eaf7a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
65f0780517917c3875ce775c45426922

SHA1
4825bd477107435264b155ee220ddff2babe8e25

SHA256
f4497f5103a44399f6eca3baf653491c17a6c1c7efc33af2a92fb906aa6cb5af

SHA512
28830b8acd02532452255ff58a3809ca68151c04ecddb688a2ea9ba9e5f29b849e1407727cfa491ded0300b10a6fa85feba848da8db8331e2090714952628424

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e96d3032f5370eeb2fb4854ed1f7e044

SHA1
d6d80344230313e79c9d0409e24dd2af1682abcb

SHA256
696da4fc51bb4d19442fa9ced2edbbf66a091d707b151c0db791b511950fcb0e

SHA512
e13c486fbbeb003374191fe0df5e16be4149709903e19dec475ffcd7649691b26f7e1441f98072c5cfd2db9b2e62aef176fba1713fb69cef1af79ba7566bbb6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
eaff864c32e1b2c02278ef13c38e264b

SHA1
8ac381be71a367ca7a9a89c1bb9d47854c1dcd03

SHA256
8d0721c37b5d09bd38ed63b292cda93b9c007a3ac38f7ef0dcff359f66270b78

SHA512
17b22866471c960df636abdcf24d41566807666a534569fbe489c77c90fcdd9ee191925e512695b1d6bd2946358b3a9e72b5551dfe9bfe998abed733f1ba3b07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
88107f9cab9475ebbae48d5a61f64dec

SHA1
87d4d2f03fe69d18c4d9084244f04d5427855218

SHA256
22a2ec0cf328e01847fc13b2b9023c397b96ce64f8138bee29a4b5f5f7880e25

SHA512
b85568778709898b0bfd2cba9b308fc6de8699925471506bfd950350347064457720ccc4a8b19ecc9f208ef12df357e10ae538d57ef614b75de03964ca68758e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eb1391292a3f8cabbe45cc47e3235262

SHA1
841dc584a9eccfea1b9d84dd4caf21eaa5b6f639

SHA256
41efa9e59966ad5e257831d9bc182552f995ac9f8c085332aa11a1641ec75e27

SHA512
1cdddbd20c3a9ea1e292a9ba6ee69b1a0ee3dd4eeeb507dead391c531eabaf0052fec6c52ae8fd0af059122a834b3bf510ba14d414505dca796124c9d54fdaa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cfe33f63d54eab92b47f2844f7c1771e

SHA1
0673a8994c02bee862893312f62352f10b3c2133

SHA256
cdc10102f691d01c8ecf7db3251b8bec4c140a3c87e18e149249cb04302b4621

SHA512
5f97928eef9b91f86863ce70b8244f06a75a7562de2117aa842009d4f1fa8dc9b7ed63f50a3eaeb51c5c8a76b68c77a8269c412fcd81f7d7d7c88184c1e69669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5e6f3b8c2533005e66490f1d72de1cc1

SHA1
a4f352f381d820ce88923a2e8b75cf3930e7b707

SHA256
84686daecfce39b32af320e2ded6d05dfa0c25df952d4cae442d9deb739d6a7a

SHA512
92bb47b5404d7d23b8cdfa4cd29c7be2393d927437c45d569dec18df01bbc9ed87668ec7fafb30500c7d6db7f85d45ab547a96e6700714b7e27e2fdac4f04345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
191199c7562d1366a618f04201d29d60

SHA1
40b9393dd17cda4e9996ae5ed2a5f4298aa5af55

SHA256
22233b22a88e0ae87c3153354b114818af37dc50748f801bc5febc71a65d7419

SHA512
fccfcf1951f00bfa5c7eed26e4fe52477c24043b71cc41667d164ac02a4aa4445686560b94e7d19958ea4d7cfa17b628ee9120b72cd599a3bc89ecbd51720d23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1593abeef7bc2bb8f1765772ef07a254

SHA1
03fdb55192987ea66b1d7657904fff299840be90

SHA256
04f557881c6463cef33b2d8d8137e5cae80dae4e705e28283bee79870eb0f138

SHA512
a8bde249c7815e69fc7248681547866b7cbbc4672255251ea49dcf5144fd0b727462e57f07c2ffeed4e485f2e25c36200dcf3eeb641a891d59dcbd5d9b9cd00e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a1da7b0159cf1d24d885bfbb2c384717

SHA1
f30ed803044b5e00f1431eb4199fd12eda500f26

SHA256
18376558b34fc473d0bf9eb4669a605c55de43471c05e830481271e574eb8c16

SHA512
2a818c3ab9176c6e485340105d652528faec368b58cadb7484904f1eafd721121b5bd5b0f62163afe478b945d0919fa2d341fbbe77b16f74d38e3b771badcb85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
153d0cc46e1cf6d8da2377d705faac57

SHA1
22beff475a75e16651ed42d13026c4c86cae71c7

SHA256
d0c1259b339b481ff388aef7840ae404b991f2132ecec89e839d39bd480462a7

SHA512
decdcbbb8a0752a3ea73e70b2edfcc775a00e087664e617e8d414602291e1a84b246301ddef28a360189a2c1d59be8e746b634108a0a4316c133eb76427b1aca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7e979b824d6f083542c585bf02e52cd9

SHA1
519fcaab325a2855d062520d8543f59564946729

SHA256
bd85e0b4e5be9d2f6494b4504a1a0f273b7054f4b88b693bb68d5662c707c0fb

SHA512
982862cfae14a313c99df371f7cdedec8eb1ecca607c3b5c178886d696bd19c7b5fc00d75a6b8508a1b1c493871c4f6e0d4e351fec2fd6c41f32617fea86206d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
496a1558922edf8592f57ceda99958f2

SHA1
f48b42940f06da8de9b1daa0ed00f0da209ac0d1

SHA256
402f15975e03fcca716fc94e321161ed2c664db3a2949c63c351f390c511ada8

SHA512
490ed278fe94636531b16e9cfa2780e120651fae5602aae9464b370097f9e191300b8cab0faaf72d7e3d037b55e9cf4bc41194330bfd421b2e238f6f2ce39716

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
32b5927d95883cb8f56d73b87464f5a9

SHA1
bdd2e64e45df5062fd689f3529a14a629b54a1aa

SHA256
b0a901e925449d2d112be2e5e871f6da276d565f20ab4c2bda3a2692ec1cfb58

SHA512
0e3d58dcacd76a116bed288b00af1224e6bc6b8b01694e3f02a5c7c84d14c5d348900757b5cfd4ce006c2dc2c70607e9e207f654aa62a5bf243965d14fb3ddf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4af4ae0b1b223a1a8e064beb5ed0e154

SHA1
a06455b85e0b09320a56138994f97b3e7ec0a7d2

SHA256
31518be33562fcb99c817dfbd419f3c46088ec249511e3f69911351ff32f9316

SHA512
4ab2634686ba4fea05467e073e882bba32667bef3c47b7d6cc477b69d4f99f40e6925599e3c95031c2b337cf098208a4da2f511b1aae983274cdffc1670aea02

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1114d55cf0f42e0046e67518060fc510

SHA1
052e6d99114e9f2f13c04d7e54c4ddcd968d364a

SHA256
5201792bff6d8813ee9f61605fb8cc5dcaa1492fc33b9e637e599002865f3dbd

SHA512
7850c7f408c3fcecbb102243de5490a9f2a428f9695f7d472bba8853d15a86e0be55fc5bee487dedd1f33c6e0db4a2dcb52afbaa22b349761c49bc3a20d6c0ec

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6cb3c7333eeeda057b9b5f48f1012d6f

SHA1
687d610b8d4279bb94528577e87722eec532a792

SHA256
5bb8d4e9a5c5839991a061b6342f68001e4902be01b50ed47dff9b5a77fb47ca

SHA512
33cbca48214c6babbbafb9b2245d9c186a957a42a7301cd058ced4de1f7d086c5d2638789ebaf0f510141e25408217a00151df0c361c3f9b29a1714d97c2c4e1

Download Submit
C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
673da909076000f807afa358ca88b4de

SHA1
8032530fb4ce839548704c7b32bcbb79bcd6b035

SHA256
55d7f41747d75aee1a1dde9bcdbe6f39f433f5bc59785a4d8093e8736d2fbdde

SHA512
4d2e98abdf3bac63175547acc83b83e6566c904ee551f0e7fde7d5a1272e05b8e6846a9bb93a9d2347b0a7a04dc8e6a629c8ba0f8d78d190b529b99da626bb0d

Download Submit
C:\Users\Admin\AppData\Roaming\142a68e4293b476c.bin

Filesize
12KB

MD5
a7cf47a049c1867ccea1ecedc101da84

SHA1
515eedc8d166839a507715ea4de57acd2c485faa

SHA256
92623b21c2af765bb68864e8bbb5618be86f1216d7d618c1e25186209f4cc502

SHA512
b428e67d8d59147fb5e43d39ac5672ed8e629bffd66dd906512269b213b28f6126e16adeb57c3b6af3bff4e70fa2fc6caec099c95e5cd427acf714b731cf27ca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1b8cc166995e80a07a2d9155f6e73ccd

SHA1
e64a99ef22fde4a9ad3419e2f031eb14e84451d5

SHA256
7395367ff777772eefa36725f31a9a8d34d1f5264e6bf7207a2671fc1a2bb755

SHA512
6f08bcd7da70a24b2cf4b9275b9f8adcf17577cbf1f7d6ae02b4d5c56c0a97fd50fc8dcbaa25dcc24373f04610cbdda2ecdb32e976ceed755516169897d8c231

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d1d542fe1773a4d2592ad55f4e1037d5

SHA1
73d478e90280404e40cace5eaa490ca12d6e681f

SHA256
35928b21e8f72824ea8c094bb9b5de5b425675d4524e4c1377bc967780d298f7

SHA512
08fb9d2e2d66848d53ff96f4c5529b95504a641ec50aa3ef2c59f2676bcf86e7b140c7193aac0a3dcbef688430b114647af0ea678dfe4bc81b0289ecdb8e5666

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1d80c02233202655f5c98ff5809d6de8

SHA1
8127e3c316f41c42046aa593a5a4a89d1a47c0eb

SHA256
78335d6d5690832b292c06bc76041b023e204ee03d1e9e51449f7ac83db55b1b

SHA512
796c49b7af88c22f166367b14de47d3da4345e898cfc186006cc0c67892a1d5d19a4185f5cee08aef6de7994cd408f1f9cfa6a69a78ea3cacbe93aea77d79342

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6b7041b6aefbd826724a9bcb54a96cfe

SHA1
d0e3ae4989db427528a9a332d1661846059418c7

SHA256
d2fa36b0a64e5ceb671d5cb8459af22be1b095dd4156c5ac95b049a4857dd82d

SHA512
9799f63e55f5b64a71b58cb1c7d6c6ee66eaaf14abe31f1ad8b7b43d64efc76eb11612b771d1f7e145c152eb42159414942bdfc00e71148ef52b6fdcbfd70a67

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f571508f92e0090ae52e2301b2b7993d

SHA1
38a20d3ec3be5a96e7a880fc19c401229233c15f

SHA256
d1e1507eeae4dc0fa610c173a14962ff647c4ce99b0257b26dd43347df66dbfb

SHA512
943352981e322f5b6c55ffa1debf387b7d915d9548f891296dccb75220c42195a7b42d80e491365bd0dc9132432776a9e69a17a46e7ab53ba64f45c4ed5b4e1f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
127aa61c9ddcc5db9453fb5cd0da6ffa

SHA1
93005c2d5a0a956966a6aea6bcded25c28215e5d

SHA256
737a86ad50465c88990e1f3ab042e47cf27a22ee802e6f129baff005ea63e9e0

SHA512
af9e43940d3c97835678d72c516c0c62027b0b0277381f0c785163377248758b47aa51334bfbf7a1e024e433fc28ff436ff425b65639aa368f7aafcec5a05cfa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1ff758012e2353bfd2831692988fb795

SHA1
569244d53348a566761642dd9181ead3e3301cda

SHA256
bfd4eddc6685a50d8c6f444d11562b151856121592aac84fb172fe7c3c0689a6

SHA512
f25ca552f51c0af523cad797d969f76ea40953be71cd09d5713b2e82c68e1002d5536480e8d6a583a154fb540fbe6eb5b571795c69debd7b81892da431910707

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
73c150969be76651ad51ea0b97e6eaed

SHA1
267bc9b7f820a941b77ba974421b49d2b952b150

SHA256
a9f232b2957d8ae0d183f6da30238c6d873f56786ea8dd015da9f7be699653c4

SHA512
c66f241fece96f66fd2694f99aac7534cc1c567a4a584c01fcef98e36531951374cdb4b220dbc32e95929bb161965a09c9b66345b25264d81beb3fd0042f0b09

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
59b29995cc2f86d3d5b9ee9ce209a37c

SHA1
39f09b1b2b2072efdf45a33415bc875a649765d0

SHA256
b651325dedcc861c50d66becc420b89c8272752f94cba6e5baca81a7434db280

SHA512
14830ff867e8e6873d732dc51a1639614723158f8bdd1a67f2dbc6c7035036df3377bc60e782bb06600e4d2808aecbd0ec92e049764c58fae56c6e6c04553068

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4c59fd497c4a0f807889027b5e5b88a3

SHA1
7188ad4c3c20b126f70bead66979870a431c9d49

SHA256
dfc4ff9bd7eb0e425d7f11e702bb960fc6a12fc80d846ea38347a152981dfdac

SHA512
95982922aa17b56627a91c5fc0fe7deed29a0f14683e24b720c2a4211941d0cc44a7b58b28b1bdbacf1ea9941fd2b9d90f9b91e8ca47ac98f818c9b31bf803f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5ae3c7a1a075f5dfe01b9b3d29259cac

SHA1
89f9cdb827298a2bde47071418c55f7df92c860d

SHA256
c98f17bc07adc451ee0294c7c45c1ffc9d80e211cac4b0c06933dd88838ff5fb

SHA512
c7637bbe68fc5615ad630bc51c126fa9c61f85547bc7ec8d4ffe2a300e46c8ff2435b18bc171dbfb2082521a9fdbe3956c34b3277c7abc55d0b4ae5cb4302fbe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5101beb46f58981e04282688d76989d7

SHA1
df6190eca479897b4a4d8e563c9f545afb3778ac

SHA256
76b037f89ae3f4aad84455b9a3580bd0c2e51807b084b42d728bfef60fb76229

SHA512
c8afc75d9bc408590e0dd2d0291769dc24715e5e605f7ec2d606826a1558e920ca75589cc68b11745e8c78e8c9ff896f2961be5d0c36f6d125f6566999273943

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1ef54d745a89db9668399a49c13ab853

SHA1
4176e17f1026211255242c329cff712a7d7d749e

SHA256
9dc9e814d5c9e605835b749c27afe7949d4ca40ec3bdb2b5c6094c2730c58478

SHA512
5943ebfabed87ae882eeaf407e109a87743673a28e436b662456ec8830afe953b893cc5dd8a0dd45408c85a984f19d44f18fe93758610a9ca3fc677fb6bafb09

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d1f5860d5d92b996f702b01f68a43fa2

SHA1
52ec0d24024744592d1b2047f830007d806a2d03

SHA256
575d26a5df549538a7e98c23d4aa4a34affd48cb68f48422fc60f020cc929a81

SHA512
eb315687f4eee3d73a2252ed16fbfafbcff71348930b32eb1815c7aae235544aeda64385d7c991925f6d40254aab9a29a8bb078e1fe8cb9ad19f3f80bc1345ef

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7b6c0e8cd3e2a936cea8f5a1d6f7ba81

SHA1
a7a201c7fb4570ee3cabbb8c1faf1762e3adf0d1

SHA256
9ce8f878ac0bd9c8c383f09b4539e37ae89be98727d71698d6fffd5a3f580b1c

SHA512
571a5e30eb2872bab8d36fb7570f51518a24140f93e11ed036863eb411b5cae9e9ba332594da8d4a2d5232786302311f589e652ff58d13d2ea6d40304d0314c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
436038ba01823eb1e8349167277951a6

SHA1
10c5ddfe605b2e790816d48428cba66a5f18cb22

SHA256
8ee3c570ca496907e6e463af8f30fe5a68e3992d0ef8b6e020ce93657524499e

SHA512
caf402e613f939d4a893f1fd35e1d8e9f20a2a145ad5057822154eb064ea9384a0fb5d52cc4a049690541ca4d41424066aa8523e375e4c748da89bf8bec7a413

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9583bc53b362b01337d458b1f4f5d204

SHA1
def51e3cd45c728e0c682829861ee99bac22515e

SHA256
1899958188bbdbfa9d133a5e5181ab125a37d6fdd41825817b51068289aeb41f

SHA512
11667fcdc140ecb67a0a54be356c2c2ea7c6c5b5c35326579627c4a0009fcaa2369e648ebcf3a74eb3a86a19c35fa8ee82f26ff9b6a551c8ce5d76ff91ef0dc5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
266cf97e7db718ae3f2a31cf0b32ada9

SHA1
393fb7a00df9791a4acf1baec23c31a65afaf9c8

SHA256
6bd108c39265c0caeff0f2991a4f04f5dee8e7bd4b8cf9218ec1c62def5e46cf

SHA512
683e1661e45bf02011e57f12665461672f829c1883dec34d3cf300dbdd445029105a5ce2728abd33df8416c5f3d4d45cd15177ea32b12a7a88233bca6e3a3a3c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
87b4506fb2ab4b98ed499376f7b5b124

SHA1
cfe3185799ba34975bff739a0b0793d05cefba36

SHA256
3ff0e8f9c22d9c4e34b2c6ffd55f03b1c676c19712206422801874e3c9d6d73a

SHA512
a052b714cf61ceaf4c0d19cabdc4cee68ee349f6c3d9478c80752f593427bda59ee9c3f52a772bcceb88d6e24ee8f835cd7bd75eb651718a2100dcee9f045ed5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6f5825cdbbf008eacb30553917a610f9

SHA1
4d42da932a144292095d10b4c54571db6ee007bc

SHA256
6d2d69ce3f90c31279263520ebaf5a0f881d77c9126ccd521aa84e2a83acd118

SHA512
ac0b8179e8c7abb0003c510a85a3b38d0fc623af8d126fced1783373a8d09db292a47560269bb2c5f43b53caf5c911403e4cdc88bda11c4d593229fd4f05281a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6bc0040d4486af6873babd859a5a6f87

SHA1
84dcf7e0a5adc9d45be3d7b15f0835699032a172

SHA256
8e2c2e22361203691d7cc77e0c850af88c1c657ed2f1cd21890249776b4ea115

SHA512
a5ce49392993db6821d3033baffbf979389d55770a198dd0106777ba25122628d97d473575f59591828d4729b61aa3ab446ecb2e5ff26c19b97278edea94ce47

Download Submit
memory/64-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/64-89-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/64-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/228-26-0x0000000000AD0000-0x0000000000B36000-memory.dmp

Filesize
408KB

Download
memory/228-10-0x0000000000AD0000-0x0000000000B36000-memory.dmp

Filesize
408KB

Download
memory/228-238-0x0000000000400000-0x0000000000936000-memory.dmp

Filesize
5.2MB

Download
memory/228-25-0x0000000000400000-0x0000000000936000-memory.dmp

Filesize
5.2MB

Download
memory/808-240-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/808-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/968-618-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/968-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1244-625-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1244-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1272-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1272-623-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1324-239-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1324-619-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2032-223-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2184-615-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2184-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2524-221-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2936-220-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2996-60-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2996-54-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2996-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2996-85-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2996-87-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3044-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3132-50-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3132-49-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3132-41-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3148-34-0x0000000000400000-0x0000000000936000-memory.dmp

Filesize
5.2MB

Download
memory/3148-0-0x0000000000400000-0x0000000000936000-memory.dmp

Filesize
5.2MB

Download
memory/3148-6-0x0000000002700000-0x0000000002766000-memory.dmp

Filesize
408KB

Download
memory/3148-1-0x0000000002700000-0x0000000002766000-memory.dmp

Filesize
408KB

Download
memory/3176-70-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3176-458-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3176-64-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3176-72-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3612-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3612-622-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3812-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3940-219-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3988-28-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3988-32-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3988-256-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3988-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3988-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4120-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4292-227-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4644-624-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4644-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4828-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-484-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download